Impact
The vulnerability is a cross‑site request forgery in the Jenkins Gitee Plugin, versions 1288.v18b_deb_c9069b_ and earlier. It allows an attacker to cause a Jenkins instance to initiate a network connection to an arbitrary URL supplied by the attacker, using a credential ID that the attacker has gathered through another method. The attack does not provide code execution on the Jenkins host, but it enables the attacker to abuse internal credentials to reach external systems or services, potentially exfiltrating data or performing unauthorized actions on those targets.
Affected Systems
Any Jenkins installation running Gitee Plugin version 1288.v18b_deb_c9069b_ or older is vulnerable. The affected component is the Jenkins Gitee Plugin provided by the Jenkins Project.
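A check an administrator can run against the plugin inventory, added here as an example and not part of the advisory: it parses the JSON that Jenkins returns from /pluginManager/api/json?depth=1 and flags the Gitee Plugin if its version is at or below the last affected build. It assumes the plugin's Jenkins short name is gitee, and the inventory shown is a constructed sample, not real output.

```python
import json
import re

# Last affected build stated in the advisory: this version and earlier.
LAST_AFFECTED = "1288.v18b_deb_c9069b_"
# Assumed plugin id of the Gitee Plugin; confirm it in your own instance.
GITEE_SHORT_NAME = "gitee"


def version_key(version: str) -> tuple:
    """Sort key for Jenkins plugin versions.

    Covers the classic dotted scheme ("1.2.7") and the incremental
    "changelist" scheme ("1288.v18b_deb_c9069b_"). In the latter only the
    leading build number is ordered; the hash suffix carries no ordering,
    so parsing stops at the first non-numeric component.
    """
    parts = []
    for comp in version.split("."):
        m = re.match(r"\d+", comp)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True if the given Gitee Plugin version is within the affected range."""
    return version_key(version) <= version_key(LAST_AFFECTED)


def find_affected_plugins(plugin_manager_json: str) -> list:
    """Return (shortName, version) for affected Gitee Plugin entries."""
    data = json.loads(plugin_manager_json)
    hits = []
    for plugin in data.get("plugins", []):
        name, version = plugin.get("shortName"), plugin.get("version")
        if name == GITEE_SHORT_NAME and version and is_affected(version):
            hits.append((name, version))
    return hits


# Constructed sample of a plugin manager response (not captured output).
SAMPLE = json.dumps({"plugins": [
    {"shortName": "git", "version": "5.0.0"},
    {"shortName": "gitee", "version": "1288.v18b_deb_c9069b_"},
]})

if __name__ == "__main__":
    for name, version in find_affected_plugins(SAMPLE):
        print(f"{name} {version}: affected, update the plugin")
```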
Risk and Exploitability
The CVSS score is 5.4, indicating moderate severity; no EPSS score is available, so the risk can only be partly quantified. From the description, the attack vector is inferred to be a web request: the attacker must get a forged cross-site request accepted, which possibly requires a valid session or the cooperation of an authenticated user. The attacker also needs to know a valid Jenkins credential ID that the instance can use to authenticate to an external service. Once these conditions are met, the vulnerable plugin initiates an HTTP request to an attacker-supplied URL using the referenced credentials, which could lead to data exfiltration or unauthorized actions on the target. The flaw is not listed in CISA KEV. The likelihood of exploitation depends on how widely the vulnerable plugin version is deployed and whether credential IDs have been exposed.
OpenCVE Enrichment