Jenkins OpenShift Login Plugin vulnerable to Open Redirect
Moderate severity
GitHub Reviewed
Published Jul 12, 2023 to the GitHub Advisory Database
Updated Nov 8, 2023
Package
Affected versions: < 1.1.0.230.v5d7030b
Patched versions: 1.1.0.230.v5d7030b
Description
Published by the National Vulnerability Database: Jul 12, 2023
Published to the GitHub Advisory Database: Jul 12, 2023
Reviewed: Jul 12, 2023
Last updated: Nov 8, 2023
Jenkins OpenShift Login Plugin 1.1.0.227.v27e08dfb_1a_20 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins.
This allows attackers to perform phishing attacks by having users go to a Jenkins URL that will forward them to a different site after successful authentication.
OpenShift Login Plugin 1.1.0.230.v5d7030b_f5432 only redirects to relative (Jenkins) URLs.
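The following is an added illustration of the kind of check the fix describes (accepting only relative, same-instance targets after login); it is hypothetical example code written for this page, not the OpenShift Login Plugin's own implementation, and the "weak" variant is a made-up contrast, not the plugin's actual pre-fix logic. The class name `RedirectTargetCheck`, the method names and the sample targets are all constructed for the example. It uses `java.net.URI` to parse the requested target and rejects anything that carries a scheme or an authority, which is what distinguishes a path on this Jenkins instance from a target that leaves it.

```java
import java.net.URI;
import java.net.URISyntaxException;

/**
 * Hypothetical validator for a post-login redirect target (added example,
 * not the plugin's code). Illustrates "only redirect to relative URLs".
 */
public final class RedirectTargetCheck {

    /**
     * Weak check (hypothetical, for contrast): rejects only targets that spell
     * out http:// or https://. Scheme-less protocol-relative targets ("//host")
     * and non-http schemes ("javascript:") slip through.
     */
    static boolean weakIsLocal(String target) {
        if (target == null || target.isEmpty()) {
            return false;
        }
        String lower = target.toLowerCase();
        return !lower.startsWith("http://") && !lower.startsWith("https://");
    }

    /**
     * Hardened check: accept only a root-relative path on this Jenkins
     * instance, i.e. a URI with no scheme and no authority whose path
     * starts with a single '/'.
     */
    static boolean isSafeRelativeTarget(String target) {
        if (target == null || target.isEmpty()) {
            return false;
        }
        // Backslashes and control characters are rejected outright. java.net.URI
        // refuses them as illegal characters anyway, but some browsers normalise
        // '\' to '/', which would turn "/\host" into a protocol-relative "//host".
        for (int i = 0; i < target.length(); i++) {
            char c = target.charAt(i);
            if (c == '\\' || c < 0x20 || c == 0x7f) {
                return false;
            }
        }
        URI uri;
        try {
            uri = new URI(target);
        } catch (URISyntaxException e) {
            return false;
        }
        // Any scheme ("https:", "javascript:") or authority ("//host") means the
        // target leaves this Jenkins instance.
        if (uri.getScheme() != null || uri.getRawAuthority() != null) {
            return false;
        }
        String path = uri.getRawPath();
        // Require a root-relative path. "//" is already excluded by the
        // authority check above; the explicit test documents the intent.
        return path != null && path.startsWith("/") && !path.startsWith("//");
    }

    /** Returns the requested target if it passes the hardened check, else a safe default. */
    static String chooseRedirect(String requested, String fallback) {
        return isSafeRelativeTarget(requested) ? requested : fallback;
    }

    public static void main(String[] args) {
        // Constructed sample targets, as a login handler might receive them.
        String[] samples = {
            "/job/example/",            // legitimate relative target
            "/",                        // legitimate relative target
            "//other.example/login",    // protocol-relative: leaves Jenkins
            "https://other.example/",   // absolute URL
            "javascript:alert(1)",      // non-http scheme
            "/\\other.example/",        // backslash variant
            "relative/path"             // not root-relative; rejected by this policy
        };
        System.out.printf("%-26s %-6s %-6s%n", "target", "weak", "hardened");
        for (String s : samples) {
            System.out.printf("%-26s %-6b %-6b%n", s, weakIsLocal(s), isSafeRelativeTarget(s));
        }
        System.out.println("redirect => " + chooseRedirect("//other.example/login", "/"));
    }
}
```

Running `main` prints one row per sample: the weak check accepts the protocol-relative, `javascript:` and backslash targets, while the hardened check accepts only the two root-relative paths, and `chooseRedirect` falls back to `/` for the protocol-relative request. Parsing with `java.net.URI` rather than string prefix tests is the design point: the scheme and authority components are what decide whether a target stays on the instance, and the parser already rejects the characters that browsers normalise differently.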
References