Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-35gf-xjgf-96c5: Jenkins OpenShift Login Plugin vulnerable to Open Redirect

Jenkins OpenShift Login Plugin 1.1.0.227.v27e08dfb_1a_20 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins.

This allows attackers to perform phishing attacks by having users go to a Jenkins URL that will forward them to a different site after successful authentication.

OpenShift Login Plugin 1.1.0.230.v5d7030b_f5432 only redirects to relative (Jenkins) URLs.

ghsa
#git#java#perl#auth#maven
  1. GitHub Advisory Database
  2. GitHub Reviewed
  3. CVE-2023-37947

Jenkins OpenShift Login Plugin vulnerable to Open Redirect

Moderate severity GitHub Reviewed Published Jul 12, 2023 to the GitHub Advisory Database • Updated Jul 12, 2023

Package

maven org.openshift.jenkins:openshift-login (Maven)

Affected versions

< 1.1.0.230.v5d7030b

Patched versions

1.1.0.230.v5d7030b

Published to the GitHub Advisory Database

Jul 12, 2023

Last updated

Jul 12, 2023

Related news

CVE-2023-37948: Jenkins Security Advisory 2023-07-12

Jenkins Oracle Cloud Infrastructure Compute Plugin 1.0.16 and earlier does not validate SSH host keys when connecting OCI clouds, enabling man-in-the-middle attacks.

CVE-2023-37950: Jenkins Security Advisory 2023-07-12

A missing permission check in Jenkins mabl Plugin 0.0.46 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

CVE-2023-37963: Jenkins Security Advisory 2023-07-12

A missing permission check in Jenkins Benchmark Evaluator Plugin 1.0.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL and to check for the existence of directories, `.csv`, and `.ycsb` files on the Jenkins controller file system.

CVE-2023-37956: Jenkins Security Advisory 2023-07-12

A missing permission check in Jenkins Test Results Aggregator Plugin 1.2.13 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials.

CVE-2023-37951: Jenkins Security Advisory 2023-07-12

Jenkins mabl Plugin 0.0.46 and earlier does not set the appropriate context for credentials lookup, allowing attackers with Item/Configure permission to access and capture credentials they are not entitled to.

CVE-2023-37961: Jenkins Security Advisory 2023-07-12

A cross-site request forgery (CSRF) vulnerability in Jenkins Assembla Auth Plugin 1.14 and earlier allows attackers to trick users into logging in to the attacker's account.

CVE-2023-37947: Jenkins Security Advisory 2023-07-12

Jenkins OpenShift Login Plugin 1.1.0.227.v27e08dfb_1a_20 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins, allowing attackers to perform phishing attacks.

CVE-2023-37944: Jenkins Security Advisory 2023-07-12

A missing permission check in Jenkins Datadog Plugin 5.4.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

CVE-2023-37949: Jenkins Security Advisory 2023-07-12

A missing permission check in Jenkins Orka by MacStadium Plugin 1.33 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

CVE-2023-37953: Jenkins Security Advisory 2023-07-12

A missing permission check in Jenkins mabl Plugin 0.0.46 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

CVE-2023-37945: Jenkins Security Advisory 2023-07-12

A missing permission check in Jenkins SAML Single Sign On(SSO) Plugin 2.1.0 through 2.3.0 (both inclusive) allows attackers with Overall/Read permission to download a string representation of the current security realm.