CVE-2022-25196

Published: Feb 15, 2022Modified: Nov 21, 2024

5.4

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.3 / Impact: 2.7

Source: NVD

Description

Jenkins GitLab Authentication Plugin 1.13 and earlier records the HTTP Referer header as part of the URL query parameters when the authentication process starts, allowing attackers with access to Jenkins to craft a URL that will redirect users to an attacker-specified URL after logging in.

Affected (1)

Products: Jenkins: Gitlab Authentication

1 product

Gitlab Authentication

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Jenkins Gitlab Authentication	Up to 1.13

Related CWEs

URL Redirection to Untrusted Site ('Open Redirect')

A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.

References (4)

http://www.openwall.com/lists/oss-security/2022/02/15/2

Source: jenkinsci-cert@googlegroups.com

Mailing ListThird Party Advisory

https://www.jenkins.io/security/advisory/2022-02-15/#SECURITY-1833

Source: jenkinsci-cert@googlegroups.com

Issue TrackingPatchVendor Advisory

http://www.openwall.com/lists/oss-security/2022/02/15/2

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://www.jenkins.io/security/advisory/2022-02-15/#SECURITY-1833

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingPatchVendor Advisory

Timeline

No history available yet.