GHSA-mvq8-hgxh-4v2g

Source

https://github.com/advisories/GHSA-mvq8-hgxh-4v2g

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-mvq8-hgxh-4v2g/GHSA-mvq8-hgxh-4v2g.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-mvq8-hgxh-4v2g

Aliases

CVE-2022-25196

Published

2022-02-16T00:01:22Z

Modified

2024-02-16T07:55:31.570823Z

Severity

5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

Open redirect vulnerability in Jenkins GitLab Authentication Plugin

Details

Jenkins GitLab Authentication Plugin 1.13 and earlier records the HTTP Referer header as part of the URL query parameters when the authentication process starts, allowing attackers with access to Jenkins to craft a URL that will redirect users to an attacker-specified URL after logging in.

This issue is caused by an incomplete fix of SECURITY-796.

Database specific

{
    "nvd_published_at": "2022-02-15T17:15:00Z",
    "cwe_ids": [
        "CWE-601"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-01T22:38:36Z"
}

References

Affected packages

Maven / org.jenkins-ci.plugins:gitlab-oauth

Package

Name: org.jenkins-ci.plugins:gitlab-oauth; View open source insights on deps.dev
Purl: pkg:maven/org.jenkins-ci.plugins/gitlab-oauth

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

1.13

Affected versions

1.*

1.0.3

1.0.4

1.0.5

1.0.6

1.0.7

1.0.8

1.0.9

1.1

1.2

1.3

1.4

1.5

1.6

1.7

1.8

1.9

1.10

1.11

1.12

1.13