GHSA-2vvr-5757-qp87

Опубликовано: 24 мая 2022

Источник: github

Github: Прошло ревью

CVSS3: 6.1

Описание

Open redirect vulnerability in Jenkins CAS Plugin

Jenkins CAS Plugin 1.6.0 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins.

This allows attackers to perform phishing attacks by having users go to a Jenkins URL that will forward them to a different site after successful authentication.

Jenkins CAS Plugin 1.6.1 only redirects to relative (Jenkins) URLs.

Ссылки

Пакеты

Наименование

org.jenkins-ci.plugins:cas-plugin

maven

Затронутые версииВерсия исправления

<= 1.6.0

1.6.1

EPSS

Процентиль: 23%

0.00077

Низкий

6.1 Medium

CVSS3

CVE ID

CVE-2021-21673

Дефекты

CWE-601

Связанные уязвимости

CVE-2021-21673

CVSS3: 6.1

nvd

больше 4 лет назад

Jenkins CAS Plugin 1.6.0 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins, allowing attackers to perform phishing attacks.

EPSS

Процентиль: 23%

0.00077

Низкий

6.1 Medium

CVSS3

CVE ID

CVE-2021-21673

Дефекты

CWE-601