CVE-2015-5298
Description
The Jenkins Google Login Plugin versions 1.0 and 1.1 allow attackers to bypass domain restrictions by modifying client-side requests.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability overview
The Google Login Plugin for Jenkins (versions 1.0 and 1.1) is intended to restrict authentication to users from a specific Google Apps domain. However, the plugin relied on client-side parameters to enforce this restriction instead of checking the domain on the server. An attacker can modify the OAuth request on the client side, removing or altering the domain check, and thereby authenticate successfully even when the Jenkins instance is configured to allow only a particular domain [1][2][3].
Exploitation
The attack does not require any prior authentication. The attacker initiates the OAuth flow from Jenkins, which redirects to Google's OAuth page. By intercepting and modifying the request (e.g., using a proxy like Burp Suite), the attacker can discard the domain parameter or spoof a domain that passes validation. This is a client-side bypass, meaning the server does not independently verify the domain after the OAuth callback [2][3].
Impact
Successful exploitation allows any anonymous user to log in to Jenkins as an authenticated user. The actual impact depends on the Jenkins instance's permission configuration; if the authenticated group has broad access, the attacker may gain administrative privileges or cause significant damage. Jenkins assessed the severity as medium [3].
Mitigation
Users should upgrade the Google Login Plugin to version 1.2 or later, which fixes the validation. The updated plugin properly verifies the domain server-side. The update is available through the Jenkins plugin manager or by downloading the HPI file [3][4].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:google-login (Maven) | >= 1.0, < 1.2 | 1.2 |
Affected products
- Google Login Plugin
Patches
1cb470f0720d5 [SECURITY-208] Validate the hd claim
1 file changed · +8 −1
src/main/java/org/jenkinsci/plugins/googlelogin/GoogleOAuth2SecurityRealm.java+8 −1 modified@@ -28,6 +28,8 @@ import com.google.api.client.auth.oauth2.ClientParametersAuthentication; import com.google.api.client.auth.oauth2.Credential; import com.google.api.client.auth.oauth2.TokenResponse; +import com.google.api.client.auth.openidconnect.IdToken; +import com.google.api.client.auth.openidconnect.IdTokenResponse; import com.google.api.client.http.GenericUrl; import com.google.api.client.http.HttpRequest; import com.google.api.client.http.HttpRequestFactory; @@ -168,7 +170,12 @@ public HttpResponse doCommenceLogin(@QueryParameter String from, @Header("Refer @Override public HttpResponse onSuccess(String authorizationCode) { try { - TokenResponse response = flow.newTokenRequest(authorizationCode).setRedirectUri(buildOAuthRedirectUrl()).execute(); + IdTokenResponse response = IdTokenResponse.execute( + flow.newTokenRequest(authorizationCode).setRedirectUri(buildOAuthRedirectUrl())); + IdToken idToken = IdToken.parse(JSON_FACTORY,response.getIdToken()); + if (domain != null && ! domain.equals(idToken.getPayload().get("hd"))) { + return HttpResponses.errorWithoutStack(401, "Unauthorized"); + } final Credential credential = flow.createAndStoreCredential(response, null); HttpRequestFactory requestFactory =
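Review bot: In the second hunk the comparison `domain.equals(idToken.getPayload().get("hd"))` is exact and case-sensitive, while DNS names are case-insensitive; either normalise both sides (for example `domain.equalsIgnoreCase(String.valueOf(idToken.getPayload().get("hd")))`) or document that the configured domain must be entered in the same case Google returns it. The rejection of accounts without an `hd` claim (consumer accounts) works only because `String.equals(null)` returns false; that is the intended behaviour and deserves a one-line comment, as does the reason the ID token is parsed with `IdToken.parse` rather than verified: it comes straight from the token-endpoint response over TLS, so its signature is not being trusted from an untrusted channel. Minor style: `! domain.equals` and `JSON_FACTORY,response` do not follow the spacing used elsewhere in the file.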
Vulnerability mechanics
Root cause
"Missing validation of the `hd` (hosted domain) claim in the OAuth ID token allows users from any Google domain to authenticate."
Attack vector
An attacker who does not belong to the configured Google Apps domain can still complete the OAuth 2.0 flow with any Google account. Because the plugin did not validate the `hd` claim in the ID token [CWE-287], the server accepted the token as valid even when the user's domain did not match the configured domain. The attacker simply authenticates with a non-domain Google account and the login succeeds, bypassing the intended domain restriction.
Affected code
The vulnerability resides in `GoogleOAuth2SecurityRealm.java` in the `onSuccess` callback of the `doCommenceLogin` method. The original code used a generic `TokenResponse` and never inspected the `hd` (hosted domain) claim of the returned JSON Web Token.
What the fix does
The patch changes the token request to use `IdTokenResponse` instead of `TokenResponse`, then parses the returned `IdToken` and extracts the `hd` claim. If a domain has been configured and the `hd` claim does not match, the request is rejected with a 401 Unauthorized response [patch_id=2247101]. This ensures that only users whose Google account belongs to the configured hosted domain can authenticate.
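To make the server-side check concrete, the following Python example (added here; it is not code from the plugin or from Jenkins) models the vulnerable and the fixed authorization decision on a decoded ID token. The tokens, client ID and domain names are constructed for the demonstration; no real key signs them, and the signature segment is a placeholder, because the `hd` check operates on the decoded claims and the plugin receives the token directly from Google's token endpoint over TLS. The example goes slightly beyond the patch in that it also checks `iss`, `aud` and `exp` and compares the hosted domain case-insensitively.

```python
import base64
import json
import time

# Issuer values Google uses in ID tokens.
GOOGLE_ISSUERS = {"accounts.google.com", "https://accounts.google.com"}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # Restore the padding that compact JWT encoding strips.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_constructed_id_token(claims: dict) -> str:
    """Build a JWT-shaped string for demonstration only (constructed sample).
    The header is a placeholder and the third segment is not a real signature."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


def decode_claims(id_token: str) -> dict:
    """Return the payload claims of a compact JWT (no signature check here)."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def vulnerable_is_authorized(id_token: str, configured_domain: str) -> bool:
    """Models plugin 1.0/1.1: any Google account that completes the OAuth flow
    is accepted; configured_domain is never compared with the hd claim."""
    claims = decode_claims(id_token)
    return "sub" in claims


def fixed_is_authorized(id_token: str, configured_domain: str,
                        client_id: str, now: float = None) -> tuple:
    """Models the SECURITY-208 fix: reject the login unless the hd claim of the
    ID token matches the configured hosted domain. Returns (allowed, reason)."""
    now = time.time() if now is None else now
    claims = decode_claims(id_token)
    if claims.get("iss") not in GOOGLE_ISSUERS:
        return False, "unexpected issuer"
    if claims.get("aud") != client_id:
        return False, "token was issued for a different client"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    if configured_domain:
        hd = claims.get("hd")
        if hd is None:
            # Consumer (gmail.com) accounts carry no hd claim at all.
            return False, "no hosted-domain claim in token"
        if str(hd).lower() != configured_domain.lower():
            return False, f"hosted domain {hd!r} does not match"
    return True, "ok"


# Constructed demonstration values (not real identifiers).
CLIENT_ID = "example-client-id.apps.googleusercontent.com"
CONFIGURED_DOMAIN = "example.com"
NOW = 1_700_000_000


def demo() -> dict:
    """Run both decision functions over constructed tokens."""
    base = {"iss": "https://accounts.google.com", "aud": CLIENT_ID,
            "sub": "110000000000000000001", "exp": NOW + 600}
    tokens = {
        "in_domain": make_constructed_id_token({**base, "hd": "Example.com",
                                                "email": "alice@example.com"}),
        "consumer": make_constructed_id_token({**base, "email": "mallory@gmail.com"}),
        "other_domain": make_constructed_id_token({**base, "hd": "other.example",
                                                   "email": "bob@other.example"}),
        "expired": make_constructed_id_token({**base, "hd": "example.com",
                                              "exp": NOW - 1}),
    }
    return {name: (vulnerable_is_authorized(tok, CONFIGURED_DOMAIN),
                   fixed_is_authorized(tok, CONFIGURED_DOMAIN, CLIENT_ID, now=NOW))
            for name, tok in tokens.items()}


if __name__ == "__main__":
    for name, (vuln, fixed) in demo().items():
        print(f"{name:13s} vulnerable={vuln!s:5s} fixed={fixed}")
```

The `demo()` output shows the bug directly: the vulnerable decision accepts all three unexpired accounts, while the fixed decision accepts only the one whose `hd` claim matches the configured domain and names the reason for every rejection, which is what an audit log of the login endpoint should carry.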
Preconditions
- config: Jenkins instance must have the Google Login Plugin (version 1.0 or 1.1) installed and configured with a Google Apps Domain restriction.
- auth: Attacker must have a valid Google account (any domain) and be able to initiate the OAuth login flow.
- network: Attacker must be able to reach the Jenkins login endpoint over the network.
Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- https://github.com/advisories/GHSA-p487-39h9-hm84 (GitHub Security Advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2015-5298 (NVD)
- https://exfiltrated.com/research-CVE-2015-5298.php (research write-up)
- https://www.jenkins.io/security/advisory/2015-10-12 (Jenkins security advisory; cited by GHSA and MITRE)