High severity · CVSS 7.4 (NVD) · Advisory · Published May 17, 2016 · Updated May 6, 2026
CVE-2016-3726
Description
Multiple open redirect vulnerabilities in Jenkins before 2.3 and LTS before 1.651.2 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors related to "scheme-relative" URLs.
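The following Python port is an added example, not Jenkins code: it reproduces the pre-fix `isAbsoluteUri` heuristic and the post-fix `isAbsoluteOrSchemeRelativeUri` check from the patch, then applies them with the redirect policy of the `ParametersDefinitionProperty` call site (fall back to the context path when the target is external) on constructed inputs, so the scheme-relative gap is visible side by side.

```python
from typing import Optional


def _index_of(s: str, ch: str) -> int:
    """Like Java String.indexOf, but 'not found' is len(s) so '<' comparisons read naturally."""
    i = s.find(ch)
    return len(s) if i < 0 else i


def is_absolute_uri(uri: str) -> bool:
    """Pre-fix check: a ':' that comes before any '#', '?' and '/' is taken as a URI scheme."""
    idx = uri.find(":")
    if idx < 0:
        return False  # no ':' at all, cannot carry a scheme
    return idx < _index_of(uri, "#") and idx < _index_of(uri, "?") and idx < _index_of(uri, "/")


def is_absolute_or_scheme_relative_uri(uri: str) -> bool:
    """Post-fix check: also treat '//host/...' as external, since browsers resolve it to another origin."""
    return is_absolute_uri(uri) or uri.startswith("//")


def redirect_target(requested: Optional[str], context_path: str, fallback: str,
                    scheme_relative_aware: bool = True) -> str:
    """Mirror the redirectTo policy: keep the caller's target only if the check does not flag it."""
    check = is_absolute_or_scheme_relative_uri if scheme_relative_aware else is_absolute_uri
    if requested is None or check(requested):
        return context_path + "/" + fallback
    return requested


# Constructed sample targets (not from the advisory): what each policy does with them.
SAMPLES = [
    "http://example.test/",   # absolute: rejected by both checks
    "//example.test/",        # scheme-relative: accepted pre-fix, rejected post-fix
    "/job/demo/",             # in-app path: accepted by both
    "job/demo/?q=a:b",        # ':' after '/' and '?': not a scheme, accepted by both
]


def classify(samples=SAMPLES, context_path="/jenkins", fallback="job/demo/"):
    """Return {target: (pre_fix_result, post_fix_result)} for each constructed sample."""
    return {
        s: (redirect_target(s, context_path, fallback, scheme_relative_aware=False),
            redirect_target(s, context_path, fallback))
        for s in samples
    }


if __name__ == "__main__":
    for target, (before, after) in classify().items():
        print(f"{target!r:24} pre-fix -> {before!r:22} post-fix -> {after!r}")
```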
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.jenkins-ci.main:jenkins-core | Maven | >= 1.652, < 2.3 | 2.3 |
| org.jenkins-ci.main:jenkins-core | Maven | < 1.651.2 | 1.651.2 |
Patches (4)
Commit 2ed0c046dfbb: [FIX SECURITY-276] Don't allow open redirect using scheme-rel. URL
4 files changed · +17 −3
core/src/main/java/hudson/model/DirectoryBrowserSupport.java+1 −1 modified@@ -158,7 +158,7 @@ private void serveFile(StaplerRequest req, StaplerResponse rsp, VirtualFile root String pattern = req.getParameter("pattern"); if(pattern==null) pattern = req.getParameter("path"); // compatibility with Hudson<1.129 - if(pattern!=null && !Util.isAbsoluteUri(pattern)) {// avoid open redirect + if(pattern!=null && !Util.isAbsoluteOrSchemeRelativeUri(pattern)) {// avoid open redirect rsp.sendRedirect2(pattern); return; }
core/src/main/java/hudson/model/ParametersDefinitionProperty.java+1 −1 modified@@ -158,7 +158,7 @@ public void _doBuild(StaplerRequest req, StaplerResponse rsp, @QueryParameter Ti getJob(), delay.getTime(), new ParametersAction(values), new CauseAction(new Cause.UserIdCause())); if (item!=null) { String url = formData.optString("redirectTo"); - if (url==null || Util.isAbsoluteUri(url)) // avoid open redirect + if (url==null || Util.isAbsoluteOrSchemeRelativeUri(url)) // avoid open redirect url = req.getContextPath()+'/'+item.getUrl(); rsp.sendRedirect(formData.optInt("statusCode",SC_CREATED), url); } else
core/src/main/java/hudson/security/AuthenticationProcessingFilter2.java+1 −1 modified@@ -53,7 +53,7 @@ protected String determineTargetUrl(HttpServletRequest request) { if (targetUrl == null) return getDefaultTargetUrl(); - if (Util.isAbsoluteUri(targetUrl)) + if (Util.isAbsoluteOrSchemeRelativeUri(targetUrl)) return "."; // avoid open redirect // URL returned from determineTargetUrl() is resolved against the context path,
core/src/main/java/hudson/Util.java+14 −0 modified@@ -77,6 +77,8 @@ import javax.annotation.Nonnull; import javax.annotation.Nullable; import org.apache.commons.codec.digest.DigestUtils; +import org.kohsuke.accmod.Restricted; +import org.kohsuke.accmod.restrictions.NoExternalUse; /** * Various utility methods that don't have more proper home. @@ -1454,7 +1456,12 @@ public static String intern(@CheckForNull String s) { * The same algorithm can be seen in {@link URI}, but * implementing this by ourselves allow it to be more lenient about * escaping of URI. + * + * @deprecated Use {@code isAbsoluteOrSchemeRelativeUri} instead if your goal is to prevent open redirects */ + @Deprecated + @RestrictedSince("1.651.2 / 2.TODO") + @Restricted(NoExternalUse.class) public static boolean isAbsoluteUri(@Nonnull String uri) { int idx = uri.indexOf(':'); if (idx<0) return false; // no ':'. can't be absolute @@ -1463,6 +1470,13 @@ public static boolean isAbsoluteUri(@Nonnull String uri) { return idx<_indexOf(uri, '#') && idx<_indexOf(uri,'?') && idx<_indexOf(uri,'/'); } + /** + * Return true iff the parameter denotes an absolute URI, or a scheme-relative URI. + */ + public static boolean isAbsoluteOrSchemeRelativeUri(@Nonnull String uri) { + return isAbsoluteUri(uri) || uri.startsWith("//"); + } + /** * Works like {@link String#indexOf(int)} but 'not found' is returned as s.length(), not -1. * This enables more straight-forward comparison.
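Review bot: the `@RestrictedSince("1.651.2 / 2.TODO")` annotation in the Util.java hunk still carries a placeholder; the mainline release (the advisory lists 2.3 as the patched version) needs to be filled in before this is merged. Separately, `isAbsoluteOrSchemeRelativeUri` is a literal `startsWith("//")` test layered on the existing `':'`-position heuristic, so it remains a denylist of known external shapes rather than a guarantee that the target stays under the context path; stating that limitation in the new Javadoc, or resolving the target against the request context path and checking the result, would make the contract the three call sites rely on explicit.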
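Review bot: in the ParametersDefinitionProperty.java hunk the `url==null` half of the condition is unlikely ever to be true: if `formData` is the usual net.sf.json `JSONObject`, `formData.optString("redirectTo")` returns an empty string rather than null when the key is absent, so an empty `redirectTo` falls through to `rsp.sendRedirect(..., "")`. Consider `formData.optString("redirectTo", null)` or adding `url.isEmpty()` to the condition so the `req.getContextPath()+'/'+item.getUrl()` default is used in that case.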
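Review bot: in the DirectoryBrowserSupport.java hunk the accepted branch still passes the user-supplied `pattern` straight to `rsp.sendRedirect2(pattern)`, and the only explanation is the trailing `// avoid open redirect`; a comment stating that `pattern` (or the legacy `path` parameter) is expected to be a path relative to this directory, and that anything absolute or scheme-relative is dropped on purpose, would help the next maintainer who touches this compatibility path.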
References
- github.com/advisories/GHSA-rx4r-gxpc-h85x (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2016-3726 (GHSA, advisory)
- wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11 (NVD, vendor advisory)
- www.cloudbees.com/jenkins-security-advisory-2016-05-11 (NVD, vendor advisory)
- rhn.redhat.com/errata/RHSA-2016-1773.html (NVD)
- access.redhat.com/errata/RHSA-2016:1206 (NVD)
- github.com/jenkinsci/jenkins/commit/2ed0c046dfbb2003a17df27c53777e72c6eaff25 (GHSA, fix commit)