CVE-2018-1000174
Description
An open redirect in Jenkins Google Login Plugin 1.3 and older allows attackers to redirect users to arbitrary URLs after login, enabling phishing attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An open redirect in Jenkins Google Login Plugin 1.3 and older allows attackers to redirect users to arbitrary URLs after login, enabling phishing attacks.
Vulnerability
An open redirect vulnerability exists in the Jenkins Google Login Plugin, version 1.3 and older, in the GoogleOAuth2SecurityRealm.java file. The plugin does not validate user-supplied redirect URLs after a successful Google OAuth login, allowing attackers to specify an arbitrary URL via a query parameter. This affects all installations using the affected plugin version [1], [2].
Exploitation
An attacker can craft a malicious link that, after a victim successfully authenticates via Google Login in Jenkins, redirects the victim to an arbitrary external URL controlled by the attacker. The attacker only needs to trick a Jenkins user into clicking the crafted link and completing the login process; no additional privileges are required [2].
Impact
Successful exploitation allows the attacker to perform phishing attacks by redirecting victims to malicious sites after login. This can lead to credential theft or other social engineering attacks, as the victim may believe they are still interacting with the legitimate Jenkins instance. The impact is limited to redirecting the user's browser; no Jenkins data is directly exposed [1], [2].
Mitigation
Users should upgrade to Google Login Plugin version 1.4 or later, which fixes the issue by only performing redirects to relative URLs. The fix was included in the 2018-04-16 security advisory [2]. No workarounds are documented; upgrading the plugin is the recommended mitigation.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.jenkins-ci.plugins:google-loginMaven | < 1.3.1 | 1.3.1 |
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
5- github.com/advisories/GHSA-j279-cx9m-jv3wghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2018-1000174ghsaADVISORY
- www.securityfocus.com/bid/104211ghsavdb-entryx_refsource_BIDWEB
- jenkins.io/security/advisory/2018-04-16ghsaWEB
- jenkins.io/security/advisory/2018-04-16/mitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.