CVE-2021-21673
Description
Jenkins CAS Plugin 1.6.0 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins, allowing attackers to perform phishing attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins CAS Plugin 1.6.0 and earlier does not validate the URL it redirects users to after login (an open redirect), which attackers can abuse for phishing.
Vulnerability
Jenkins CAS Plugin versions 1.6.0 and earlier do not properly validate the redirect URL used after login [1][2][3]. The plugin's post-login success handler (SessionUrlAuthenticationSuccessHandler) takes the return-to URL from a session attribute or request parameter and only strips the servlet context path before redirecting; it never checks that the target is a path on the same Jenkins instance, so an absolute or protocol-relative URL is redirected to as-is. This lets an attacker craft links that start at the real Jenkins URL but end on a site of their choosing. Every configuration running an affected plugin version is exposed.
Exploitation
An attacker exploits this by sending a user a link to the Jenkins instance whose return-to target points at an external site; the user logs in through CAS as usual, and the plugin then redirects the now-authenticated browser to the attacker's page. The attacker needs no account on the Jenkins instance and no special privileges, only knowledge of the instance URL [3][4]; the victim performs the authentication.
Impact
Successful exploitation enables an attacker to conduct phishing attacks, potentially stealing user credentials or sensitive information by directing victims to a fake login page [2][3].
Mitigation
The vulnerability is fixed in CAS Plugin version 1.6.1, released on June 30, 2021 [4]. Users should upgrade to this version or later immediately. No workarounds are available for earlier versions.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:cas-plugin (Maven) | < 1.6.1 | 1.6.1 |
Affected products
- Range: <=1.6.0
- Range: unspecified
Patches
- 8ac536a95315: Fixed SECURITY-2387
2 files changed · +15 −5
CHANGELOG.md+2 −0 modified@@ -2,6 +2,8 @@ ## [Unreleased] +- Fixed security issue (SECURITY-2387). + ## [1.6.0] - 2021-02-18 - Added option to customize validation URL parameters in advanced protocol configuration.
src/main/java/org/jenkinsci/plugins/cas/spring/security/SessionUrlAuthenticationSuccessHandler.java+13 −5 modified@@ -7,6 +7,8 @@ import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler; import org.springframework.util.StringUtils; +import hudson.Util; + /** * <tt>AuthenticationSuccessHandler</tt> that behaves like <tt>SimpleUrlAuthenticationSuccessHandler</tt>, * but also looks for a configurable session attribute holding the target URL to redirect to. @@ -39,15 +41,21 @@ protected String determineTargetUrl(HttpServletRequest request, HttpServletRespo } if (isAlwaysUseDefaultTargetUrl() || !StringUtils.hasText(targetUrl) || (getTargetUrlParameter() != null && StringUtils.hasText(request.getParameter(getTargetUrlParameter())))) { - return super.determineTargetUrl(request, response); + targetUrl = super.determineTargetUrl(request, response); + } else { + logger.debug("Found targetUrlSessionAttribute in request: " + targetUrl); } - logger.debug("Found targetUrlSessionAttribute in request: " + targetUrl); - // URL returned from determineTargetUrl() is resolved against the context path, // whereas the "from" URL is resolved against the top of the website, so adjust this. - if (targetUrl.startsWith(request.getContextPath())) - return targetUrl.substring(request.getContextPath().length()); + if (targetUrl.startsWith(request.getContextPath())) { + targetUrl = targetUrl.substring(request.getContextPath().length()); + } + + if (!Util.isSafeToRedirectTo(targetUrl)) { + logger.debug("Target URL is not safe to redirect to and will be ignored: " + targetUrl); + targetUrl = getDefaultTargetUrl(); + } return targetUrl; }
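Review bot: the CHANGELOG.md hunk records only "Fixed security issue (SECURITY-2387)." under [Unreleased], which tells an operator reading release notes nothing about what changed; state the behaviour (post-login redirect targets that do not stay on this Jenkins instance are now ignored and the default target URL is used instead) and add the advisory reference once it is published.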
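Review bot: in the import hunk, `import hudson.Util;` is tacked on after the `org.springframework.util.StringUtils` line, set off by blank lines, rather than placed in order with the file's other imports; move it into its alphabetical/group position so the import block stays consistent.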
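Review bot: in the determineTargetUrl hunk, the rejected-target branch logs only at debug level ("Target URL is not safe to redirect to and will be ignored: " + targetUrl), so the very phishing attempt this fix blocks leaves no trace on a default-configured instance; log it at info or warn, and since targetUrl is attacker-controlled, consider truncating or escaping it before it reaches the log. The ordering is correct, the isSafeToRedirectTo check runs after the context-path strip, which matters because stripping "/jenkins" from "/jenkins//host" yields a protocol-relative "//host". The diff touches no test (2 files changed, both non-test): add a unit test for SessionUrlAuthenticationSuccessHandler covering an absolute URL, a protocol-relative "//host" target and a legitimate context-relative path, asserting the first two fall back to getDefaultTargetUrl().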
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
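As an added example that is not code from the CAS plugin or from Jenkins, the following Java program models the post-login target determination described in the Vulnerability and Exploitation sections above, before and after the fix: the 1.6.0 behaviour only strips the servlet context path, while the 1.6.1 behaviour additionally rejects any target that would leave the Jenkins origin and falls back to the default. The class name RedirectTargetCheck, the `from` parameter (standing in for the session attribute or request parameter that carries the return-to URL), DEFAULT_TARGET and the isSafeToRedirectTo re-implementation are assumptions made here; the plugin's own fix delegates that check to hudson.Util.isSafeToRedirectTo, which is not reproduced.

```java
import java.net.URI;
import java.net.URISyntaxException;

/*
 * Added example, not code from the CAS plugin: a stripped-down model of the
 * post-login target determination in SessionUrlAuthenticationSuccessHandler.
 * Assumed names: RedirectTargetCheck, the "from" parameter (return-to URL taken
 * from the session attribute or request parameter), DEFAULT_TARGET, and the
 * isSafeToRedirectTo re-implementation standing in for hudson.Util.
 */
public class RedirectTargetCheck {

    static final String DEFAULT_TARGET = "/";

    /** 1.6.0 and earlier: only the servlet context path is stripped. */
    static String determineTargetUrlVulnerable(String contextPath, String from) {
        String targetUrl = (from == null || from.trim().isEmpty()) ? DEFAULT_TARGET : from;
        if (targetUrl.startsWith(contextPath)) {
            targetUrl = targetUrl.substring(contextPath.length());
        }
        return targetUrl;
    }

    /** 1.6.1: same strip, then an off-origin target is replaced by the default.
     *  The check must run after the strip: "/jenkins//host" becomes "//host". */
    static String determineTargetUrlFixed(String contextPath, String from) {
        String targetUrl = determineTargetUrlVulnerable(contextPath, from);
        if (!isSafeToRedirectTo(targetUrl)) {
            return DEFAULT_TARGET;
        }
        return targetUrl;
    }

    /**
     * Hypothetical stand-in for hudson.Util.isSafeToRedirectTo (assumption; the
     * Jenkins core helper is not reproduced here). Accept only targets the
     * container resolves against this origin: no scheme, no authority, and no
     * protocol-relative "//" or backslash prefix (browsers treat "\" like "/"
     * in http(s) URLs, so "/\host" also resolves to another host).
     */
    static boolean isSafeToRedirectTo(String url) {
        if (url == null || url.isEmpty()) {
            return false;
        }
        if (url.startsWith("//") || url.startsWith("\\") || url.startsWith("/\\")) {
            return false;
        }
        try {
            URI uri = new URI(url);
            return !uri.isAbsolute() && uri.getRawAuthority() == null;
        } catch (URISyntaxException e) {
            return false; // anything the URI parser rejects is not a known-good path
        }
    }

    public static void main(String[] args) {
        String contextPath = "/jenkins"; // assumed servlet context path
        // Constructed return-to values: the first is legitimate, the rest are crafted.
        String[] samples = {
            "/jenkins/job/build-all/",             // stays on Jenkins
            "https://evil.example/jenkins/login",  // absolute URL to a login-page clone
            "//evil.example/jenkins/login",        // protocol-relative, same effect
            "/jenkins//evil.example/login",        // strip of "/jenkins" leaves "//evil.example/login"
            "/\\evil.example/login",               // backslash variant
        };
        for (String from : samples) {
            System.out.printf("%-38s vulnerable -> %-36s fixed -> %s%n",
                    from,
                    determineTargetUrlVulnerable(contextPath, from),
                    determineTargetUrlFixed(contextPath, from));
        }
    }
}
```

Save as RedirectTargetCheck.java, compile with `javac RedirectTargetCheck.java` and run `java RedirectTargetCheck`: the vulnerable column returns each crafted value unchanged (the fourth sample shows how the context-path strip itself produces a protocol-relative URL), while the fixed column returns "/" for all of them and keeps only the legitimate "/job/build-all/".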
References
- github.com/advisories/GHSA-2vvr-5757-qp87 (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-21673 (NVD)
- www.openwall.com/lists/oss-security/2021/06/30/1 (oss-security mailing list)
- github.com/jenkinsci/cas-plugin/commit/8ac536a953156160dbabb61bdb3b9bc75c3d0ef9 (fix commit)
- www.jenkins.io/security/advisory/2021-06-30/ (Jenkins Security Advisory, vendor confirmation)
News mentions
- Jenkins Security Advisory 2021-06-30 (Jenkins Security Advisories, Jun 30, 2021)