CVE-2022-46683
Description
Jenkins Google Login Plugin 1.4-1.6 has an open redirect vulnerability allowing phishing attacks by forwarding users to arbitrary sites after login.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Overview
Jenkins Google Login Plugin versions 1.4 through 1.6 contain an open redirect vulnerability. The plugin improperly validates the redirect URL after a successful Google OAuth login, allowing an attacker to specify an arbitrary external URL as the redirect target [1]. The root cause is an inverted check in the doCommenceLogin method: the from parameter or Referer header was used as the post-login redirect target precisely when Util.isSafeToRedirectTo rejected it, so unsafe absolute URLs were accepted and safe relative ones fell through [2].
Exploitation
An attacker can craft a Jenkins URL with a malicious from parameter or manipulate the Referer header. When a victim clicks this link and completes Google authentication, the plugin redirects them to the attacker-controlled site instead of staying within Jenkins [1]. No authentication or special permissions are required to exploit this; the attacker only needs to convince a user to visit the crafted URL.
Impact
Successful exploitation enables phishing attacks. Users may be redirected to a fake login page or malicious site, potentially leading to credential theft or further compromise. The vulnerability is rated Medium severity (CVSS 3.1 score 4.3) [1].
Mitigation
The issue is fixed in Google Login Plugin version 1.7, which restricts redirects to relative (Jenkins) URLs only [1]. The fix was implemented in commit 532d714, which introduces a getRedirectOnFinish method that properly uses Util.isSafeToRedirectTo to validate the redirect target [2]. Users should upgrade to version 1.7 or later immediately.
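The selection logic before and after the fix, side by side, as an added example that is not the plugin's own code. isSafeToRedirectTo here is a simplified, conservative stand-in for Jenkins' hudson.Util.isSafeToRedirectTo (it only accepts relative paths), and the root URL and sample inputs are constructed.

```java
import java.util.Arrays;
import java.util.List;

public class RedirectSelection {
    // Constructed stand-in for what getRootURL() would return on a real instance.
    static final String ROOT_URL = "https://jenkins.example.test/";

    /** Simplified stand-in for Util.isSafeToRedirectTo: accept only relative paths
     *  (no scheme, not protocol-relative, no leading backslash). Deliberately conservative. */
    static boolean isSafeToRedirectTo(String url) {
        if (url.startsWith("//") || url.startsWith("\\") || url.startsWith("/\\")) {
            return false;
        }
        int colon = url.indexOf(':');
        int slash = url.indexOf('/');
        // A ':' before the first '/' means the value carries a scheme, i.e. it is absolute.
        return colon == -1 || (slash != -1 && slash < colon);
    }

    /** Selection as in plugin 1.4-1.6: the safety check is negated, so the
     *  unsafe candidate wins and the safe one falls through to the root URL. */
    static String buggyRedirect(String from, String referer) {
        if (from != null && !isSafeToRedirectTo(from)) return from;
        if (referer != null && !isSafeToRedirectTo(referer)) return referer;
        return ROOT_URL;
    }

    /** Selection as in 1.7: a candidate is used only when the check accepts it. */
    static String fixedRedirect(String from, String referer) {
        if (from != null && isSafeToRedirectTo(from)) return from;
        if (referer != null && isSafeToRedirectTo(referer)) return referer;
        return ROOT_URL;
    }

    public static void main(String[] args) {
        // Constructed inputs: a relative path, an absolute URL, a protocol-relative URL, nothing.
        List<String[]> cases = Arrays.asList(
            new String[]{"job/build", null},
            new String[]{"https://external.example", "job/build"},
            new String[]{"//external.example", null},
            new String[]{null, null});
        for (String[] c : cases) {
            System.out.printf("from=%-26s referer=%-10s buggy=%-26s fixed=%s%n",
                c[0], c[1], buggyRedirect(c[0], c[1]), fixedRedirect(c[0], c[1]));
        }
    }
}
```

With the buggy variant the relative path is rejected in favour of the root URL while both absolute forms are returned verbatim; the fixed variant does the reverse.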
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:google-login (Maven) | >= 1.4, < 1.7 | 1.7 |
Patches
1. 532d714943ff [SECURITY-2967]
2 files changed · +29 −10
src/main/java/org/jenkinsci/plugins/googlelogin/GoogleOAuth2SecurityRealm.java+13 −8 modified@@ -186,14 +186,7 @@ protected String getPostLogOutUrl(StaplerRequest req, Authentication auth) { @SuppressWarnings("unused") // stapler @Restricted(DoNotUse.class) // stapler only public HttpResponse doCommenceLogin(StaplerRequest request, @QueryParameter String from, @Header("Referer") final String referer) throws IOException { - final String redirectOnFinish; - if (from != null && ! Util.isSafeToRedirectTo(from)) { - redirectOnFinish = from; - } else if (referer != null && ! Util.isSafeToRedirectTo(referer)) { - redirectOnFinish = referer; - } else { - redirectOnFinish = getRootURL(); - } + final String redirectOnFinish = getRedirectOnFinish(from, referer); final AuthorizationCodeFlow flow = new AuthorizationCodeFlow.Builder( BearerToken.queryParameterAccessMethod(), HTTP_TRANSPORT, JSON_FACTORY, TOKEN_SERVER_URL, @@ -255,6 +248,18 @@ public void initialize(HttpRequest request) throws IOException { return oAuthSession.doCommenceLogin(flow); } + String getRedirectOnFinish(String from, String referer) { + final String redirectOnFinish; + if (from != null && Util.isSafeToRedirectTo(from)) { + redirectOnFinish = from; + } else if (referer != null && Util.isSafeToRedirectTo(referer)) { + redirectOnFinish = referer; + } else { + redirectOnFinish = getRootURL(); + } + return redirectOnFinish; + } + @VisibleForTesting boolean isDomainValid(Object tokenDomain) { if (domain == null) {
src/test/java/org/jenkinsci/plugins/googlelogin/GoogleOAuth2SecurityRealmTest.java+16 −2 modified@@ -4,16 +4,16 @@ import org.junit.Test; import org.jvnet.hudson.test.JenkinsRule; -import org.apache.commons.lang.StringUtils; import java.io.IOException; +import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertFalse; import static org.junit.Assert.assertTrue; public class GoogleOAuth2SecurityRealmTest { @Rule - public JenkinsRule jenkins = new JenkinsRule(); + public JenkinsRule r = new JenkinsRule(); @Test public void accidentallyBlank() throws IOException { @@ -55,4 +55,18 @@ private GoogleOAuth2SecurityRealm setupInstanceWithDomains(String domains) throw String clientSecret = "clientSecret"; return new GoogleOAuth2SecurityRealm(clientId, clientSecret, domains); } + + @Test + public void testRedirect() throws Exception { + GoogleOAuth2SecurityRealm instance = setupInstanceWithDomains("acme.com"); + assertEquals("relative", instance.getRedirectOnFinish("relative", null)); + assertEquals("relative", instance.getRedirectOnFinish("relative", "referrer")); + assertEquals("relative", instance.getRedirectOnFinish("relative", "http://absolute")); + assertEquals("relative", instance.getRedirectOnFinish("http://absolute", "relative")); + assertEquals("relative", instance.getRedirectOnFinish("//protocol-relative", "relative")); + assertEquals("relative", instance.getRedirectOnFinish(null, "relative")); + String rootURL = r.getURL().toExternalForm(); + assertEquals(rootURL, instance.getRedirectOnFinish("http://absolute", null)); + assertEquals(rootURL, instance.getRedirectOnFinish("http://absolute", "http://absolute2")); + } }
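Review bot: in the first hunk of GoogleOAuth2SecurityRealm.java, the removed block had the safety check negated (`if (from != null && ! Util.isSafeToRedirectTo(from))`), so an absolute `from` or Referer was used as the post-login target and a relative one fell through; the commit message should say the polarity was inverted, because the diff as written reads like a pure extraction refactor. Moving the selection into getRedirectOnFinish is the right shape, since it becomes testable without a Stapler request.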
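Review bot: the new getRedirectOnFinish in the second hunk is package-private and has no Javadoc; add a comment stating that `from` and then the Referer are used only when Util.isSafeToRedirectTo accepts them and that getRootURL() is the fallback, and mark it @VisibleForTesting like the neighbouring isDomainValid so the reduced visibility is read as a test hook rather than an oversight. The precedence (from before Referer) is unchanged from the old code, which is fine.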
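Review bot: in the test file's first hunk, renaming the JenkinsRule field from `jenkins` to `r` is unrelated churn in a security fix; either keep the old name or mention the rename in the commit message. Dropping the unused StringUtils import is fine.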
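Review bot: testRedirect in the last hunk never exercises the both-null case, so the final fallback is only reached through unsafe inputs; add `assertEquals(rootURL, instance.getRedirectOnFinish(null, null));`. The expected root URL is taken from `r.getURL().toExternalForm()`, so the test relies on getRootURL() agreeing with the JenkinsRule URL; a one-line comment saying so would save the next reader a lookup.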
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4 News mentions
1. Jenkins Security Advisory 2022-12-07 (Jenkins Security Advisories · Dec 7, 2022)