VYPR
Moderate severity · NVD Advisory · Published Dec 13, 2023 · Updated Feb 13, 2025

CVE-2023-50771

Description

Jenkins OpenId Connect Authentication Plugin 2.6 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins, allowing attackers to perform phishing attacks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Jenkins OpenId Connect Authentication Plugin 2.6 and earlier allows phishing because its check that the post-login redirect URL points back to Jenkins can be bypassed.

Vulnerability

Jenkins OpenId Connect Authentication Plugin 2.6 and earlier does not properly validate that a redirect URL after login is legitimately pointing to Jenkins. This flaw allows an attacker to craft a redirect to a malicious site, enabling phishing attacks [1][4].

Exploitation

An attacker can trick a user into clicking a specially crafted login link. After successful authentication via OpenId Connect, the plugin redirects the user to the attacker-controlled URL instead of the legitimate Jenkins instance. No special privileges are required beyond the ability to craft such a link [1][3].
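To make the crafted-link variants concrete, the following is an added example written for this page; it is not the oic-auth plugin's code, and the page does not show the plugin's pre-fix logic, so the naive check inside it is a hypothetical illustration of the bug class only. The strict validator follows the contract visible in the test of the patch below (null or empty resolves to the root URL, "/foo" resolves to root URL + "foo", malformed input throws MalformedURLException) and additionally rejects scheme-relative, userinfo and path-traversal forms that would leave the Jenkins origin. The class name, the explicit rootUrl parameter, the sample root URL http://localhost:8080/jenkins/ and the host evil.example are assumptions of this example.

```java
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.List;

/**
 * Added example, not the oic-auth plugin's code: a post-login redirect validator that
 * accepts only destinations on the Jenkins root URL's origin and under its path.
 */
public final class RedirectUrlValidator {

    private RedirectUrlValidator() {}

    /**
     * Hypothetical naive check, shown only to illustrate the bug class (the page does not
     * show the plugin's pre-fix logic). It accepts "//evil.example/" and "/\evil.example/",
     * which browsers resolve to a different host.
     */
    static boolean naiveLooksLocal(String rootUrl, String url) {
        return url != null && (url.startsWith("/") || url.startsWith(rootUrl));
    }

    /**
     * Strict validator. Contract taken from the test in the patch on this page:
     * null or "" -> rootUrl; "/foo" -> rootUrl + "foo"; a same-origin absolute URL is
     * returned (normalized); anything else throws MalformedURLException.
     */
    public static String getValidRedirectUrl(String rootUrl, String url) throws MalformedURLException {
        URI root = parseHttpUrl(rootUrl);                       // e.g. http://localhost:8080/jenkins/
        if (url == null || url.isEmpty()) {
            return rootUrl;
        }
        if (url.startsWith("/")) {
            // Scheme-relative "//host" and the backslash variant name a new authority, not a path.
            if (url.startsWith("//") || url.startsWith("/\\")) {
                throw new MalformedURLException("scheme-relative redirect rejected: " + url);
            }
            String base = rootUrl.endsWith("/") ? rootUrl.substring(0, rootUrl.length() - 1) : rootUrl;
            return base + url;
        }
        // Absolute URL: compare scheme, host and effective port, then require the
        // normalized path to stay under the root path ("/jenkins/../admin" is rejected).
        URI target = parseHttpUrl(url).normalize();
        boolean sameOrigin = target.getScheme().equalsIgnoreCase(root.getScheme())
                && target.getHost().equalsIgnoreCase(root.getHost())
                && effectivePort(target) == effectivePort(root);
        String rootPath = root.getPath().endsWith("/") ? root.getPath() : root.getPath() + "/";
        String path = target.getPath() == null ? "" : target.getPath();
        boolean underRoot = path.equals(rootPath.substring(0, rootPath.length() - 1)) || path.startsWith(rootPath);
        if (!sameOrigin || !underRoot) {
            throw new MalformedURLException("redirect leaves Jenkins: " + url);
        }
        return target.toString();
    }

    /** Accepts only absolute http(s) URLs with a host; "foobar" and "javascript:..." are rejected. */
    private static URI parseHttpUrl(String s) throws MalformedURLException {
        URI u;
        try {
            u = new URI(s);
        } catch (URISyntaxException e) {
            throw new MalformedURLException("unparseable URL: " + s);
        }
        String scheme = u.getScheme() == null ? "" : u.getScheme().toLowerCase();
        // For "http://localhost:8080@evil.example/" the host is evil.example and
        // "localhost:8080" is userinfo, so the origin comparison in the caller rejects it.
        if (!(scheme.equals("http") || scheme.equals("https")) || u.getHost() == null) {
            throw new MalformedURLException("not an absolute http(s) URL: " + s);
        }
        return u;
    }

    private static int effectivePort(URI u) {
        if (u.getPort() != -1) {
            return u.getPort();
        }
        return "https".equalsIgnoreCase(u.getScheme()) ? 443 : 80;
    }

    public static void main(String[] args) {
        String rootUrl = "http://localhost:8080/jenkins/";      // constructed sample root URL
        List<String> candidates = Arrays.asList(                // constructed sample inputs
                (String) null, "", "/foo", rootUrl + "bar", "foobar",
                "//evil.example/", "/\\evil.example/",
                "http://evil.example/jenkins/", "http://localhost:8080@evil.example/jenkins/",
                "https://localhost:8080/jenkins/", "http://localhost:8080/jenkins/../admin",
                "http://LOCALHOST:8080/jenkins/job/x", "javascript:alert(1)");
        for (String c : candidates) {
            String naive = naiveLooksLocal(rootUrl, c) ? "naive=ALLOW " : "naive=REJECT";
            try {
                System.out.println(naive + "  strict=ALLOW  " + c + " -> " + getValidRedirectUrl(rootUrl, c));
            } catch (MalformedURLException e) {
                System.out.println(naive + "  strict=REJECT " + c + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Running main prints one line per candidate: the relative path, the same-origin absolute URL and the case-insensitive host variant are allowed, while the scheme-relative, backslash, foreign-host, userinfo, scheme-mismatch, traversal and javascript: forms are rejected; the naive check differs on the first two of those, which is the gap a phishing link exploits. The mapping of "/foo" onto root URL + "foo" follows the page's test rather than RFC 3986 resolution, so keep that rule consistent with whatever the surrounding application does with relative paths.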

Impact

Successful exploitation can lead to credential theft or session hijacking, as users may enter sensitive information on the phishing page. The attack does not compromise the Jenkins instance itself but targets user credentials [3][4].

Mitigation

At the time of the Jenkins Security Advisory 2023-12-13, no fix was available. The GitHub Security Advisory now lists version 3.0 as patched (see Affected packages below), so upgrade the plugin to 3.0 or later. Where an upgrade is not yet possible, disable the plugin if it is not essential and treat login links from untrusted sources with caution [1][3].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:oic-auth (Maven)
Affected versions: < 3.0
Patched versions: 3.0


Patches

a97a4041f39c

Add test for redirect url validation

https://github.com/jenkinsci/oic-auth-plugin · Benjamin Wenzel · Jan 31, 2024 · via ghsa
2 files changed · +17 −1
  • src/main/java/org/jenkinsci/plugins/oic/OicSecurityRealm.java (+1 −1, modified)
    @@ -730,7 +730,7 @@ protected AuthorizationCodeFlow buildAuthorizationCodeFlow() {
             return builder.build();
         }
     
    -    private String getValidRedirectUrl(String url) {
    +    protected String getValidRedirectUrl(String url) {
             if (url != null && !url.isEmpty()) {
                 // Check if the URL is relative and starts with a slash
                 if (url.startsWith("/")) {
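Review bot: the `private` to `protected` change on `getValidRedirectUrl` exists only so the test can call it, and `OicSecurityRealmTest` lives in the same package (`org.jenkinsci.plugins.oic`), so package-private access (drop `private` without adding `protected`) would suffice; `protected` makes a validation helper part of the subclass API, so at minimum mark it `@Restricted(NoExternalUse.class)` as Jenkins plugins do for such helpers. Note also that nothing in this hunk touches the validation logic itself (the `// Check if the URL is relative and starts with a slash` line is unchanged context), so this commit should not be read as the fix for the redirect check on its own.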
    
  • src/test/java/org/jenkinsci/plugins/oic/OicSecurityRealmTest.java (+16 −0, modified)
    @@ -4,6 +4,8 @@
     import com.github.tomakehurst.wiremock.junit.WireMockRule;
     import hudson.util.Secret;
     import java.io.IOException;
    +import java.net.MalformedURLException;
    +
     import org.acegisecurity.AuthenticationManager;
     import org.acegisecurity.BadCredentialsException;
     import org.acegisecurity.GrantedAuthority;
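Review bot: the added blank line after `import java.net.MalformedURLException;` splits the `java.*` imports from the `org.acegisecurity.*` group unevenly (there is no blank line between `java.io.IOException` and the existing imports above); drop the `+` blank line so the import block keeps its current grouping.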
    @@ -16,6 +18,7 @@
     
     import static org.junit.Assert.assertEquals;
     import static org.junit.Assert.assertNotNull;
    +import static org.junit.Assert.assertThrows;
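Review bot: `org.junit.Assert.assertThrows` only exists from JUnit 4.13 onward; confirm the test dependency in the pom is at least that version, or this import will not compile.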
     
     public class OicSecurityRealmTest {
     
    @@ -83,4 +86,17 @@ public void testShouldSetNullClientSecretWhenSecretIsNone() throws IOException {
                 .build();
             assertEquals("none", Secret.toString(realm.getClientSecret()));
         }
    +
    +    @Test
    +    public void testGetValidRedirectUrl() throws IOException {
    +        String rootUrl = "http://localhost:" + wireMockRule.port() + "/jenkins/";
    +
    +        TestRealm realm = new TestRealm.Builder(wireMockRule)
    +                .WithMinimalDefaults().build();
    +        assertEquals(rootUrl + "foo", realm.getValidRedirectUrl("/foo"));
    +        assertEquals(rootUrl + "bar", realm.getValidRedirectUrl(rootUrl + "bar"));
    +        assertEquals(rootUrl, realm.getValidRedirectUrl(null));
    +        assertEquals(rootUrl, realm.getValidRedirectUrl(""));
    +        assertThrows(MalformedURLException.class, () -> realm.getValidRedirectUrl("foobar"));
    +    }
     }
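Review bot: the new test exercises relative, same-root, null, empty and malformed inputs, but not the case the advisory describes, an absolute URL pointing at another host. Add negative cases such as `assertThrows(MalformedURLException.class, () -> realm.getValidRedirectUrl("http://evil.example/"))`, a scheme-relative `"//evil.example/"`, and a same-host variant on a different scheme or port, so that a regression in origin matching is caught rather than only the parse failure on `"foobar"`. The page shows only that `"foobar"` throws, which a missing scheme alone would explain, so the expected behaviour for a well-formed but foreign URL needs to be asserted explicitly.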
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
