Maven package
org.jenkins-ci.plugins/google-login
pkg:maven/org.jenkins-ci.plugins/google-login
Vulnerabilities (5)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2023-41936 | — | < 1.8 | 1.8 | Sep 6, 2023 | Jenkins Google Login Plugin 1.7 and earlier uses a non-constant time comparison function when checking whether the provided and expected token are equal, potentially allowing attackers to use statistical methods to obtain a valid token. | ||
| CVE-2022-46683 | — | >= 1.4, < 1.7 | 1.7 | Dec 7, 2022 | Jenkins Google Login Plugin 1.4 through 1.6 (both inclusive) improperly determines that a redirect URL after login is legitimately pointing to Jenkins. | ||
| CVE-2015-5298 | — | >= 1.0, < 1.2 | 1.2 | Jul 7, 2022 | The Google Login Plugin (versions 1.0 and 1.1) allows malicious anonymous users to authenticate successfully against Jenkins instances that are supposed to be locked down to a particular Google Apps domain through client-side request modification. | ||
| CVE-2018-1000174 | — | < 1.3.1 | 1.3.1 | May 8, 2018 | An open redirect vulnerability exists in Jenkins Google Login Plugin 1.3 and older in GoogleOAuth2SecurityRealm.java that allows attackers to redirect users to an arbitrary URL after successful login. | ||
| CVE-2018-1000173 | — | < 1.3.1 | 1.3.1 | May 8, 2018 | A session fixaction vulnerability exists in Jenkins Google Login Plugin 1.3 and older in GoogleOAuth2SecurityRealm.java that allows unauthorized attackers to impersonate another user if they can control the pre-authentication session. |
- CVE-2023-41936Sep 6, 2023affected < 1.8fixed 1.8
Jenkins Google Login Plugin 1.7 and earlier uses a non-constant time comparison function when checking whether the provided and expected token are equal, potentially allowing attackers to use statistical methods to obtain a valid token.
- CVE-2022-46683Dec 7, 2022affected >= 1.4, < 1.7fixed 1.7
Jenkins Google Login Plugin 1.4 through 1.6 (both inclusive) improperly determines that a redirect URL after login is legitimately pointing to Jenkins.
- CVE-2015-5298Jul 7, 2022affected >= 1.0, < 1.2fixed 1.2
The Google Login Plugin (versions 1.0 and 1.1) allows malicious anonymous users to authenticate successfully against Jenkins instances that are supposed to be locked down to a particular Google Apps domain through client-side request modification.
- CVE-2018-1000174May 8, 2018affected < 1.3.1fixed 1.3.1
An open redirect vulnerability exists in Jenkins Google Login Plugin 1.3 and older in GoogleOAuth2SecurityRealm.java that allows attackers to redirect users to an arbitrary URL after successful login.
- CVE-2018-1000173May 8, 2018affected < 1.3.1fixed 1.3.1
A session fixaction vulnerability exists in Jenkins Google Login Plugin 1.3 and older in GoogleOAuth2SecurityRealm.java that allows unauthorized attackers to impersonate another user if they can control the pre-authentication session.