Maven package

org.jenkins-ci.plugins/openid

pkg:maven/org.jenkins-ci.plugins/openid

Vulnerabilities (5)

CVE	CVSS	Affected versions	Fixed in	Published	Description
CVE-2023-24446	—	<= 2.4	—	Jan 24, 2023	A cross-site request forgery (CSRF) vulnerability in Jenkins OpenID Plugin 2.4 and earlier allows attackers to trick users into logging in to the attacker's account.
CVE-2023-24445	—	<= 2.4	—	Jan 24, 2023	Jenkins OpenID Plugin 2.4 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins.
CVE-2023-24444	—	<= 2.4	—	Jan 24, 2023	Jenkins OpenID Plugin 2.4 and earlier does not invalidate the previous session on login.
CVE-2019-1003099	—	< 2.4	2.4	Apr 4, 2019	A missing permission check in Jenkins openid Plugin in the OpenIdSsoSecurityRealm.DescriptorImpl#doValidate form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.
CVE-2019-1003098	—	< 2.4	2.4	Apr 4, 2019	A cross-site request forgery vulnerability in Jenkins openid Plugin in the OpenIdSsoSecurityRealm.DescriptorImpl#doValidate form validation method allows attackers to initiate a connection to an attacker-specified server.

CVE-2023-24446Jan 24, 2023
affected <= 2.4
A cross-site request forgery (CSRF) vulnerability in Jenkins OpenID Plugin 2.4 and earlier allows attackers to trick users into logging in to the attacker's account.
CVE-2023-24445Jan 24, 2023
affected <= 2.4
Jenkins OpenID Plugin 2.4 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins.
CVE-2023-24444Jan 24, 2023
affected <= 2.4
Jenkins OpenID Plugin 2.4 and earlier does not invalidate the previous session on login.
CVE-2019-1003099Apr 4, 2019
affected < 2.4fixed 2.4
A missing permission check in Jenkins openid Plugin in the OpenIdSsoSecurityRealm.DescriptorImpl#doValidate form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.
CVE-2019-1003098Apr 4, 2019
affected < 2.4fixed 2.4
A cross-site request forgery vulnerability in Jenkins openid Plugin in the OpenIdSsoSecurityRealm.DescriptorImpl#doValidate form validation method allows attackers to initiate a connection to an attacker-specified server.