CVE-2015-5298 — Improper Authentication in Project Jenkins Google Login Plugin

CWE-287 — Improper Authentication5 documents5 sources

Severity

6.5MEDIUMNVD

EPSS

0.7%

top 27.38%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Project Jenkins Google Login Plugin Jenkins Google Login

Timeline

PublishedJul 7

Latest updateJul 8

Description

The Google Login Plugin (versions 1.0 and 1.1) allows malicious anonymous users to authenticate successfully against Jenkins instances that are supposed to be locked down to a particular Google Apps domain through client-side request modification.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

▶CVEListV5jenkins_project/jenkins_google_login_pluginJenkins Google Login Plugin 1.0 and 1.1

▶NVDjenkins/google_login1.0, 1.1+1

🔴Vulnerability Details

OSV

Jenkins Google Login Plugin 1.0 and 1.1 allows anonymous users to authenticate through client-side request modification↗2022-07-08

▶

GHSA

Jenkins Google Login Plugin 1.0 and 1.1 allows anonymous users to authenticate through client-side request modification↗2022-07-08

▶

CVEList

CVE-2015-5298: The Google Login Plugin (versions 1↗2022-07-07

▶

📋Vendor Advisories

Jenkins

Jenkins Security Advisory 2015-10-12↗2015-10-12

▶