CVE-2022-25196

CWE-601 — Open Redirect6 documents6 sources

Severity

5.4MEDIUM

EPSS

0.0%

top 94.38%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Project Jenkins Gitlab Authentication Plugin Jenkins Gitlab Authentication

Timeline

PublishedFeb 15

Latest updateFeb 16

Description

Jenkins GitLab Authentication Plugin 1.13 and earlier records the HTTP Referer header as part of the URL query parameters when the authentication process starts, allowing attackers with access to Jenkins to craft a URL that will redirect users to an attacker-specified URL after logging in.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages3 packages

▶CVEListV5jenkins_project/jenkins_gitlab_authentication_pluginunspecified — 1.13

▶NVDjenkins/gitlab_authentication1.13

▶Mavenorg.jenkins-ci.plugins:gitlab-oauth1.13

Patches

Patch: www.jenkins.io ↗Patch: www.jenkins.io ↗

🔴Vulnerability Details

OSV

Open redirect vulnerability in Jenkins GitLab Authentication Plugin↗2022-02-16

▶

GHSA

Open redirect vulnerability in Jenkins GitLab Authentication Plugin↗2022-02-16

▶

CVEList

CVE-2022-25196: Jenkins GitLab Authentication Plugin 1↗2022-02-15

▶

📋Vendor Advisories

GitLab

CVE-2022-25196: Jenkins GitLab Authentication Plugin 1.13 and earlier records the HTTP Referer header as part of the URL query parameters when the authentication proc↗2022-02-15

▶

Jenkins

Jenkins Security Advisory 2022-02-15↗2022-02-15

▶