Jenkins Project Jenkins Openid Plugin vulnerabilities

CVE-2023-24444 [CRITICAL] CWE-404 CVE-2023-24444: Jenkins OpenID Plugin 2.4 and earlier does not invalidate the previous session on login. Jenkins OpenID Plugin 2.4 and earlier does not invalidate the previous session on login.

CVE-2023-24446 [HIGH] CWE-352 CVE-2023-24446: A cross-site request forgery (CSRF) vulnerability in Jenkins OpenID Plugin 2.4 and earlier allows at A cross-site request forgery (CSRF) vulnerability in Jenkins OpenID Plugin 2.4 and earlier allows attackers to trick users into logging in to the attacker's account.

CVE-2023-24445 [MEDIUM] CWE-601 CVE-2023-24445: Jenkins OpenID Plugin 2.4 and earlier improperly determines that a redirect URL after login is legit Jenkins OpenID Plugin 2.4 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins.

CVE-2019-1003098 [MEDIUM] CWE-352 CVE-2019-1003098: A cross-site request forgery vulnerability in Jenkins openid Plugin in the OpenIdSsoSecurityRealm.De A cross-site request forgery vulnerability in Jenkins openid Plugin in the OpenIdSsoSecurityRealm.DescriptorImpl#doValidate form validation method allows attackers to initiate a connection to an attacker-specified server.

CVE-2019-1003099 [MEDIUM] CWE-862 CVE-2019-1003099: A missing permission check in Jenkins openid Plugin in the OpenIdSsoSecurityRealm.DescriptorImpl#doV A missing permission check in Jenkins openid Plugin in the OpenIdSsoSecurityRealm.DescriptorImpl#doValidate form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.