Jenkins CAS Plugin Session Fixation vulnerability
Jenkins CAS Plugin 1.6.2 and earlier does not invalidate the existing HTTP session when a user logs in. Because the pre-authentication session ID is kept after login, an attacker who can plant a known session ID in a victim's browser before the victim authenticates ends up holding an authenticated session once the login completes (session fixation).
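The following is an added example that models the described behaviour; it is not code from the Jenkins CAS Plugin and uses no Jenkins API. It contrasts a login that keeps the session the browser already presented with one that rotates the session ID, and runs a simulated fixation attack against each. All class and function names are hypothetical.

```python
"""Session fixation: why a login must issue a fresh session ID.

Added example, not code from the Jenkins CAS Plugin. It models the
behaviour described above with an in-memory session table; the class and
function names are hypothetical and nothing here is Jenkins' API.
"""
import secrets


class SessionStore:
    """Server-side session table: session ID -> attribute dict."""

    def __init__(self):
        self._sessions = {}

    def new_session(self):
        sid = secrets.token_hex(16)
        self._sessions[sid] = {}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def invalidate(self, sid):
        self._sessions.pop(sid, None)


def login_keeping_session(store, sid, username):
    """Vulnerable pattern (the behaviour described for CAS Plugin 1.6.2
    and earlier): authenticate, then store the user on whatever session
    the browser already presented. Returns the session ID the browser
    keeps using."""
    if store.get(sid) is None:
        sid = store.new_session()
    store.get(sid)["user"] = username
    return sid


def login_rotating_session(store, sid, username):
    """Fixed pattern: drop the pre-login session and bind the user to a
    newly generated ID, so an ID planted before login never becomes
    authenticated."""
    store.invalidate(sid)
    new_sid = store.new_session()
    store.get(new_sid)["user"] = username
    return new_sid


def run_fixation_attack(login):
    """Simulates the attack against a given login implementation.

    1. Attacker obtains an unauthenticated session ID from the server.
    2. Attacker plants that ID in the victim's browser (the delivery
       vector, e.g. a cookie-setting hole, is outside this example).
    3. Victim logs in; the browser presents the planted ID.
    4. Attacker reuses the planted ID.

    Returns a dict with the user the planted ID now resolves to (None if
    unauthenticated) and whether the victim ended up with a working
    authenticated session.
    """
    store = SessionStore()
    planted = store.new_session()                 # step 1
    victim_sid = login(store, planted, "alice")   # steps 2-3
    hijacked = store.get(planted)                 # step 4
    victim_session = store.get(victim_sid)
    return {
        "attacker_sees_user": hijacked.get("user") if hijacked else None,
        "victim_logged_in": bool(victim_session and victim_session.get("user") == "alice"),
    }


if __name__ == "__main__":
    print("keeping session: ", run_fixation_attack(login_keeping_session))
    print("rotating session:", run_fixation_attack(login_rotating_session))
```

With the keeping variant the planted ID resolves to "alice" after the victim logs in; with the rotating variant it resolves to nothing, while the victim still has a valid session under the new ID. In a servlet container the rotating step is `request.getSession().invalidate()` followed by `request.getSession(true)` before the authenticated principal is stored.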
Jenkins CAS Plugin improperly validates that the redirect URL used after login points to Jenkins, leaving an open redirect: an attacker can craft a login link that, once the victim has authenticated, sends the browser to an attacker-controlled site, which is useful for phishing.
A server-side request forgery (SSRF) vulnerability in CasSecurityRealm.java in the Jenkins CAS Plugin lets attackers with Overall/Read permission make the Jenkins controller send a GET request to a URL of their choosing.
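The open-redirect and SSRF issues above come down to the same question: does an attacker-influenced URL really point where the application assumes (the Jenkins root URL for the post-login redirect, the configured CAS server for the request the plugin sends on a user's behalf)? The following added example is not the plugin's code and does not describe the plugin's actual flawed check; it shows a commonly seen string-prefix test that fails this question beside an origin comparison that answers it correctly. Root URLs, host names and function names are hypothetical.

```python
"""Deciding whether a URL points at a trusted origin.

Added example, not code from the Jenkins CAS Plugin. The prefix check is a
generic illustration of a weak test, not a claim about the plugin's code.
"""
import posixpath
from urllib.parse import urljoin, urlsplit

# Hypothetical deployment values.
JENKINS_ROOT = "https://jenkins.example.com/"
CAS_SERVER = "https://cas.example.com/cas/"

_DEFAULT_PORTS = {"http": 80, "https": 443}


def points_to_naive(url, root):
    """Weak check: textual prefix test against the root without its
    trailing slash. 'https://jenkins.example.com.evil.net/' passes."""
    return url.startswith(root.rstrip("/"))


def _origin(parts):
    """(scheme, host, effective port) for a split URL; None if the port
    is malformed."""
    scheme = parts.scheme.lower()
    try:
        port = parts.port
    except ValueError:
        return None
    if port is None:
        port = _DEFAULT_PORTS.get(scheme)
    return scheme, (parts.hostname or "").lower(), port


def _norm_path(path):
    """Collapse '.' and '..' segments; an empty path means '/'."""
    return posixpath.normpath(path or "/")


def points_to(url, root):
    """Robust check: resolve url against root (so relative paths such as
    '/job/x' are allowed), then require http(s), no userinfo, the same
    scheme/host/port as root, and a normalized path under root's path.
    Backslashes are rejected because browsers treat them as slashes in
    http(s) URLs while urlsplit does not."""
    if "\\" in url:
        return False
    parts = urlsplit(urljoin(root, url))
    root_parts = urlsplit(root)
    if parts.scheme.lower() not in _DEFAULT_PORTS:
        return False
    if parts.username is not None or parts.password is not None:
        return False
    origin = _origin(parts)
    if origin is None or origin != _origin(root_parts):
        return False
    root_path = _norm_path(root_parts.path)
    path = _norm_path(parts.path)
    if root_path == "/":
        return True
    return path == root_path or path.startswith(root_path + "/")


if __name__ == "__main__":
    # Post-login redirect targets (open-redirect case).
    for candidate in ("/job/build/1/", "https://jenkins.example.com.evil.net/",
                      "https://jenkins.example.com@evil.net/", "//evil.net/"):
        print(f"redirect {candidate!r}: naive={points_to_naive(candidate, JENKINS_ROOT)}"
              f" robust={points_to(candidate, JENKINS_ROOT)}")
    # Outbound request targets (SSRF case): only the CAS server is allowed.
    for candidate in ("https://cas.example.com/cas/serviceValidate?ticket=ST-1",
                      "https://cas.example.com/cas/../admin/",
                      "http://169.254.169.254/latest/meta-data/"):
        print(f"fetch {candidate!r}: robust={points_to(candidate, CAS_SERVER)}")
```

For the redirect case the check gates where the browser is sent after login; for the SSRF case it gates the destination of the server's own GET request, where a lookalike host or a link-local metadata address is the typical target. Comparing the parsed origin rather than the raw string is what defeats the `host.evil.net` and `host@evil.net` variants that a prefix test accepts.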