CVE-2023-50771: Open redirect vulnerability in Jenkins OpenId Connect Authentication Plugin

December 13, 2023 (updated November 15, 2024)

Jenkins OpenId Connect Authentication Plugin 2.6 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins, allowing attackers to perform phishing attacks.

References

github.com/advisories/GHSA-9qv8-7jfq-73j2
github.com/jenkins-infra/update-center2/pull/767
github.com/jenkinsci/oic-auth-plugin
github.com/jenkinsci/oic-auth-plugin/commit/a97a4041f39c85aa746c047ac14ee69199dadf05
github.com/jenkinsci/oic-auth-plugin/pull/261
github.com/jenkinsci/oic-auth-plugin/releases/tag/oic-auth-3.0
nvd.nist.gov/vuln/detail/CVE-2023-50771
www.jenkins.io/security/advisory/2023-12-13/

Detect and mitigate CVE-2023-50771 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →