Session fixation vulnerability in Jenkins OpenID Plugin
Jenkins OpenID Plugin 2.4 and earlier does not invalidate the previous session on login.
Advisories for Maven/Org.jenkins-Ci.plugins/Openid package
2023
Open redirect vulnerability in Jenkins OpenID Plugin
Jenkins OpenID Plugin 2.4 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins.
Cross-Site Request Forgery (CSRF)
A cross-site request forgery (CSRF) vulnerability in Jenkins OpenID Plugin 2.4 and earlier allows attackers to trick users into logging in to the attacker's account.
2022
Missing Authorization
A missing permission check in Jenkins openid Plugin in the OpenIdSsoSecurityRealm.DescriptorImpl#doValidate form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.
Cross-Site Request Forgery (CSRF)
A cross-site request forgery vulnerability in Jenkins openid Plugin in the OpenIdSsoSecurityRealm.DescriptorImpl#doValidate form validation method allows attackers to initiate a connection to an attacker-specified server.