Advisories for Maven/Org.jenkins-Ci.plugins/Saml package

Jenkins SAML Plugin 4.583.vc68232f7018a_ and earlier does not implement a replay cache. This allows attackers able to obtain information about the SAML authentication flow between a user’s web browser and Jenkins to replay those requests, authenticating to Jenkins as that user. SAML Plugin 4.583.585.v22ccc1139f55 implements a replay cache that rejects replayed requests.

Jenkins SAML Plugin allows attackers to craft URLs that would bypass the CSRF protection of any target URL in Jenkins.

A session fixation vulnerability exists in the Jenkins SAML Plugin that allows unauthorized attackers to impersonate another users if they can control the pre-authentication session.