CVE-2023-24457

Name of the Vulnerable Software and Affected Versions Jenkins Keycloak Authentication Plugin versions 2.3.0 and earlier

Description A cross-site request forgery (CSRF) issue allows attackers to trick users into logging in to the attacker's account. This can be achieved by exploiting the login functionality, potentially through manipulated API endpoints such as "/login" or "/authenticate", although specific endpoints are not mentioned. The attackers may utilize vulnerable parameters like username and password to execute the attack.

Recommendations For Jenkins Keycloak Authentication Plugin versions 2.3.0 and earlier, consider disabling the login functionality through the Keycloak Authentication Plugin until a patch is available. Restrict access to authentication modules to minimize the risk of exploitation. Avoid using sensitive parameters in authentication requests until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.