PT-2019-11768 · Jenkins · Jenkins Gitlab Authentication Plugin

Wadeck Follonier · Published 2019-08-07 · Updated 2023-10-25 · CVE-2019-10372

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Jenkins Gitlab Authentication Plugin version 1.4 and earlier
Description: The plugin records the HTTP Referer header when the GitLab authentication process starts and, once the user has finished logging in, redirects them to that recorded URL without checking that it points back into Jenkins. Because the Referer is supplied by the browser and reflects the page the login was started from, an attacker who links a user to the Jenkins login from a site they control (and, if needed, sets a Referrer-Policy of unsafe-url on that page so the full URL is sent) has the user land on an attacker-controlled URL after a successful login: an open redirect. This is well suited to phishing, since the user has just authenticated to Jenkins and expects to be looking at a Jenkins page.
Recommendations: For Jenkins Gitlab Authentication Plugin version 1.4 and earlier, update to a release that no longer uses the Referer header as the post-login target as soon as one is available for your instance. Until then, do not let the Referer header drive the post-login redirect: disable the redirect in GitLabSecurityRealm.java, or honour only targets that resolve to the Jenkins root URL (same scheme, host and port, and under the Jenkins context path) and fall back to the Jenkins root URL for anything else. Reject protocol-relative targets (//host), targets with a different scheme such as javascript:, and targets containing backslashes, since browsers rewrite those and they bypass naive prefix checks.
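The redirect check described in the recommendations, as an added example that is not the plugin's own code (the plugin is written in Java; this Python model shows the same logic so it can be run stand-alone): a model of the weak behaviour described above beside a hardened check. The root URL https://jenkins.example.com/, the function names and the sample Referer values are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit, urljoin

# Assumed Jenkins root URL for this example (a real instance takes it from
# its configuration); any other origin must never become a redirect target.
JENKINS_ROOT_URL = "https://jenkins.example.com/"


def vulnerable_post_login_redirect(referer, jenkins_root_url=JENKINS_ROOT_URL):
    """Model of the weak behaviour described in the advisory: whatever the
    Referer said when login started is used verbatim as the post-login target,
    so a login started from https://evil.example/ ends on https://evil.example/."""
    return referer if referer else jenkins_root_url


def safe_post_login_redirect(referer, jenkins_root_url=JENKINS_ROOT_URL):
    """Hardened variant: only return a target that stays on the Jenkins origin
    and under its context path; everything else falls back to the root URL."""
    if not referer:
        return jenkins_root_url
    # Browsers rewrite backslashes in http(s) URLs ("/\\evil" becomes "//evil")
    # and mishandle control characters, so neither may reach a Location header.
    if any(ch == "\\" or ord(ch) < 0x20 or ord(ch) == 0x7F for ch in referer):
        return jenkins_root_url
    root = urlsplit(jenkins_root_url)
    # Resolve relative references against the root so "/job/x" and
    # "https://jenkins.example.com/job/x" are checked the same way. A
    # protocol-relative "//evil.example" keeps its own authority and a
    # "javascript:" URL keeps its own scheme here; both fail the origin check.
    target = urlsplit(urljoin(jenkins_root_url, referer))
    if (target.scheme.lower() != root.scheme.lower()
            or target.netloc.lower() != root.netloc.lower()):
        return jenkins_root_url
    # Stay inside the Jenkins context path (matters when Jenkins is served
    # under a prefix such as /jenkins/); urljoin has already removed "..".
    if not target.path.startswith(root.path):
        return jenkins_root_url
    # Rebuild from the trusted scheme and authority; drop any fragment.
    return urlunsplit((root.scheme, root.netloc, target.path, target.query, ""))


if __name__ == "__main__":
    # Constructed sample Referer values, not captured traffic.
    for referer in ("https://jenkins.example.com/job/demo/",
                    "/job/demo/?x=1",
                    "https://evil.example/login",
                    "//evil.example/login",
                    "https://jenkins.example.com@evil.example/",
                    "/\\evil.example",
                    "javascript:alert(1)"):
        print(f"{referer!r:48} vulnerable -> {vulnerable_post_login_redirect(referer)}")
        print(f"{'':48} safe       -> {safe_post_login_redirect(referer)}")
```

The hardened check deliberately reconstructs the target from the trusted scheme and host rather than echoing the Referer back, so even a value that passes every test is emitted in a normalised form; anything ambiguous falls back to the Jenkins root URL instead of being rejected with an error, which keeps the login flow working while removing the attacker's ability to choose the destination.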

Fix

Open Redirect

Weakness Enumeration

Related Identifiers

CVE-2019-10372
GHSA-PG59-2W33-8VMC

Affected Products

Jenkins
Jenkins Gitlab Authentication Plugin