PT-2021-14716 · Jenkins · Jenkins Cas Plugin+1

Wadeck Follonier · Published 2021-06-30 · Updated 2023-10-25

CVE-2021-21673
CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Jenkins CAS Plugin versions 1.6.0 and earlier

Description: Jenkins CAS Plugin 1.6.0 and earlier improperly determines that the redirect URL used after login legitimately points to Jenkins. An attacker can craft a Jenkins URL that, once the victim has successfully authenticated, forwards them to an attacker-controlled site, which enables phishing. The victim must open the crafted URL (UI:R in the CVSS vector); the redirect is only followed after authentication succeeds.

Recommendations: For Jenkins CAS Plugin versions 1.6.0 and earlier, update to version 1.6.1 or later, which only redirects to URLs relative to the Jenkins root, mitigating the phishing risk.
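The check the fix tightens, shown as an added example in Python. This is not the plugin's own code and does not reproduce the actual 1.6.0 logic, which the advisory does not detail: the weak check is a hypothetical stand-in for the class of flaw described (trusting any target that "looks like" it points to Jenkins), and the hardened check implements the 1.6.1 policy of accepting only a path relative to the Jenkins root. The root URL `https://jenkins.example.com/` and all sample targets are constructed for the example.

```python
"""Post-login redirect validation: a hypothetical weak check beside a hardened one.

Added example, not code from the Jenkins CAS plugin. The weak check is an
illustration of the flaw class, not the plugin's pre-1.6.1 implementation.
"""
from urllib.parse import urljoin, urlsplit

# Assumed Jenkins root URL, constructed for the example.
JENKINS_ROOT = "https://jenkins.example.com/"


def is_safe_redirect_weak(target: str, root: str = JENKINS_ROOT) -> bool:
    """Hypothetical flawed check: accept anything that "looks like" Jenkins.

    Two classic mistakes: prefix matching on the root without a trailing
    separator (https://jenkins.example.com.evil.example/ passes), and treating
    every leading "/" as relative (//evil.example/ is protocol-relative and
    leaves the site).
    """
    return target.startswith("/") or target.startswith(root.rstrip("/"))


def is_safe_redirect(target: str) -> bool:
    """Accept only a path relative to the Jenkins root (the 1.6.1 policy).

    Rejects absolute URLs (any scheme or host), protocol-relative URLs
    ("//host"), the backslash form browsers normalise to "//" ("/\\host"),
    and control characters that could split the Location header.
    """
    if not target or not target.startswith("/"):
        return False
    if target.startswith("//") or target.startswith("/\\"):
        return False
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        return False
    parts = urlsplit(target)
    # Belt and braces: a relative path must carry neither scheme nor host.
    return parts.scheme == "" and parts.netloc == ""


def resolve_post_login_redirect(target: str, root: str = JENKINS_ROOT) -> str:
    """Absolute URL to send the user to after authentication.

    An unsafe target is not honoured; the user lands on the Jenkins root.
    """
    if not is_safe_redirect(target):
        return root
    return urljoin(root, target)


# Constructed sample "return to" values an attacker or a legitimate link might supply.
SAMPLE_TARGETS = [
    "/job/build-api/",
    "/view/all/?next=//evil.example/",
    "https://jenkins.example.com/job/x",
    "https://jenkins.example.com.evil.example/",
    "//evil.example/",
    "/\\evil.example/",
    "javascript:alert(1)",
    "/job/x\r\nSet-Cookie: a=b",
]


def compare_checks(targets=SAMPLE_TARGETS) -> dict:
    """Map each target to (weak verdict, hardened verdict, URL actually used)."""
    return {
        t: (is_safe_redirect_weak(t), is_safe_redirect(t), resolve_post_login_redirect(t))
        for t in targets
    }


if __name__ == "__main__":
    for target, (weak, hard, resolved) in compare_checks().items():
        print(f"{target!r:45} weak={weak!s:5} hardened={hard!s:5} -> {resolved}")
```

The hardened check deliberately refuses absolute URLs even when they name the real Jenkins host, because host comparison is where lookalike domains and parser differences creep in; a relative path joined onto a server-side root URL cannot leave the site. If Jenkins is deployed under a context path (for example `https://host/jenkins/`), a leading-slash path resolves against the host root rather than that context path, which is still the same origin but may not be where the user expected to land.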

Fix

Update to Jenkins CAS Plugin 1.6.1 or later.

Weakness Enumeration

Open Redirect (CWE-601)

Related Identifiers

CVE-2021-21673
GHSA-2VVR-5757-QP87

Affected Products

Jenkins
Jenkins Cas Plugin