Note: This project will be discontinued after December 13, 2021.
Product: Openid (Jenkins)

Repositories | Unknown: This might be proprietary software. |
#Vulnerabilities | 6 |

Date | Id | Summary | Products | Score | Patch | Annotated |
---|---|---|---|---|---|---|
2023-01-26 | CVE-2023-24445 | Jenkins OpenID Plugin 2.4 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins. | Openid | 6.1 | ||
2023-01-26 | CVE-2023-24444 | Jenkins OpenID Plugin 2.4 and earlier does not invalidate the previous session on login. | Openid | 9.8 | ||
2023-01-26 | CVE-2023-24446 | A cross-site request forgery (CSRF) vulnerability in Jenkins OpenID Plugin 2.4 and earlier allows attackers to trick users into logging in to the attacker's account. | Openid | 8.8 | ||
2023-12-13 | CVE-2023-50770 | Jenkins OpenId Connect Authentication Plugin 2.6 and earlier stores a password of a local user account used as an anti-lockout feature in a recoverable format, allowing attackers with access to the Jenkins controller file system to recover the plain text password of that account, likely gaining administrator access to Jenkins. | Openid | 6.7 | ||
2019-04-04 | CVE-2019-1003098 | A cross-site request forgery vulnerability in Jenkins openid Plugin in the OpenIdSsoSecurityRealm.DescriptorImpl#doValidate form validation method allows attackers to initiate a connection to an attacker-specified server. | Openid | 6.5 | ||
2019-04-04 | CVE-2019-1003099 | A missing permission check in Jenkins openid Plugin in the OpenIdSsoSecurityRealm.DescriptorImpl#doValidate form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server. | Openid | 6.5 | ||