Authentication Redirection Vulnerability in Jenkins GitLab Plugin by Jenkins
CVE-2022-25196

5.4MEDIUM

Key Information:

Vendor: Jenkins
Status: Jenkins Gitlab Authentication Plugin
Vendor: CVE Published:; 15 February 2022

Summary

The Jenkins GitLab Authentication Plugin versions 1.13 and earlier are vulnerable to an issue where the HTTP Referer header is recorded as part of the URL query parameters during the authentication process. This flaw enables attackers with access to Jenkins to create malicious URLs. When users log in, they may be redirected to an attacker-controlled site, potentially leading to phishing attacks or further exploitation.

Affected Version(s)

Jenkins GitLab Authentication Plugin <= 1.13

References

https://www.jenkins.io/security/advisory/2022-02-15/#SECU...

x_refsource_CONFIRM

http://www.openwall.com/lists/oss-security/2022/02/15/2

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Feb 15, 2022
Vulnerability Reserved
Feb 15, 2022