CVE Vulnerability

CVE-2022-25196

Jenkins GitLab Authentication Plugin 1.13 and earlier records the HTTP Referer header as part of the URL query parameters when the authentication process starts, allowing attackers with access to Jenkins to craft a URL that will redirect users to an attacker-specified URL after logging in.

4.9 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 6.8 / Impact : 4.9

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact NONE

Scope

5.4 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References
Link Resource
https://www.jenkins.io/security/advisory/2022-02-15/#SECURITY-1833 Issue Tracking Patch
http://www.openwall.com/lists/oss-security/2022/02/15/2 Mailing List Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:jenkins:gitlab_authentication:*:*:*:*:*:jenkins:*:*
Information

Published : 2022-02-15 05:15

Updated : 2022-02-23 07:57

NVD link : CVE-2022-25196

Mitre link : CVE-2022-25196

Products Affected
No products.
CWE
CWE-601

URL Redirection to Untrusted Site ('Open Redirect')