Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2022-25196

Jenkins GitLab Authentication Plugin 1.13 and earlier records the HTTP Referer header as part of the URL query parameters when the authentication process starts, allowing attackers with access to Jenkins to craft a URL that will redirect users to an attacker-specified URL after logging in.

Published

2022-02-15T17:15:10.537

Last Modified

2024-11-21T06:51:47.397

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 5.4 (MEDIUM)

CVSSv2 Vector

AV:N/AC:M/Au:S/C:P/I:P/A:N

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE

Exploitability Score

6.8

Impact Score

4.9

Weaknesses

Type: Primary
CWE-601

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	jenkins	gitlab_authentication	≤ 1.13	Yes

References

http://www.openwall.com/lists/oss-security/2022/02/15/2 Mailing List, Third Party Advisory ([email protected])
https://www.jenkins.io/security/advisory/2022-02-15/#SECURITY-1833 Issue Tracking, Patch, Vendor Advisory ([email protected])
http://www.openwall.com/lists/oss-security/2022/02/15/2 Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.jenkins.io/security/advisory/2022-02-15/#SECURITY-1833 Issue Tracking, Patch, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)