Search Results (14 CVEs found)

CVE | Vendors | Products | Updated | CVSS v3.1 | Description
---|---|---|---|---|---
CVE-2025-47884 | Jenkins | Openid Connect Provider | 2025-06-12 | 9.1 Critical | In Jenkins OpenID Connect Provider Plugin 96.vee8ed882ec4d and earlier, the generation of build ID Tokens uses potentially overridden values of environment variables, in conjunction with certain other plugins allowing attackers able to configure jobs to craft a build ID Token that impersonates a trusted job, potentially gaining unauthorized access to external services.
CVE-2023-50771 | Jenkins | Openid Connect Authentication | 2025-05-28 | 6.1 Medium | Jenkins OpenId Connect Authentication Plugin 2.6 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins, allowing attackers to perform phishing attacks.
CVE-2025-24399 | Jenkins | Openid Connect Authentication | 2025-05-07 | 8.8 High | Jenkins OpenId Connect Authentication Plugin 4.452.v2849b_d3945fa_ and earlier, except 4.438.440.v3f5f201de5dc, treats usernames as case-insensitive, allowing attackers on Jenkins instances configured with a case-sensitive OpenID Connect provider to log in as any user by providing a username that differs only in letter case, potentially gaining administrator access to Jenkins.
CVE-2024-52553 | Jenkins | Openid, Openid Connect Authentication | 2025-05-07 | 8.8 High | Jenkins OpenId Connect Authentication Plugin 4.418.vccc7061f5b_6d and earlier does not invalidate the previous session on login.
CVE-2024-47806 | Jenkins, Jenkins Project | Openid Connect Authentication, Jenkins Openid Connect Authentication Plugin | 2025-05-06 | 8.1 High | Jenkins OpenId Connect Authentication Plugin 4.354.v321ce67a_1de8 and earlier does not check the `aud` (Audience) claim of an ID Token, allowing attackers to subvert the authentication flow, potentially gaining administrator access to Jenkins.
CVE-2024-47807 | Jenkins, Jenkins Project | Openid Connect Authentication, Jenkins Openid Connect Authentication Plugin | 2025-05-06 | 8.1 High | Jenkins OpenId Connect Authentication Plugin 4.354.v321ce67a_1de8 and earlier does not check the `iss` (Issuer) claim of an ID Token, allowing attackers to subvert the authentication flow, potentially gaining administrator access to Jenkins.
CVE-2023-24424 | Jenkins | Openid Connect Authentication | 2025-04-02 | 8.8 High | Jenkins OpenId Connect Authentication Plugin 2.4 and earlier does not invalidate the previous session on login.
CVE-2023-24446 | Jenkins | Openid | 2025-04-02 | 8.8 High | A cross-site request forgery (CSRF) vulnerability in Jenkins OpenID Plugin 2.4 and earlier allows attackers to trick users into logging in to the attacker's account.
CVE-2023-24445 | Jenkins | Openid | 2025-04-02 | 6.1 Medium | Jenkins OpenID Plugin 2.4 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins.
CVE-2023-24444 | Jenkins | Openid | 2025-04-02 | 9.8 Critical | Jenkins OpenID Plugin 2.4 and earlier does not invalidate the previous session on login.
CVE-2023-50770 | Jenkins | Openid | 2025-02-13 | 6.7 Medium | Jenkins OpenId Connect Authentication Plugin 2.6 and earlier stores the password of a local user account used as an anti-lockout feature in a recoverable format, allowing attackers with access to the Jenkins controller file system to recover the plain text password of that account, likely gaining administrator access to Jenkins.
CVE-2019-1003099 | Jenkins | Openid | 2024-11-21 | 6.5 Medium | A missing permission check in Jenkins openid Plugin in the OpenIdSsoSecurityRealm.DescriptorImpl#doValidate form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.
CVE-2019-1003098 | Jenkins | Openid | 2024-11-21 | N/A | A cross-site request forgery vulnerability in Jenkins openid Plugin in the OpenIdSsoSecurityRealm.DescriptorImpl#doValidate form validation method allows attackers to initiate a connection to an attacker-specified server.
CVE-2019-1003021 | Jenkins | Openid Connect Authentication | 2024-11-21 | N/A | An exposure of sensitive information vulnerability exists in Jenkins OpenId Connect Authentication Plugin 1.4 and earlier in OicSecurityRealm/config.jelly that allows attackers able to view a Jenkins administrator's web browser output, or to control the browser (e.g. via a malicious extension), to retrieve the configured client secret.