{"id":"GHSA-pg59-2w33-8vmc","summary":"Jenkins Gitlab Authentication Plugin Open Redirect vulnerability","details":"GitLab Authentication Plugin records the HTTP `Referer` header when the authentication process starts and redirects users to that URL when the user has finished logging in.\n\nBecause the recorded `Referer` value is attacker-influenced and becomes the post-login redirect target, this is an open redirect (CWE-601): an attacker who lures a user into starting the Jenkins login from a malicious page can have the user sent back to that attacker-controlled page after authenticating. This enables phishing, since users expect to have just logged in to Jenkins and may trust the page they land on. Upgrade to version 1.5 or later, which fixes the issue.","aliases":["CVE-2019-10372"],"modified":"2024-02-16T08:19:54.695260Z","published":"2022-05-24T16:52:45Z","database_specific":{"github_reviewed_at":"2023-03-03T22:49:24Z","github_reviewed":true,"severity":"MODERATE","nvd_published_at":"2019-08-07T15:15:00Z","cwe_ids":["CWE-601"]},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2019-10372"},{"type":"WEB","url":"https://github.com/jenkinsci/gitlab-oauth-plugin/commit/10059a4d4e121e0c3b13f6e6f74843565bb0b49a"},{"type":"WEB","url":"https://jenkins.io/security/advisory/2019-08-07/#SECURITY-796"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2019/08/07/1"}],"affected":[{"package":{"name":"org.jenkins-ci.plugins:gitlab-oauth","ecosystem":"Maven","purl":"pkg:maven/org.jenkins-ci.plugins/gitlab-oauth"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.5"}]}],"versions":["1.0.3","1.0.4","1.0.5","1.0.6","1.0.7","1.0.8","1.0.9","1.1","1.2","1.3","1.4"],"database_specific":{"last_known_affected_version_range":"\u003c= 1.4","source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-pg59-2w33-8vmc/GHSA-pg59-2w33-8vmc.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}