CVE-2018-1000174
Jenkins Google Login Plugin Open Redirect vulnerability
5.4
MEDIUM
CVSS 3.1
EPSS 0.03%
Description
An open redirect vulnerability exists in Jenkins Google Login Plugin 1.3 and older in GoogleOAuth2SecurityRealm.java that allows attackers to redirect users to an arbitrary URL after a successful login: a victim who follows a crafted login link authenticates against the genuine Jenkins instance and is then sent to an attacker-chosen site, typically one that imitates Jenkins to harvest credentials. Google Login Plugin 1.3.1 only performs redirects to relative URLs.
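The following is an added illustration of the bug class and of the kind of check the 1.3.1 fix describes (redirect only to relative URLs). It is not the plugin's code; `vulnerableTarget`, `isSafeRelativeRedirect` and `hardenedTarget` are hypothetical names, and the probe strings are constructed for the demonstration. The hardened check refuses absolute URLs, scheme-relative `//host` forms, backslash variants that browsers normalise to slashes, and control characters that can hide a scheme from naive prefix tests.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.List;

/**
 * Added example, not code from the Google Login Plugin: a post-login
 * redirect that forwards to whatever the caller supplied, beside a check
 * that only accepts relative paths on this application's own origin.
 */
public class RedirectCheck {

    /** Hypothetical vulnerable behaviour: the caller-supplied target is used as-is. */
    static String vulnerableTarget(String from) {
        return from == null ? "/" : from;
    }

    /**
     * Hypothetical hardened check: accept only a single-slash relative path.
     * Rejects absolute URLs (https://...), scheme-relative URLs (//evil.example),
     * backslash variants ("/\evil.example"), control characters, and anything
     * java.net.URI refuses to parse.
     */
    static boolean isSafeRelativeRedirect(String target) {
        if (target == null || target.isEmpty()) {
            return false;
        }
        // Whitespace and control characters are used to smuggle a scheme past prefix checks.
        for (char c : target.toCharArray()) {
            if (c <= 0x20 || c == 0x7f) {
                return false;
            }
        }
        // Must start with exactly one slash: "//host" is protocol-relative and leaves the origin.
        if (!target.startsWith("/") || target.startsWith("//") || target.startsWith("/\\")) {
            return false;
        }
        // Browsers treat backslashes as slashes in URLs, so "/\evil" becomes "//evil".
        if (target.contains("\\")) {
            return false;
        }
        try {
            URI uri = new URI(target);
            // A parsed scheme or authority means this is not a same-origin path.
            return uri.getScheme() == null && uri.getRawAuthority() == null && !uri.isAbsolute();
        } catch (URISyntaxException e) {
            return false;
        }
    }

    /** Fall back to the application root whenever the target fails the check. */
    static String hardenedTarget(String from) {
        return isSafeRelativeRedirect(from) ? from : "/";
    }

    public static void main(String[] args) {
        // Constructed probes: two legitimate targets and several open-redirect payload shapes.
        List<String> probes = Arrays.asList(
            "/job/app/", "/", "//evil.example/phish", "https://evil.example/",
            "/\\evil.example", "javascript:alert(1)", "\t//evil.example", null);
        for (String p : probes) {
            System.out.printf("%-24s vulnerable -> %-24s hardened -> %s%n",
                p, vulnerableTarget(p), hardenedTarget(p));
        }
    }
}
```

Only `/job/app/` and `/` pass the hardened check; every other probe is replaced by `/`. Current Jenkins core exposes `hudson.Util.isSafeToRedirectTo(String)` for this purpose, which plugin code should prefer over a hand-rolled check where the core baseline allows it.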
How to fix CVE-2018-1000174
To remediate CVE-2018-1000174, upgrade the affected plugin to a fixed version:
- Google Login Plugin: upgrade to 1.3.1 or later
Is CVE-2018-1000174 being exploited?
Low: the EPSS score is 0.03%, a very low estimated probability of exploitation in the wild; no widespread exploitation has been reported.
Affected packages (1)
- Jenkins Google Login Plugin: all versions before 1.3.1 (from 0, < 1.3.1)
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (5.4) | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N |

The vector string carries the CVSS:3.0 prefix although the source lists it as 3.1; for this vector (unchanged scope, low confidentiality and integrity impact, user interaction required) the 3.0 and 3.1 formulas both give 5.4.