Jenkins CAS Plugin 1.6.2 and earlier does not invalidate the previous session on login (session fixation).
Max CVSS: 8.8 | EPSS score: 0.09% | Published: 2023-05-16 | Updated: 2023-05-30
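The entry above is a session fixation flaw: if the session a browser already holds before login is simply marked authenticated instead of being replaced, whoever planted that session id owns the victim's logged-in session. The following simulation is an added example, not code from the CAS Plugin or from Jenkins; the in-memory SessionStore, the two login handlers and the attacker/victim roles are constructed here to show the difference between keeping and rotating the session id.

```python
import secrets


class SessionStore:
    """Toy server-side session table (constructed for this example)."""

    def __init__(self):
        self._sessions = {}  # session id -> attribute dict

    def new_session(self):
        sid = secrets.token_hex(16)
        self._sessions[sid] = {"user": None}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def invalidate(self, sid):
        self._sessions.pop(sid, None)


def login_vulnerable(store, sid, user):
    """Marks the session the browser presented as authenticated in place.
    The pre-login id survives, so anyone who knows it is now logged in too."""
    session = store.get(sid)
    if session is None:
        sid = store.new_session()
        session = store.get(sid)
    session["user"] = user
    return sid


def login_fixed(store, sid, user):
    """Discards whatever session the browser presented and issues a fresh id
    that only the authenticating browser receives."""
    if store.get(sid) is not None:
        store.invalidate(sid)
    new_sid = store.new_session()
    store.get(new_sid)["user"] = user
    return new_sid


def session_fixation_attack(login):
    """Plays attacker against victim and reports the outcome.

    1. Attacker obtains an anonymous session id from the server.
    2. Attacker plants that id in the victim's browser (for example via a link
       or cookie injection; the delivery channel is out of scope here).
    3. Victim completes login while presenting the planted id.
    4. Attacker presents the id they planted.
    """
    store = SessionStore()
    planted_sid = store.new_session()                              # step 1
    victim_sid_after_login = login(store, planted_sid, "victim")   # steps 2-3
    attacker_view = store.get(planted_sid)                         # step 4
    return {
        "attacker_authenticated_as": attacker_view["user"] if attacker_view else None,
        "session_id_rotated": victim_sid_after_login != planted_sid,
    }
```

In a servlet container the rotation in `login_fixed` corresponds to calling `HttpServletRequest.changeSessionId()` (Servlet 3.1 and later) or invalidating the session and creating a new one at the point where the CAS ticket has been validated and the user is considered authenticated.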
Jenkins CAS Plugin 1.6.0 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins, allowing attackers to perform phishing attacks (open redirect).
Max CVSS: 6.1 | EPSS score: 0.08% | Published: 2021-06-30 | Updated: 2023-10-25
A server-side request forgery vulnerability exists in Jenkins CAS Plugin 1.4.1 and earlier in CasSecurityRealm.java that allows attackers with Overall/Read permission to cause Jenkins to send a GET request to an attacker-specified URL.
Max CVSS: 5.5 | EPSS score: 0.05% | Published: 2018-06-05 | Updated: 2018-07-18
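Both the open-redirect entry (1.6.0 and earlier) and the SSRF entry above come down to deciding whether a user-supplied URL may be acted on: in the first case whether the browser may be sent there after login, in the second whether Jenkins itself may fetch it. The page does not say what check the plugin actually used, so the code below is an added example of the bug class, not the plugin's code. It shows why a string-prefix test on the Jenkins root URL is unsafe, compares parsed origins instead, and, for the server-side fetch, additionally requires administrator permission and rejects non-http(s) schemes and internal address literals. The host names (jenkins.example.com, cas.example.com) and the `caller_is_admin` flag are assumptions made for the example; in Jenkins the base URL would be the configured Jenkins root URL and the permission check the plugin's own.

```python
import ipaddress
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """(scheme, host, port) of a plain http(s) URL, with a lowercase host and
    the default port filled in; None for anything else or for unparseable ports."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    try:
        port = parts.port          # ValueError on garbage such as ":443x"
    except ValueError:
        return None
    return scheme, parts.hostname.lower(), port or DEFAULT_PORTS[scheme]


def resolve_within(candidate, base_url):
    """Resolve `candidate` against `base_url`; return the absolute URL if it
    stays on the same origin and under the base path, else None.

    A prefix test such as candidate.startswith(base_url) accepts
    https://jenkins.example.com.evil.net/ and https://jenkins.example.com@evil.net/
    for the base https://jenkins.example.com/; comparing parsed origins does not.
    """
    if not candidate or "\\" in candidate or "\r" in candidate or "\n" in candidate:
        # Browsers treat "/\evil.net" like "//evil.net"; CR/LF would split headers.
        return None
    absolute = urljoin(base_url, candidate)   # "//evil.net/x" -> https://evil.net/x
    base, target = urlsplit(base_url), urlsplit(absolute)
    if origin_of(absolute) is None or origin_of(absolute) != origin_of(base_url):
        return None
    base_path = base.path if base.path.endswith("/") else base.path + "/"
    if not (target.path + "/").startswith(base_path):
        return None               # "/jenkinsfoo" is not under "/jenkins/"
    return absolute


def post_login_redirect(requested, jenkins_root):
    """Where to send the browser after CAS login: the requested page if it is
    on this Jenkins instance, otherwise the Jenkins root."""
    return resolve_within(requested, jenkins_root) or jenkins_root


def is_public_host(host):
    """False for 'localhost' and loopback/private/link-local IP literals.
    A DNS name is passed through; resolving it and re-checking the resolved
    address is left out so the example runs offline."""
    if host == "localhost":
        return False
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return True


def permitted_server_fetch(url, caller_is_admin):
    """Guard for a server-side GET triggered by user input, such as a
    'check this CAS server URL' form field: administrators only, http(s)
    only, and no internal address literals."""
    if not caller_is_admin:
        return False
    origin = origin_of(url)
    return origin is not None and is_public_host(origin[1])
```

`post_login_redirect` returns the resolved absolute URL rather than the raw parameter, so the Location header the browser receives is the form that was validated. `permitted_server_fetch` is a pre-check only: the HTTP client used for the fetch must also refuse to follow redirects (or re-run the check on each hop), since an allowed public host can otherwise redirect Jenkins to an internal address.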
3 vulnerabilities found