MEDIUM 4.3

GHSA-r8fj-rff6-f7h5

Jenkins Bitbucket OAuth Plugin does not restrict the redirect URL after login

Details

Jenkins Bitbucket OAuth Plugin 0.17 and earlier does not restrict the redirect URL after login.

This allows attackers to perform phishing attacks by having users go to a Jenkins URL that will forward them to a different site after successful authentication.

Bitbucket OAuth Plugin 0.18 only redirects to relative (Jenkins) URLs.
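The defensive rule the fix applies, accepting only relative Jenkins URLs as the post-login destination, as an added example that is not the plugin's code. It assumes the requested destination arrives as a string (the parameter name is hypothetical) and rejects anything a browser would resolve to another host, including protocol-relative, backslash and tab/newline variants.

```python
from urllib.parse import urlsplit


def is_safe_post_login_redirect(target: str) -> bool:
    """Return True only for a path on this Jenkins instance.

    Rejected: absolute URLs (https://attacker.example/), protocol-relative
    URLs (//attacker.example/ and ///attacker.example/, which browsers treat
    alike), backslash forms (/\\attacker.example/) and strings containing
    tab/newline/whitespace, which browser URL parsers strip before parsing.
    """
    if not target:
        return False
    # Tabs and newlines are removed by browsers, so "/\t/host" becomes "//host".
    if any(ch.isspace() or ord(ch) < 0x20 for ch in target):
        return False
    # Browsers normalise "\" to "/", so "/\host" is another protocol-relative URL.
    if "\\" in target:
        return False
    parts = urlsplit(target)
    # Any scheme (https:, javascript:) or authority means an off-site target.
    if parts.scheme or parts.netloc:
        return False
    # Require an absolute path on this host; "//..." would be an authority.
    if not target.startswith("/") or target.startswith("//"):
        return False
    return True


def choose_redirect(requested: str, default: str = "/") -> str:
    """Pick the post-login destination: the request if safe, else the default."""
    return requested if is_safe_post_login_redirect(requested) else default


if __name__ == "__main__":
    # Constructed sample destinations a login handler might receive.
    samples = [
        "/job/build-pipeline/",
        "https://attacker.example/",
        "//attacker.example/",
        "///attacker.example/",
        "/\\attacker.example/",
        "/\t/attacker.example/",
        "javascript:alert(1)",
    ]
    for s in samples:
        print(f"{s!r:32} -> {choose_redirect(s)!r}")
```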


Affected packages

Maven / org.jenkins-ci.plugins:bitbucket-oauth
Introduced in: 0
Fixed in: 0.18
Fix: in pom.xml, bump <version>0.18</version> for org.jenkins-ci.plugins:bitbucket-oauth
