Severity: MEDIUM (CVSS score 4.3)
GHSA-r8fj-rff6-f7h5
Jenkins Bitbucket OAuth Plugin does not restrict the redirect URL after login
Details
Jenkins Bitbucket OAuth Plugin 0.17 and earlier does not restrict the redirect URL after login.
This allows attackers to perform phishing attacks by having users go to a Jenkins URL that will forward them to a different site after successful authentication.
Bitbucket OAuth Plugin 0.18 only redirects to relative (Jenkins) URLs.
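The 0.18 fix described above accepts only relative (Jenkins) URLs as the post-login redirect target. The following is an added example, not code from the Bitbucket OAuth Plugin, written in Python rather than the plugin's Java to show the shape of such a check and the inputs it has to reject: absolute URLs, protocol-relative "//host" forms, backslash variants that browsers treat like "//", scheme smuggling through whitespace or control characters, and dot segments that could escape the application root. The context path JENKINS_ROOT, the function names and the sample targets are all constructed for this example.

```python
"""Post-login redirect validation: accept only paths inside this application.

Added example, not the Bitbucket OAuth Plugin's own code. Constructed context
path and sample inputs; the real plugin derives its root from Jenkins itself.
"""
from urllib.parse import urlsplit

JENKINS_ROOT = "/jenkins/"  # assumed context path, constructed for the example


def is_relative_app_url(target: str) -> bool:
    """Return True only if `target` is an absolute-path reference under JENKINS_ROOT.

    Everything else is rejected: empty strings, anything containing whitespace or
    control characters, URLs with a scheme or host (including "//host" and the
    backslash spelling "/\\host"), paths outside the root, and dot segments.
    """
    if not target:
        return False
    if any(c.isspace() or ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        return False  # whitespace/control chars can smuggle a scheme past parsers
    # Browsers treat a backslash as a forward slash here, so normalise first.
    candidate = target.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        return False  # absolute URL or protocol-relative "//host"
    path = parts.path
    if not path.startswith("/") or path.startswith("//"):
        return False  # must be an absolute-path reference on this origin
    if any(segment in (".", "..") for segment in path.split("/")):
        return False  # no traversal out of the application root
    root = JENKINS_ROOT.rstrip("/")
    return path == root or path.startswith(root + "/")


def safe_redirect_target(target: str, default: str = JENKINS_ROOT) -> str:
    """Return `target` if it passes validation, otherwise the application root."""
    return target if is_relative_app_url(target) else default


if __name__ == "__main__":
    # Constructed sample targets; the hostnames are placeholders.
    samples = [
        "/jenkins/job/demo/",          # accepted: relative Jenkins URL
        "/jenkins",                    # accepted: the root itself
        "https://attacker.example/",   # rejected: absolute URL
        "//attacker.example/",         # rejected: protocol-relative
        "/\\attacker.example/",        # rejected: backslash spelling of "//"
        "java\tscript:alert(1)",       # rejected: control character
        "/other/",                     # rejected: outside the root
        "/jenkins/../..//x",           # rejected: dot segments
    ]
    for sample in samples:
        verdict = "accept" if is_relative_app_url(sample) else "reject -> " + safe_redirect_target(sample)
        print(f"{sample!r:32} {verdict}")
```

The decision is made on the parsed path rather than the raw string so that a query string or fragment after the path does not affect the root comparison, and the fallback on rejection is the application root rather than an error, which keeps the login flow working while removing the attacker-controlled destination.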
Affected packages
Maven / org.jenkins-ci.plugins:bitbucket-oauth
Introduced in: 0
Fixed in: 0.18
Fix:
# pom.xml: bump <version>0.18</version> for org.jenkins-ci.plugins:bitbucket-oauth