CVE-2015-5298

Issue

The Google Login plugin up to and including version 1.1 did not correctly verify that the account logging in belongs to the configured domain when the Google Apps Domain option is set. As a result, anyone with any Google account could log in to Jenkins instances that rely on this option to restrict access.
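The class of bug described above, as an added illustrative example in Python. This is not the plugin's code and does not reproduce its actual implementation: it contrasts a login flow that only passes the domain to Google as a hint with one that verifies the hosted-domain field (`hd`) Google returns for Google Apps accounts after authentication. The configured domain, the sample userinfo dictionaries and the client ID are constructed for the example.

```python
"""Illustrative Google Apps domain check (added example, not the plugin's code).

Google's OAuth authorization request accepts an `hd` parameter, but it only
steers the account chooser; Google does not refuse accounts from other domains
on the strength of it. The authenticated account's domain must therefore be
checked on the way back, using the `hd` field of the userinfo / ID-token
response. Consumer accounts (gmail.com) carry no `hd` field at all.
"""
from urllib.parse import urlencode

# Assumed value of the "Google Apps Domain" option for this example.
CONFIGURED_DOMAIN = "example.com"

# Constructed sample userinfo responses, in the shape Google returns them.
WORKSPACE_USER = {"email": "alice@example.com", "email_verified": True,
                  "hd": "example.com"}
CONSUMER_USER = {"email": "mallory@gmail.com", "email_verified": True}
LOOKALIKE_USER = {"email": "mallory@example.com.evil.net", "email_verified": True,
                  "hd": "example.com.evil.net"}
UNVERIFIED_USER = {"email": "root@example.com", "email_verified": False,
                   "hd": "example.com"}


def build_auth_url(domain, client_id="hypothetical-client-id"):
    """Build the authorization request. The `hd` parameter is a UI hint only."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "scope": "openid email",
        "hd": domain,
    }
    return "https://accounts.google.com/o/oauth2/v2/auth?" + urlencode(params)


def vulnerable_is_allowed(userinfo, domain):
    """Vulnerable pattern: trusts the `hd` hint sent in build_auth_url() and
    accepts whatever account Google authenticated. `domain` is never consulted."""
    return userinfo.get("email") is not None


def hardened_is_allowed(userinfo, domain):
    """Hardened pattern: the returned account must belong to the configured domain."""
    if domain is None:
        return True  # no domain restriction configured
    wanted = domain.lower()
    hd = userinfo.get("hd")
    if hd is None:
        return False  # consumer account: no hosted domain at all
    if hd.lower() != wanted:
        return False  # exact match, so example.com.evil.net is rejected
    if not userinfo.get("email_verified", False):
        return False  # do not map an unverified address to a Jenkins user
    email = userinfo.get("email", "").lower()
    return email.endswith("@" + wanted)


def login_decisions(domain=CONFIGURED_DOMAIN):
    """Run every sample account through both checks; returns {label: (vuln, hardened)}."""
    samples = {
        "workspace": WORKSPACE_USER,
        "consumer": CONSUMER_USER,
        "lookalike": LOOKALIKE_USER,
        "unverified": UNVERIFIED_USER,
    }
    return {label: (vulnerable_is_allowed(u, domain), hardened_is_allowed(u, domain))
            for label, u in samples.items()}


if __name__ == "__main__":
    print(build_auth_url(CONFIGURED_DOMAIN))
    for label, (vuln, hard) in login_decisions().items():
        print(f"{label:10s} vulnerable={vuln!s:5s} hardened={hard}")
```

The hardened check compares the whole `hd` value rather than testing a suffix, which is what keeps a look-alike domain out, and it refuses accounts without `hd` instead of falling back to the e-mail address. In a real deployment the `hd` value should be read from a signature-verified ID token or from the userinfo endpoint over TLS, never from a client-supplied parameter.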

Environment

Google Login plugin version 1.1 and earlier

Severity

The severity is rated medium. An attacker can successfully authenticate to any network-reachable Jenkins instance that uses the Google Login plugin with the Google Apps Domain option, but the impact on confidentiality and integrity depends on the permissions granted to logged-in users, specifically to the authenticated group. If that group holds permissions such as Job/Configure or Overall/Administer, the attacker can define build steps and thereby run arbitrary code on the Jenkins controller or its agents.

Resolution

Update the Google Login Plugin to version 1.2 or later. If it is not yet offered in the plugin manager, press Check Now to refresh the update metadata. Alternatively, download the plugin file from the update site and install it via Manage Jenkins » Manage Plugins » Advanced.

Credit

The Jenkins project would like to thank Wes Wineberg for reporting this security issue.