The Google Login plugin up to and including version 1.1 did not correctly ensure that the user logging in is in the correct domain when using the option Google Apps Domain, allowing malicious users to log in to Jenkins instances using any Google account.
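Added here as an illustration, not code from the Google Login plugin: the kind of domain check a Google Apps Domain option must enforce before a sign-in is accepted, assuming the identity provider's userinfo response carries Google's `hd` (hosted domain) claim for Workspace accounts and an `email_verified` flag.

```python
"""Domain check for a Google OAuth2 / OpenID Connect login.

Assumed for this example (not the plugin's own code): the provider returns a
claims dict with 'email', 'email_verified' and, for Google Workspace accounts
only, an 'hd' claim naming the account's hosted domain.
"""
from typing import Iterable, Optional


def _normalise(domain: str) -> str:
    return domain.strip().lower().rstrip(".")


def domain_allowed(claims: dict, configured_domains: Optional[Iterable[str]]) -> bool:
    """Return True only if the signed-in account belongs to a configured domain.

    With no domain configured the option is off and any Google account may log
    in; with a domain configured, every account outside it must be rejected.
    """
    allowed = {_normalise(d) for d in (configured_domains or []) if d.strip()}
    if not allowed:
        return True

    # Require a verified e-mail so an unverified address cannot be presented
    # as evidence of anything.
    if claims.get("email_verified") is not True:
        return False

    # Consumer accounts carry no 'hd' claim. Reject them outright instead of
    # guessing from the e-mail suffix: only 'hd' states the Workspace domain.
    hd = claims.get("hd")
    if not isinstance(hd, str) or not hd.strip():
        return False

    # Exact, normalised match; substring or prefix matching would let
    # "corp.example.attacker.test" pass for "corp.example".
    return _normalise(hd) in allowed
```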


Google Login plugin version 1.1 and earlier


The severity is rated medium. While the attacker will be able to successfully authenticate to any network-reachable Jenkins instance using the Google Login plugin, it will depend on the configuration of permissions, specifically the authenticated group, what the impact on confidentiality and integrity is.


Update the Google Login Plugin to version 1.2 or higher. If it's not available in the plugin manager, update the plugin list by pressing Check Now. Alternatively, download the plugin file from the update site and install it in Manage Jenkins » Manage Plugins » Advanced.



The Jenkins project would like to thank Wes Wineberg for reporting this security issue.
