Jenkins Security Advisory 2015-10-12

This advisory announces a vulnerability in the Google Login Plugin.

Jenkins issue: SECURITY-208

CVE ID: CVE-2015-5298

Description

The Google Login Plugin (versions 1.0 and 1.1) allows malicious anonymous users to authenticate successfully against Jenkins instances that are supposed to be locked down to a particular Google Apps domain through client-side request modification.

Severity

CVE-2015-5298 is rated medium. While the attacker will be able to successfully authenticate to any network-reachable Jenkins instance using the Google Login plugin, it will depend on the configuration of permissions, specifically the authenticated group, what the impact on the system is.

Fix

Update the Google Login Plugin to version 1.2 or higher. If it’s not available in plugin manager, update it by pressing Check Now. Alternatively, download the plugin HPI file from the update site or the repository and install it by uploading in Manage Jenkins » Manage Plugins » Advanced.

Credit

The Jenkins project would like to thank Wes Wineberg for reporting this security issue.