CloudBees Security Advisory 2011-10-28

Vulnerability in Jenkins OpenID plugin

This vulnerability allowed malicious users to assume the identity of arbitrary users without going through the proper OpenID authentication process, when configured with the SSO mode. This affects all the OpenID plugins up to and including 1.3.


CloudBees rates this vulnerability as critical , as it allows malicious users to impersonate the administrator of the system, gaining the full access to the system.


This issue has been fixed in the OpenID plugin 1.4. We recommend that you update your plugin to this version or later. If you don't see the update in your update center, you can download it manually and upload it to your Jenkins via the "advanced" tab of the update center.