Lucene search
K
JenkinsRecent

1464 matches found

Jenkins Security Advisories
Jenkins Security Advisories
•added 2025/07/09 12:0 a.m.•4 views

Tokens stored in plain text by ibm-cloud-devops

ibm-cloud-devops 2.0.16 and earlier stores SonarQube authentication tokens unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These tokens can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. As of...

6.5CVSS6.4AI score0.00208EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2025/07/09 12:0 a.m.•6 views

API key stored in plain text by kryptowire

kryptowire 0.2 and earlier stores the Kryptowire API key unencrypted in its global configuration file org.aerogear.kryptowire.GlobalConfigurationImpl.xml on the Jenkins controller as part of its configuration. This API key can be viewed by users with access to the Jenkins controller file system. ...

6.5CVSS6.4AI score0.00259EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2025/07/09 12:0 a.m.•5 views

Token stored and displayed in plain text by xooa

xooa 0.0.7 and earlier stores the Xooa Deployment token unencrypted in its global configuration file io.jenkins.plugins.xooa.GlobConfig.xml on the Jenkins controller as part of its configuration. This token can be viewed by users with access to the Jenkins controller file system. Additionally, th...

6.5CVSS5.9AI score0.00252EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2025/07/09 12:0 a.m.•5 views

Token stored in plain text by user1st-utester

user1st-utester 1.1 and earlier stores the uTester JWT token unencrypted in its global configuration file io.jenkins.plugins.user1st.utester.UTesterPlugin.xml on the Jenkins controller as part of its configuration. This token can be viewed by users with access to the Jenkins controller file syste...

6.5CVSS6.4AI score0.00196EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2025/07/09 12:0 a.m.•5 views

File path information disclosure in htmlpublisher

htmlpublisher 425 and earlier displays log messages that include the absolute paths of files archived during the Publish HTML reports post-build step, exposing information about the Jenkins controller file system in the build log. htmlpublisher 427 displays only the parent directory name of files...

6.3CVSS6.4AI score0.00413EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2025/06/06 12:0 a.m.•5 views

XSS vulnerability in gatling

gatling 136.vb9009b3d33ae serves Gatling reports in a manner that bypasses the Content-Security-Policy protection introduced in Jenkins 1.641 and 1.625.3. This results in a cross-site scripting XSS vulnerability exploitable by users able to change report content. As of publication of this advisor...

8CVSS4.9AI score0.00444EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2025/05/14 12:0 a.m.•5 views

Stored XSS vulnerability in cloudbees-jenkins-advisor

cloudbees-jenkins-advisor 374.v194bd4f0c8c8 and earlier does not escape responses from the Jenkins Health Advisor server. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to control Jenkins Health Advisor server responses. cloudbees-jenkins-advisor...

8.8CVSS4.9AI score0.00495EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2025/05/14 12:0 a.m.•5 views

Insufficient validation of claims in oidc-provider

In oidc-provider, claim templates can use environment variables for jobs and builds for dynamic content. The default claim template for build ID tokens uses the JOBURL environment variable for the sub Subject claim. In oidc-provider 96.vee8ed882ec4d and earlier the generation of build ID Tokens...

9.1CVSS8.7AI score0.00609EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2025/05/14 12:0 a.m.•5 views

CSRF vulnerability and missing permission checks in vmanager-plugin

vmanager-plugin 4.0.1-286.v9e25a740ba48 and earlier does not perform permission checks in methods implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified username and password. Additionally, these form...

4.3CVSS5.1AI score0.00292EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2025/05/14 12:0 a.m.•5 views

SSL/TLS certificate validation unconditionally disabled by dingding-notifications

dingding-notifications 2.7.3 and earlier unconditionally disables SSL/TLS certificate and hostname validation for connections to the configured DingTalk webhooks. As of publication of this advisory, there is no fix. Learn why we announce this...

5.9CVSS5.2AI score0.00199EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2025/05/14 12:0 a.m.•5 views

Authentication bypass vulnerability in WSO2 Oauth

In WSO2 Oauth 1.0 and earlier authentication claims are accepted without validation by the "WSO2 Oauth" security realm. This allows unauthenticated attackers to log in to controllers using this security realm using any username and any password, including usernames that do not exist. Sessions...

9.8CVSS8.7AI score0.00616EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2025/04/10 12:0 a.m.•5 views

Host key reuse in SSH build agent Docker images

The https://hub.docker.com/r/jenkins/ssh-agentjenkins/ssh-agent and deprecated https://hub.docker.com/r/jenkins/ssh-slavejenkins/ssh-slave Docker images can be used to set up a build agent for use via the SSH Build Agents plugin. In jenkins/ssh-agent 6.11.1 and earlier and all versions of...

9.1CVSS8.2AI score0.00449EPSS
Exploits0
Jenkins Security Advisories
Jenkins Security Advisories
•added 2025/04/02 12:0 a.m.•5 views

API keys stored and displayed in plain text by asakusa-satellite-plugin

asakusa-satellite-plugin 0.1.1 and earlier stores AsakusaSatellite API keys unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These API keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system...

5.5CVSS5.6AI score0.00276EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2025/04/02 12:0 a.m.•5 views

Passwords stored in plain text by monitor-remote-job

monitor-remote-job 1.0 stores passwords unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These passwords can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. As of publication of this advisory, there ...

5.5CVSS5.6AI score0.00276EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2025/04/02 12:0 a.m.•6 views

API keys stored in plain text by stackhammer

stackhammer 1.0.6 and earlier stores Stack Hammer API keys unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These API keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. As of publication of thi...

5.5CVSS5.6AI score0.00276EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2025/04/02 12:0 a.m.•4 views

Missing permission check allows retrieving agent configurations

Jenkins 2.503 and earlier, LTS 2.492.2 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Agent/Create permission but without Agent/Extended Read permission to copy an agent, gaining access to its configuration. Jenkins 2.504, LTS 2.492.3 requires...

4.3CVSS5.9AI score0.0039EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2025/04/02 12:0 a.m.•6 views

API keys stored in plain text by vmanager-plugin

vmanager-plugin 4.0.0-282.v5096ac2db275 and earlier stores Verisium Manager vAPI keys unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These API keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file syste...

4.3CVSS5.1AI score0.00302EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2025/04/02 12:0 a.m.•7 views

Missing permission check allows retrieving secrets from agent configurations

Jenkins 2.503 and earlier, LTS 2.492.2 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Agent/Create permission but without Agent/Configure permission to copy an agent, gaining access to encrypted secrets in its configuration. NOTE: This is due to an...

4.3CVSS6.2AI score0.00375EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2025/04/02 12:0 a.m.•5 views

Script Security sandbox bypass vulnerability through folder-scoped libraries in templating-engine

templating-engine allows defining libraries both in the global configuration, as well as scoped to folders containing the pipelines using them. While libraries in the global configuration can only be set up by administrators and can therefore be trusted, libraries defined in folders can be...

8.8CVSS8.4AI score0.01171EPSS
Exploits1Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2025/04/02 12:0 a.m.•4 views

CSRF vulnerability in simple-queue

simple-queue 1.4.6 and earlier does not require POST requests for multiple HTTP endpoints, resulting in cross-site request forgery CSRF vulnerabilities. These vulnerabilities allow attackers to change and reset the build queue order. simple-queue 1.4.7 requires POST requests for the affected HTTP...

4.3CVSS5.2AI score0.00249EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2025/03/19 12:0 a.m.•6 views

EdDSA implementation in eddsa-api exhibits signature malleability

eddsa-api makes the EdDSA-Java library ed25519-java available to other plugins. eddsa-api 0.3.0-13.v7cb69ed68f00 and earlier bundles version 0.3.0 of EdDSA-Java, which exhibits signature malleability and does not satisfy the SUF-CMA Strong Existential Unforgeability under Chosen Message Attacks...

4.3CVSS6AI score0.00133EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2025/03/19 12:0 a.m.•5 views

Stored XSS vulnerability in AnchorChain

AnchorChain 1.0 does not limit URL schemes for links it creates based on workspace content, allowing the javascript: scheme. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to control the input file for the Anchor Chain post-build step. As of...

8CVSS4.9AI score0.00274EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2025/03/19 12:0 a.m.•6 views

API key displayed without masking by zohoqengine

zohoqengine stores the QEngine API Key in job config.xml files on the Jenkins controller as part of its configuration. While this key is stored encrypted on disk, in zohoqengine 1.0.29.vfacc23396502 and earlier the job configuration form does not mask the QEngine API Key form field, increasing th...

3.1CVSS5.2AI score0.00261EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2025/03/05 12:0 a.m.•8 views

Encrypted values of secrets stored in view configuration revealed to users with View/Read permission

Jenkins 2.499 and earlier, LTS 2.492.1 and earlier does not redact encrypted values of secrets when accessing config.xml of views via REST API or CLI. This allows attackers with View/Read permission to view encrypted values of secrets. NOTE: This issue is related to SECURITY-266 in the 2016-05-11...

4.3CVSS6AI score0.00298EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2025/03/05 12:0 a.m.•13 views

CSRF vulnerability

Jenkins 2.499 and earlier, LTS 2.492.1 and earlier does not require POST requests for the HTTP endpoint toggling collapsed/expanded status of sidepanel widgets e.g., Build Queue and Build Executor Status widgets, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability...

5.4CVSS5.5AI score0.0041EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2025/03/05 12:0 a.m.•7 views

Open redirect vulnerability

Various features in Jenkins redirect users to partially user-controlled URLs inside Jenkins. To prevent open redirect vulnerabilities, Jenkins limits redirections to safe URLs neither absolute nor scheme-relative/network-path reference. In Jenkins 2.499 and earlier, LTS 2.492.1 and earlier,...

4.3CVSS5AI score0.00581EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2025/03/05 12:0 a.m.•5 views

Encrypted values of secrets stored in agent configuration revealed to users with Agent/Extended Read permission

Jenkins 2.499 and earlier, LTS 2.492.1 and earlier does not redact encrypted values of secrets when accessing config.xml of agents via REST API or CLI. This allows attackers with Agent/Extended Read permission to view encrypted values of secrets. NOTE: This issue is related to SECURITY-266 in the...

4.3CVSS6AI score0.00684EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2025/01/22 12:0 a.m.•5 views

atlassian-bitbucket-server-integration allows bypassing CSRF protection for any URL

An extension point in Jenkins allows selectively disabling cross-site request forgery CSRF protection for specific URLs. atlassian-bitbucket-server-integration implements this extension point to support OAuth 1.0 authentication. In atlassian-bitbucket-server-integration 2.1.0 through 4.1.3 both...

8.8CVSS7.8AI score0.00285EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2025/01/22 12:0 a.m.•5 views

Improper handling of case sensitivity in oic-auth

oic-auth 4.452.v2849bd3945fa and earlier, except 4.438.440.v3f5f201de5dc, treats usernames as case-insensitive. On a Jenkins instance configured with a case-sensitive OpenID Connect provider, this allows attackers to log in as any user by providing a username that differs only in letter case,...

8.8CVSS5.2AI score0.0053EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2025/01/22 12:0 a.m.•5 views

Incorrect permission check in gitlab-plugin allows enumerating credentials IDs

gitlab-plugin 1.9.6 and earlier does not correctly perform a permission check in an HTTP endpoint. This allows attackers with global Item/Configure permission while lacking Item/Configure permission on any particular job to enumerate credential IDs of GitLab API token credentials and Secret text...

4.3CVSS5.1AI score0.00288EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2025/01/22 12:0 a.m.•8 views

Tokens displayed without masking by zoom

zoom requires Zoom integration tokens for Zoom Build Notifier post-build actions. In zoom 1.5 and earlier the job configuration form does not mask these tokens, increasing the potential for attackers to observe and capture them. zoom 1.6 masks Zoom integration tokens displayed on the job...

3.1CVSS5.2AI score0.00167EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2025/01/22 12:0 a.m.•5 views

Cache confusion in eiffel-broadcaster

eiffel-broadcaster allows events published to RabbitMQ to be signed using certificate credentials. To improve performance, the plugin caches some data from the credential. eiffel-broadcaster 2.8.0 through 2.10.2 both inclusive uses the credential ID as the cache key. This allows attackers able to...

4.3CVSS5.2AI score0.00292EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2025/01/22 12:0 a.m.•9 views

Disabled permissions can be granted by folder-auth

folder-auth 217.vd5b18537403e and earlier does not verify that permissions configured to be granted are enabled. This may allow users formerly granted typically optional permissions, like Overall/Manage to access functionality they're no longer entitled to. As of publication of this advisory, the...

6.8CVSS5.1AI score0.00302EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2025/01/22 12:0 a.m.•5 views

Tokens stored in plain text by zoom

zoom 1.3 and earlier stores Zoom integration tokens unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These tokens can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. zoom 1.4 stores Zoom integration...

4.3CVSS5.3AI score0.00264EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2025/01/22 12:0 a.m.•13 views

CSRF vulnerability and missing permission checks in service-fabric

service-fabric 1.6 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to enumerate credentials IDs of Azure credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another...

4.3CVSS5.1AI score0.00288EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2024/11/27 12:0 a.m.•5 views

Stored XSS vulnerability in simple-queue

simple-queue 1.4.4 and earlier does not escape the view name. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with View/Create permission. simple-queue 1.4.5 escapes the view name...

8CVSS4.9AI score0.77461EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2024/11/27 12:0 a.m.•5 views

Denial of service vulnerability in bundled json-lib

Jenkins uses the library https://github.com/jenkinsci/json-liborg.kohsuke.stapler:json-lib to process JSON. This library is the Jenkins project's fork of https://search.maven.org/artifact/net.sf.json-lib/json-libnet.sf.json-lib:json-lib, which has since been renamed to...

7.5CVSS5.2AI score0.15413EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2024/11/27 12:0 a.m.•15 views

Path traversal vulnerability in filesystem-list-parameter-plugin

filesystem-list-parameter-plugin 0.0.14 and earlier does not restrict the path used for the File system objects list Parameter. This allows attackers with Item/Configure permission to enumerate file names on the Jenkins controller file system. filesystem-list-parameter-plugin 0.0.15 ensures that...

4.3CVSS5.3AI score0.00812EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2024/11/13 12:0 a.m.•6 views

Missing permission check in script-security

script-security 1367.vdf2fc45f229c and earlier, except 1365.1367.va3bb89f8a95b and 1362.1364.v4cf2dc5d8776, does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to check for the existence of files on the controller file...

4.3CVSS5AI score0.0036EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2024/11/13 12:0 a.m.•4 views

Rebuilding a run with revoked script approval allowed by workflow-cps

workflow-cps 3990.vd281dd77a388 and earlier, except 3975.3977.v478dd9e956c3, does not check whether the main Jenkinsfile script for a rebuilt build is approved. This allows attackers with Item/Build permission to rebuild a previous build whose Jenkinsfile script is no longer approved. NOTE: This...

8CVSS7.6AI score0.0044EPSS
Exploits1Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2024/11/13 12:0 a.m.•5 views

Restarting a run with revoked script approval allowed by pipeline-model-definition

pipeline-model-definition 2.2214.vbb34b2ea9b83 and earlier does not check whether the main Jenkinsfile script used to restart a build from a specific stage is approved. This allows attackers with Item/Build permission to restart a previous build whose Jenkinsfile script is no longer approved. NOT...

8CVSS7.6AI score0.00567EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2024/11/13 12:0 a.m.•4 views

Session fixation vulnerability in oic-auth

oic-auth 4.418.vccc7061f5b6d and earlier does not invalidate the existing session on login. This allows attackers to use social engineering techniques to gain administrator access to Jenkins. oic-auth 4.421.v5422614ebe0a invalidates the existing session on login...

8.8CVSS5.2AI score0.00613EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2024/11/13 12:0 a.m.•9 views

XXE vulnerability in ivytrigger

ivytrigger 1.01 and earlier bundles versions of Apache Ivy vulnerable to CVE-2022-46751. This allows attackers able to control the input files for the "IvyTrigger - Poll with an Ivy script" build trigger to have Jenkins parse a crafted XML document that uses external entities for extraction of...

8.2CVSS7.5AI score0.01855EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2024/11/13 12:0 a.m.•9 views

Script security sandbox bypass vulnerability in shared-library-version-override

shared-library-version-override 17.v786074c9fce7 and earlier declares folder-scoped library overrides as trusted, so that they're not executed in the Script Security sandbox. This allows attackers with Item/Configure permission on a folder to configure a folder-scoped library override that runs...

8.8CVSS5.2AI score0.00518EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2024/11/13 12:0 a.m.•10 views

Stored XSS vulnerability in authorize-project

authorize-project 1.7.2 and earlier evaluates a string containing the job name with JavaScript on the Authorization view. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure permission. authorize-project 1.8.0 no longer evaluates a string...

8CVSS4.9AI score0.00668EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2024/10/02 12:0 a.m.•10 views

Exposure of multi-line secrets through error messages in Jenkins

Jenkins provides the secretTextarea form field for multi-line secrets. Jenkins 2.478 and earlier, LTS 2.462.2 and earlier does not redact multi-line secret values in error messages generated for form submissions involving the secretTextarea form field. This can result in exposure of multi-line...

4.3CVSS5.9AI score0.0084EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2024/10/02 12:0 a.m.•4 views

Item creation restriction bypass vulnerability in Jenkins

Jenkins provides APIs for fine-grained control of item creation: Authorization strategies can prohibit the creation of items of a given type in a given item group ACLhasCreatePermission2. Item types can prohibit creation of new instances in a given item group...

4.3CVSS6AI score0.00684EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2024/10/02 12:0 a.m.•18 views

Encrypted values of credentials revealed to users with Extended Read permission in credentials

credentials 1380.va435002fa924 and earlier, except 1371.1373.v4ebfab7161e9, does not redact encrypted values of credentials using the SecretBytes type e.g., Certificate credentials, or Secret file credentials from Plain Credentials Plugin when accessing item config.xml via REST API or CLI. This...

7.5CVSS5.2AI score0.00583EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2024/10/02 12:0 a.m.•5 views

Lack of audience claim validation in oic-auth

oic-auth 4.354.v321ce67a1de8 and earlier does not check the aud Audience claim of an ID Token during its authentication flow, a value to verify the token is issued for the correct client. This vulnerability may allow attackers to subvert the authentication flow, potentially gaining administrator...

8.1CVSS5.3AI score0.00636EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2024/10/02 12:0 a.m.•4 views

Lack of issuer claim validation in oic-auth

oic-auth 4.354.v321ce67a1de8 and earlier does not check the iss Issuer claim of an ID Token during its authentication flow, a value that identifies the Originating Party IdP. This vulnerability may allow attackers to subvert the authentication flow, potentially gaining administrator access to...

8.1CVSS7.7AI score0.00636EPSS
Exploits0Affected Software1
Total number of security vulnerabilities1464