A server-side request forgery vulnerability exists in Jenkins CAS Plugin 1.4.1 and older in CasSecurityRealm.java that allows attackers with Overall/Read access to cause Jenkins to send a GET request to a specified URL.
CVSS: 5.4 | AI Score: 5.3 | EPSS: 0.001
Jenkins CAS Plugin 1.6.0 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins, allowing attackers to perform phishing attacks.
CVSS: 6.1 | AI Score: 6.3 | EPSS: 0.001
Jenkins CAS Plugin 1.6.2 and earlier does not invalidate the previous session on login.
CVSS: 8.8 | AI Score: 8.6 | EPSS: 0.002