RELEASED: Public: 2020-05-26
Open Redirect vulnerability on the Single Sign-On (SSO) process (CTR-1483)
As part of the SSO process, the CloudBees Jenkins Operations Center (CJOC) redirects the user to the controller URL to finish the SSO process. The controller was vulnerable to Host header injection: the redirect target was derived from the request's Host header, which an attacker controls, resulting in an Open Redirect vulnerability that could allow an attacker to steal a victim's SSO session.
This issue is due to an incomplete fix of CTR-1098, announced in the 2020-03-09 Security Advisory and wrongly called "CSRF in Authentication Mechanism in SSO". The vulnerability was not CSRF, but an Open Redirect vulnerability.
Controllers now only accept SSO requests whose Host header (or X-Forwarded-Host header, when present) matches the configured Jenkins Root URL. Any request carrying a different host is redirected to the configured Jenkins Root URL instead of the requested one.
This check can be disabled in the Operations Center by setting the property com.cloudbees.opscenter.server.sso.SSOConfiguration.masterRootURLStrictCheckingDisabled=true, but doing so makes the product insecure again, so it should only be used as a temporary workaround. See Disabling the verification of the Jenkins Root URL for more information.
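The following is an added, illustrative example of the two behaviours described above (it is not CloudBees' code, and the SSO path, header values and root URL it uses are constructed for the example). With strict=False the redirect host is copied from the request, which is the Open Redirect; with strict=True the Host (or X-Forwarded-Host) value must match the configured root URL after normalising case and default ports, and any mismatch, malformed value, or protocol-relative path falls back to the root URL.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def split_authority(scheme, authority):
    """Normalise a host[:port] value so that 'Jenkins.Example.com' and
    'jenkins.example.com:443' compare equal when the scheme is https.
    Raises ValueError on an empty authority or a malformed port."""
    authority = authority.strip().lower()
    if not authority:
        raise ValueError("empty authority")
    # Bracketed IPv6 literal without a port, or a bare host name.
    if authority.endswith("]") or ":" not in authority:
        return authority, DEFAULT_PORTS[scheme]
    host, _, port = authority.rpartition(":")
    if not port.isdigit():
        raise ValueError("malformed port in %r" % authority)
    return host, int(port)


def requested_host(headers):
    """Host the client, or a proxy in front of it, says the request is for.
    X-Forwarded-Host wins over Host when present; both are attacker supplied
    unless a trusted reverse proxy overwrites them."""
    return headers.get("X-Forwarded-Host") or headers.get("Host", "")


def sso_redirect_target(root_url, headers, path, strict=True):
    """Absolute URL the controller redirects to at the end of the SSO hand-off.

    strict=False reproduces the vulnerable pattern (redirect host taken from
    the request). strict=True is the hardened pattern: the requested host must
    match the configured root URL, otherwise the user is sent to the root URL
    and the requested path is dropped. The path is assumed to already include
    any context path of the root URL (assumption made for this example)."""
    root = urlsplit(root_url)
    # A path not starting with exactly one "/" could be a protocol-relative
    # URL such as "//evil.example/...", which browsers treat as absolute.
    if not path.startswith("/") or path.startswith("//"):
        path = "/"
    host = requested_host(headers)
    if not strict:
        # Vulnerable: whoever controls Host/X-Forwarded-Host chooses where the
        # victim, together with whatever the path carries, is sent.
        return "%s://%s%s" % (root.scheme, host, path)
    try:
        if split_authority(root.scheme, host) == split_authority(root.scheme, root.netloc):
            return "%s://%s%s" % (root.scheme, root.netloc, path)
    except ValueError:
        pass  # unparsable authority is treated like a mismatch
    return root_url


if __name__ == "__main__":
    # Constructed request: a forged X-Forwarded-Host reaching the controller.
    forged = {"Host": "jenkins.example.com", "X-Forwarded-Host": "attacker.example"}
    print(sso_redirect_target("https://jenkins.example.com/", forged, "/sso/finish?token=abc", strict=False))
    print(sso_redirect_target("https://jenkins.example.com/", forged, "/sso/finish?token=abc"))
```

The comparison deliberately ignores the request's scheme and uses the root URL's scheme for both sides, since a reverse proxy terminating TLS routinely changes the scheme but not the host; the host and port are what decide where the browser ends up.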