CVE-2023-50771: 
Java vulnerability analysis and mitigation

CVE-2023-50771 affects the Jenkins OpenId Connect Authentication Plugin versions 2.6 and earlier. The vulnerability was discovered and disclosed on December 13, 2023, by Kevin Guerroudj of CloudBees, Inc. The issue is identified as SECURITY-2979 in Jenkins security tracking system and has been assigned a CVSS v3.1 base score of 6.1 (Medium) (Jenkins Advisory, NVD).

The vulnerability stems from improper validation of redirect URLs after login authentication. The plugin fails to correctly determine whether a redirect URL is legitimately pointing to Jenkins, creating a security weakness in the authentication flow. The vulnerability is classified as CWE-601: URL Redirection to Untrusted Site ('Open Redirect'). The CVSS v3.1 vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating network accessibility, low attack complexity, no privileges required, and user interaction required (NVD).

The vulnerability enables attackers to perform phishing attacks by manipulating users to visit a Jenkins URL that subsequently forwards them to a malicious site after successful authentication. This creates a significant risk for credential theft and social engineering attacks against Jenkins users (Jenkins Advisory).

As of the advisory publication date, no official fix is available for this vulnerability. The issue affects all versions of the OpenId Connect Authentication Plugin up to and including version 2.6 (Jenkins Advisory).