Jenkins WSO2 Oauth Plugin 1.0 and earlier does not implement a state parameter in its OAuth flow, a unique and non-guessable value associated with each authentication request.

This vulnerability allows attackers to trick users into logging in to the attacker’s account.

As of publication of this advisory, there is no fix.

Affected Packages

Maven org.jenkins-ci.plugins:wso2id-oauth

Affected versions: 0 (last affected: 1.0)

Related CVEs

CVE-2023-33006

Key Information

GHSA ID

GHSA-7xgj-j9hp-c692

Published

May 16, 2023 6:30 PM

Last Modified

May 30, 2023 3:40 PM

CVSS Score

5.0 /10

Primary Ecosystem

Maven

Primary Package

org.jenkins-ci.plugins:wso2id-oauth

GitHub Reviewed

✓ Yes

Dataset

Last updated: August 24, 2025 6:28 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.