Hi Michael,

Indeed, it seems you're right: OpenID 2.0 doesn't use a state parameter. However, it should still be possible to implement protection against this CSRF attack using the openid.return_to <https://openid.net/specs/openid-authentication-2_0.html#anchor27> parameter, an optional parameter to which the OpenID Provider should redirect the user-agent after authentication, and which can include additional context about the request by attaching query parameters (https://openid.net/specs/openid-authentication-2_0.html#positive_assertions).
On Friday, February 23, 2024 at 3:56:48 PM UTC+1 Michael Nazzareno Trimarchi wrote:
> Hi all
>
> I have a question about a vulnerability, in particular the
> CSRF vulnerability in OpenID Plugin.
>
> OpenID does not use state in the protocol, so there is no concept of
> it, but a concept of nonce, and reading the OpenID 2.0 that is not
> supposed to be. Can I know more information about it?
>
> Michael
>
> On Mon, Feb 19, 2024 at 2:19 PM Michael Nazzareno Trimarchi
> <[email protected]> wrote:
> >
> > Hi Daniel, all
> >
> > On Mon, Feb 19, 2024 at 2:12 PM 'Daniel Beck' via Jenkins Developers
> > <[email protected]> wrote:
> > >
> > > On Sun, Feb 18, 2024 at 5:56 PM Adrien Lecharpentier <[email protected]> wrote:
> > >>
> > >> Please note that the plugin has multiple public security issues. I'm sure the security team will require you to resolve them before any release can be deployed.
> > >
> > > While we definitely prefer that (new) maintainers address unresolved vulnerabilities as early as possible, we do not generally require that for new releases, with two exceptions:
> > >
> > > * Plugins blocked from releasing because we identified a vulnerability introduced since the latest release. Look for "releaseblock" in RPU for examples.
> > > * Unsuspending plugins. In terms of security, we consider that to be similar to new plugin hosting, so to restore publication, we ask that security issues (publicly known or not) be addressed first.
> > >
> > > For anything else, the security warnings shown in Jenkins and on the plugins site will remain active even for new releases.
> > >
> > > Some (few) plugins are actively maintained while not addressing previously announced security vulnerabilities. Administrators can make an informed decision on whether they want to install (or keep installed) such plugins.
> > >
> > > --
> > > You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
> > > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> > > To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CAMo7PtLDhhbUEHA-YvAARisdpvdAq59CC4Wkn8ET771bvoFSXw%40mail.gmail.com.
> >
> > Working to address vulnerabilities.
> >
> > Michael
> >
> > --
> > Michael Nazzareno Trimarchi
> > Co-Founder & Chief Executive Officer
> > M. +39 347 913 2170
> > [email protected]
> > __________________________________
> >
> > Amarula Solutions BV
> > Joop Geesinkweg 125, 1114 AB, Amsterdam, NL
> > T. +31 (0)85 111 9172
> > [email protected]
> > www.amarulasolutions.com
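The openid.return_to approach suggested at the top of this thread, as an added Python example (not code from the thread or from the Jenkins OpenID plugin): the Relying Party mints a session-bound token, carries it in return_to, and when the positive assertion comes back verifies both the return URL and the token. The in-memory session dict, the rp_csrf parameter name and RETURN_TO_BASE are assumptions; signature verification of the assertion is assumed to happen separately.

```python
# Added example, not code from the thread or the Jenkins OpenID plugin: binding an
# OpenID 2.0 login to the browser session via openid.return_to, since the protocol
# has no state parameter. `session` is a dict standing in for the Relying Party's
# server-side session store; RETURN_TO_BASE and rp_csrf are assumed names.
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

RETURN_TO_BASE = "https://rp.example/openid/finish"  # constructed, not a real endpoint


def build_return_to(session: dict) -> str:
    """Mint a per-login token, remember it server-side, and embed it in
    openid.return_to so the OP echoes it back in the positive assertion."""
    token = secrets.token_urlsafe(32)
    session["openid_csrf"] = token
    return RETURN_TO_BASE + "?" + urlencode({"rp_csrf": token})


def verify_positive_assertion(session: dict, request_url: str, params: dict) -> bool:
    """Checks the Relying Party makes on an id_res response before trusting it.
    `params` holds the decoded openid.* fields, `request_url` is the URL the
    user-agent actually hit. Signature verification (openid.sig, via the
    association or check_authentication) is assumed to happen elsewhere."""
    if params.get("openid.mode") != "id_res":
        return False
    # Positive assertions must list return_to among the signed fields, otherwise
    # the token it carries is not covered by the OP's signature.
    if "return_to" not in params.get("openid.signed", "").split(","):
        return False
    # "Verifying the Return URL": return_to must match the current request URL,
    # same scheme/host/path, and every return_to query parameter present with
    # the same value in the request.
    rt, rq = urlsplit(params.get("openid.return_to", "")), urlsplit(request_url)
    if (rt.scheme, rt.netloc, rt.path) != (rq.scheme, rq.netloc, rq.path):
        return False
    rt_q, rq_q = parse_qs(rt.query), parse_qs(rq.query)
    if any(rq_q.get(k) != v for k, v in rt_q.items()):
        return False
    # CSRF binding: the echoed token must equal the one minted for this
    # session, and it is consumed so the same assertion cannot be replayed.
    expected = session.pop("openid_csrf", None)
    presented = rt_q.get("rp_csrf", [None])[0]
    if expected is None or presented is None:
        return False
    return secrets.compare_digest(expected, presented)
```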
