Hi

On Tue, Feb 27, 2024 at 7:49 AM 'Kevin Guerroudj' via Jenkins Developers
<[email protected]> wrote:
>
> Hi Michael,
>
> Indeed it seems you're right, OpenID 2.0 doesn't use a state parameter.
> However, you should still be able to implement a protection against this
> CSRF attack using the openid.return_to parameter.
> An optional parameter where the OpenID Provider should redirect the
> user-agent after authentication which can include additional context about
> the request by attaching query parameters
> (https://openid.net/specs/openid-authentication-2_0.html#positive_assertions).
>

return_to is mandatory to send in the openid protocol and I think that
verification is already in process for the redirect url

Michael

> On Friday, February 23, 2024 at 3:56:48 PM UTC+1 Michael Nazzareno Trimarchi
> wrote:
>>
>> Hi all
>>
>> I have a question about a vulnerability, in particular the
>> CSRF vulnerability in the OpenID Plugin.
>>
>> The openid does not use state in the protocol, so there is no concept of
>> it but a concept of nonce, and reading the openid 2.0 that is not
>> supposed to be. Can I know more information about it?
>>
>> Michael
>>
>> On Mon, Feb 19, 2024 at 2:19 PM Michael Nazzareno Trimarchi
>> <[email protected]> wrote:
>> >
>> > Hi Daniel, all
>> >
>> > On Mon, Feb 19, 2024 at 2:12 PM 'Daniel Beck' via Jenkins Developers
>> > <[email protected]> wrote:
>> > >
>> > >
>> > > On Sun, Feb 18, 2024 at 5:56 PM Adrien Lecharpentier
>> > > <[email protected]> wrote:
>> > >>
>> > >> Please note that the plugin has multiple public security issues. I'm
>> > >> sure the security team will require you to resolve them before any
>> > >> release can be deployed.
>> > >
>> > >
>> > > While we definitely prefer that (new) maintainers address unresolved
>> > > vulnerabilities as early as possible, we do not generally require that
>> > > for new releases, with two exceptions:
>> > >
>> > > * Plugins blocked from releasing because we identified a vulnerability
>> > > introduced since the latest release. Look for "releaseblock" in RPU for
>> > > examples.
>> > > * Unsuspending plugins. In terms of security, we consider that to be
>> > > similar to new plugin hosting, so to restore publication, we ask that
>> > > security issues (publicly known or not) be addressed first.
>> > >
>> > > For anything else, the security warnings shown in Jenkins and on the
>> > > plugins site will remain active even for new releases.
>> > >
>> > > Some (few) plugins are actively maintained while not addressing
>> > > previously announced security vulnerabilities. Administrators can make
>> > > an informed decision on whether they want to install (or keep installed)
>> > > such plugins.
>> > >
>> > > --
>> > > You received this message because you are subscribed to the Google
>> > > Groups "Jenkins Developers" group.
>> > > To unsubscribe from this group and stop receiving emails from it, send
>> > > an email to [email protected].
>> > > To view this discussion on the web visit
>> > > https://groups.google.com/d/msgid/jenkinsci-dev/CAMo7PtLDhhbUEHA-YvAARisdpvdAq59CC4Wkn8ET771bvoFSXw%40mail.gmail.com.
>> >
>> > Working to address vulnerabilities.
>> >
>> > Michael
>> >
>> >
>> > --
>> > Michael Nazzareno Trimarchi
>> > Co-Founder & Chief Executive Officer
>> > M. +39 347 913 2170
>> > [email protected]
>> > __________________________________
>> >
>> > Amarula Solutions BV
>> > Joop Geesinkweg 125, 1114 AB, Amsterdam, NL
>> > T. +31 (0)85 111 9172
>> > [email protected]
>> > www.amarulasolutions.com
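The mitigation Kevin describes (no `state` in OpenID 2.0, so bind the request to the browser session through a query parameter on `openid.return_to`) in working form, as an added example that is not code from this thread or from the Jenkins OpenID plugin. The parameter name `csrf_nonce`, the in-memory `session` dicts and the callback URL are assumptions; OP signature verification is left out. The relying-party side also checks that the asserted `openid.return_to` equals the URL actually requested and that `return_to` is among the signed fields, which is what makes the nonce covered by the provider's signature.

```python
"""Added example: session-bound nonce in openid.return_to as a login-CSRF
check for an OpenID 2.0 relying party. Not from the thread or the plugin."""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

NONCE_PARAM = "csrf_nonce"   # hypothetical query-parameter name (assumption)
SESSION_KEY = "openid_nonce"  # where the pending nonce lives in the session


def build_return_to(base_url: str, session: dict) -> str:
    """Append a fresh single-use nonce to return_to and remember it in the
    caller's session so the later callback can be tied to this browser."""
    nonce = secrets.token_urlsafe(32)
    session[SESSION_KEY] = nonce
    parts = urlsplit(base_url)
    query = parse_qs(parts.query, keep_blank_values=True)
    query[NONCE_PARAM] = [nonce]
    return urlunsplit(parts._replace(query=urlencode(query, doseq=True)))


def verify_return(callback_url: str, assertion: dict, session: dict) -> bool:
    """Checks on a positive assertion before establishing a login:
    1. mode is id_res and return_to is one of the signed fields;
    2. asserted return_to equals the URL this request actually hit
       (OpenID 2.0 spec, "Verifying the Return URL");
    3. the nonce in that URL matches the one pending in this session;
    4. the nonce is consumed, so the same assertion cannot be replayed.
    Verifying the OP signature itself is outside this example."""
    if assertion.get("openid.mode") != "id_res":
        return False
    if "return_to" not in assertion.get("openid.signed", "").split(","):
        return False
    if assertion.get("openid.return_to") != callback_url:
        return False
    expected = session.pop(SESSION_KEY, None)  # single use
    received = parse_qs(urlsplit(callback_url).query).get(NONCE_PARAM, [""])[0]
    if not expected or not received:
        return False
    return hmac.compare_digest(expected.encode(), received.encode())


SIGNED = "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle"
CALLBACK = "https://jenkins.example/openid/finish"  # constructed URL


def simulate() -> tuple:
    """Constructed flows: a legitimate round trip, a replay of it, and a
    callback that belongs to a different browser session (login CSRF).
    Returns (legit_ok, replay_ok, cross_session_ok)."""
    victim = {}
    return_to = build_return_to(CALLBACK, victim)
    # The OP redirects to exactly the return_to it was given and signs it.
    assertion = {"openid.mode": "id_res", "openid.signed": SIGNED,
                 "openid.return_to": return_to}
    legit_ok = verify_return(return_to, assertion, victim)
    replay_ok = verify_return(return_to, assertion, victim)  # nonce consumed

    # A flow started in another session carries that session's nonce; when
    # the victim's browser lands on it, the nonce does not match theirs.
    other = {}
    other_url = build_return_to(CALLBACK, other)
    other_assertion = {"openid.mode": "id_res", "openid.signed": SIGNED,
                       "openid.return_to": other_url}
    victim2 = {}
    build_return_to(CALLBACK, victim2)  # victim has its own pending nonce
    cross_session_ok = verify_return(other_url, other_assertion, victim2)
    return legit_ok, replay_ok, cross_session_ok


if __name__ == "__main__":
    print(simulate())
```

Because the provider includes `return_to` in `openid.signed`, the nonce travels inside a signed value, so the relying party only needs to compare it against the session and discard it after one use; the comparison is constant-time out of habit, though the nonce is not a secret once the callback has been issued.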
