The Jenkins Themis Plugin is a plugin for the popular continuous integration and continuous deployment (CI/CD) tool Jenkins. It allows users to securely authenticate with external systems using SAML (Security Assertion Markup Language). However, this vulnerability allows attackers to trick users into connecting to an attacker-specified HTTP server, potentially leading to unauthorized access to sensitive data.
You're affected if you use the Jenkins Themis Plugin version 1.4.1 or earlier. To check if your plugin is affected, run the following command: jelly -version | grep "Themis" (Note: This command may not work for all users, and it's recommended to consult with a Jenkins administrator or IT department for accurate verification).
This is the Jenkins Themis Plugin, NOT the SAML Plugin. If you don't recognize this name, you're probably not affected.
To fix this vulnerability, upgrade your Jenkins Themis Plugin to version 1.4.2 or later. You can download the latest version from the Jenkins website: https://www.jenkins.io/download/
Immediate mitigations: