Jenkins · Jenkins Google Login Plugin · CVE-2018-1000173
**Name of the Vulnerable Software and Affected Versions**
Jenkins Google Login Plugin versions 1.3 and older
**Description**
A session fixation vulnerability exists in the GoogleOAuth2SecurityRealm.java file, allowing unauthorized attackers to impersonate another user if they can control the pre-authentication session.
**Recommendations**
For Jenkins Google Login Plugin versions 1.3 and older, update to version 1.3.1 or newer, which invalidates the previous session during login and creates a new one, thus addressing the issue.
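
The fix described above (invalidate the pre-login session, then create a new one) can be seen in a small model of a server-side session table. This is an added example, not code from the plugin; `SessionStore`, its methods, and the user name are hypothetical, and the model stands in for the servlet container's session handling.

```python
import secrets


class SessionStore:
    """Minimal server-side session table: session id -> attribute dict."""

    def __init__(self):
        self._sessions = {}

    def create(self):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {}
        return sid

    def invalidate(self, sid):
        self._sessions.pop(sid, None)

    def user_for(self, sid):
        return self._sessions.get(sid, {}).get("user")

    def login_without_rotation(self, sid, user):
        # Weak pattern: the pre-authentication id keeps working after login.
        self._sessions[sid]["user"] = user
        return sid

    def login_with_rotation(self, sid, user):
        # Hardened pattern: drop the pre-authentication session, issue a new id.
        self.invalidate(sid)
        new_sid = self.create()
        self._sessions[new_sid]["user"] = user
        return new_sid


def fixed_id_is_authenticated(login_name):
    """Return True if an id that existed before login identifies the user afterwards."""
    store = SessionStore()
    pre_auth_sid = store.create()      # id that someone else may already know
    login = getattr(store, login_name)
    login(pre_auth_sid, "alice")       # constructed user name
    return store.user_for(pre_auth_sid) == "alice"


if __name__ == "__main__":
    print("without rotation:", fixed_id_is_authenticated("login_without_rotation"))
    print("with rotation:   ", fixed_id_is_authenticated("login_with_rotation"))
```

The same check works as a regression test for any login flow: record the session id before authentication and confirm it no longer maps to a user afterwards.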