PT-2018-9343 · Jenkins · Jenkins Google Login Plugin
Emeric Vernat
Published 2018-05-08 · Updated 2022-05-14
CVE-2018-1000173
CVSS v3.1
5.9
Medium
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Jenkins Google Login Plugin versions 1.3 and older
Description
A session fixation vulnerability exists in GoogleOAuth2SecurityRealm.java: the plugin completed the Google OAuth2 login without invalidating the session the browser already held, so the session ID that existed before authentication stayed valid and became the authenticated session. An attacker who can control a victim's pre-authentication session (for example by planting a session ID they know in the victim's browser) can therefore wait for the victim to log in through Google and then present that same session ID to impersonate the victim.
Recommendations
For Jenkins Google Login Plugin versions 1.3 and older, update to version 1.3.1 or newer. Starting with 1.3.1 the plugin invalidates the pre-authentication session during login and creates a new one, so a session ID fixed before login no longer carries the authenticated identity. After upgrading, confirm on a live instance that the session cookie value changes between the start of the Google login and the callback response.
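To make the description and the fix concrete, here is an added example (not code from the Jenkins Google Login Plugin or the Jenkins project) that models both behaviours in Python: a toy session store, a login that binds the OAuth2 identity to the session the browser already presented (the pre-1.3.1 behaviour as described above), a login that invalidates that session and issues a new one (the 1.3.1 behaviour), and a small helper for checking a live instance by comparing the session cookie the browser held before starting the login with the one set on the Google callback response. The session store, the user name and the session IDs are constructed for the example; the cookie-name prefix JSESSIONID is an assumption about the Jenkins session cookie, which Jenkins normally names JSESSIONID with a per-instance suffix.

```python
"""Session-fixation model for CVE-2018-1000173 plus a cookie-rotation check.

Added illustration, not plugin code. Session store, users and IDs are constructed.
"""
import secrets
from http.cookies import SimpleCookie
from typing import Callable, Dict, Optional


class SessionStore:
    """Minimal server-side session table (constructed for this example):
    maps a session id to the authenticated user, or None before login."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Optional[str]] = {}

    def new_session(self) -> str:
        sid = secrets.token_hex(16)
        self._sessions[sid] = None          # anonymous, pre-authentication
        return sid

    def invalidate(self, sid: str) -> None:
        self._sessions.pop(sid, None)

    def bind(self, sid: str, user: str) -> None:
        if sid not in self._sessions:
            raise KeyError("unknown session id")
        self._sessions[sid] = user

    def whoami(self, sid: str) -> Optional[str]:
        return self._sessions.get(sid)


LoginFn = Callable[[SessionStore, str, str], str]


def login_vulnerable(store: SessionStore, sid: str, user: str) -> str:
    """Modelled pre-1.3.1 behaviour: the identity returned by the OAuth2
    callback is bound to whatever session the browser already presented,
    so the pre-authentication session id survives login unchanged."""
    store.bind(sid, user)
    return sid


def login_fixed(store: SessionStore, sid: str, user: str) -> str:
    """Modelled 1.3.1 behaviour: the pre-authentication session is
    invalidated and a fresh id is issued before the identity is bound."""
    store.invalidate(sid)
    fresh = store.new_session()
    store.bind(fresh, user)
    return fresh


def attacker_impersonates_victim(login: LoginFn) -> bool:
    """Run the fixation flow against one login implementation.

    1. Attacker obtains a valid anonymous session id from the server.
    2. Attacker plants that id in the victim's browser (how is out of scope;
       the advisory only requires control of the pre-authentication session).
    3. Victim completes the Google login while carrying the planted id.
    4. Attacker presents the planted id and asks the server who they are.
    """
    store = SessionStore()
    planted = store.new_session()                       # step 1
    victim_cookie = planted                             # step 2
    login(store, victim_cookie, "victim@example.org")   # step 3
    return store.whoami(planted) == "victim@example.org"  # step 4


def _cookie_value(header: str, prefix: str) -> Optional[str]:
    """Return the value of the first cookie whose name starts with prefix."""
    jar = SimpleCookie(header)
    for name, morsel in jar.items():
        if name.startswith(prefix):
            return morsel.value
    return None


def session_rotated(pre_login_cookie: str, post_login_set_cookie: str,
                    prefix: str = "JSESSIONID") -> bool:
    """Live-instance check: compare the session cookie the browser sent when
    starting the login with the Set-Cookie header on the OAuth2 callback
    response. True means the id changed, i.e. fixation is mitigated.
    The JSESSIONID prefix is an assumption about the Jenkins cookie name."""
    before = _cookie_value(pre_login_cookie, prefix)
    after = _cookie_value(post_login_set_cookie, prefix)
    if before is None or after is None:
        return False
    return before != after


if __name__ == "__main__":
    print("vulnerable login lets attacker impersonate victim:",
          attacker_impersonates_victim(login_vulnerable))
    print("fixed login lets attacker impersonate victim:",
          attacker_impersonates_victim(login_fixed))
    # Constructed headers, as a tester would capture them in a proxy.
    print("session rotated:", session_rotated(
        "JSESSIONID.a1b2c3d4=old-id",
        "JSESSIONID.a1b2c3d4=new-id; Path=/; HttpOnly"))
```

The usable check is `session_rotated`: capture the Cookie header on the request that starts the Google login and the Set-Cookie header on the callback response, and expect the session value to differ after upgrading to 1.3.1 or newer. The two login functions only model the described behaviour; the attacker wins against `login_vulnerable` because the planted id is the one the identity gets bound to, and loses against `login_fixed` because that id no longer exists in the store once the victim logs in.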
Fix
Update to Jenkins Google Login Plugin 1.3.1 or newer, which invalidates the pre-authentication session during login and creates a new one.
Weakness Enumeration
Session Fixation
Related Identifiers
Affected Products
Jenkins
Jenkins Google Login Plugin