PT-2024-35375 · Jenkins · Jenkins OpenId Connect Authentication Plugin
Kevin Guerroudj · Published 2024-11-13 · Updated 2024-11-15
CVE-2024-52553 · CVSS v3.1 8.8 (High)
| Vector | AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Jenkins OpenId Connect Authentication Plugin versions 4.418.vccc7061f5b_6d and earlier
Description
The plugin does not invalidate the existing session when a user logs in, so a session identifier that was already established before authentication remains valid afterwards and is simply upgraded to the logged-in user's privileges. An attacker who can get an administrator to log in on such a session (for example through social engineering) could potentially use it to gain administrator access to Jenkins.
Recommendations
For Jenkins OpenId Connect Authentication Plugin versions 4.418.vccc7061f5b_6d and earlier, update to version 4.421.v5422614eb_e0a or later, which invalidates the existing session on login.
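As an added illustration of the weakness class (constructed example, not the plugin's code), a minimal in-memory session store in Python showing the login pattern that keeps the pre-login session beside the hardened pattern that invalidates it, together with a check for the fixation condition the advisory describes:

```python
import secrets


class SessionStore:
    """Constructed in-memory session store used only for this illustration."""

    def __init__(self):
        self.sessions = {}  # session id -> {"user": authenticated user or None}

    def new_session(self):
        # Issue a fresh, unpredictable session id with no user attached.
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": None}
        return sid

    def login_without_invalidation(self, sid, user):
        # Vulnerable pattern: the id presented before login is kept and merely
        # upgraded to authenticated state, so anyone who knew it now holds
        # the authenticated session.
        self.sessions.setdefault(sid, {"user": None})["user"] = user
        return sid

    def login_with_invalidation(self, sid, user):
        # Hardened pattern (what the fixed plugin version does): discard the
        # pre-login session and bind the authenticated user to a new id.
        self.sessions.pop(sid, None)
        new_sid = self.new_session()
        self.sessions[new_sid]["user"] = user
        return new_sid


def fixation_possible(store, login):
    """Return True if a session id that existed before authentication still
    identifies the authenticated user afterwards (the CVE-2024-52553 condition).
    """
    known_sid = store.new_session()        # id established before login
    login(known_sid, "admin")              # user authenticates on that id
    entry = store.sessions.get(known_sid, {})
    return entry.get("user") == "admin"
```

The same check applies to a real deployment by comparing the session cookie value before and after authentication: a cookie that survives login unchanged is the vulnerable behaviour.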
Fix
Insufficient Session Expiration
Session Fixation
Affected Products
Jenkins
Jenkins OpenId Connect Authentication Plugin