
CVE-2018-1000409: Session Fixation in Jenkins

CVSS Score: 5.4 (CVSS v3.0)

Basic Information

EPSS Score: 0.22924%
Published: 5/14/2022
Updated: 12/15/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
org.jenkins-ci.main:jenkins-core | maven | <= 2.138.1 | 2.138.2
org.jenkins-ci.main:jenkins-core | maven | >= 2.140, <= 2.145 | 2.146

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The commit diff shows that the security fix was applied to the loginAndTakeBack method in HudsonPrivateSecurityRealm.java, specifically by adding session invalidation logic. The vulnerability description states that Jenkins did not invalidate the existing session during signup, which maps directly to this method: the pre-authentication session was carried over into the authenticated state, so an attacker who had planted a known session ID in a victim's browser held an authenticated session as soon as the victim signed up. The added test case HudsonPrivateSecurityRealm2SEC1158Test verifies that the session ID changes after signup, confirming the method's role in session management.
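To make the failure mode concrete, the following is an added example, written for this page and not taken from Jenkins, that models servlet-style sessions in Python. The class and function names (SessionStore, SignupHandler, run_fixation_attack) are hypothetical; the only behaviour it reproduces from the description above is that the vulnerable signup path keeps the session the request arrived with, while the fixed path invalidates it and starts a new one before binding the account.

```python
# Added example (not Jenkins code): a minimal model of container-managed sessions
# showing why a signup handler that keeps the pre-authentication session ID is open
# to session fixation, and how invalidate-then-create closes the hole.
import secrets


class SessionStore:
    """In-memory stand-in for the servlet container's session registry (hypothetical)."""

    def __init__(self):
        self._sessions = {}  # session id -> attribute dict

    def new_session(self):
        sid = secrets.token_hex(16)
        self._sessions[sid] = {}
        return sid

    def get(self, sid):
        """Lookup by cookie value: None if the id is unknown or was invalidated."""
        return self._sessions.get(sid)

    def invalidate(self, sid):
        self._sessions.pop(sid, None)


class SignupHandler:
    """Models the signup -> auto-login step (hypothetical names).

    rotate=False reproduces the flaw described on this page: the session that
    carried the signup request is reused after authentication.
    rotate=True is the fix: invalidate the existing session and create a new one
    before the account is bound to it.
    """

    def __init__(self, store, rotate):
        self.store = store
        self.rotate = rotate

    def signup(self, cookie_sid, username):
        """Returns the session id the browser should hold after signup."""
        if self.rotate:
            # Fix: drop whatever session the request carried, then start fresh.
            self.store.invalidate(cookie_sid)
            sid = self.store.new_session()
        else:
            # Flaw: keep the pre-auth session; only create one if none exists.
            if self.store.get(cookie_sid) is not None:
                sid = cookie_sid
            else:
                sid = self.store.new_session()
        self.store.get(sid)["user"] = username  # bind the new account to the session
        return sid


def whoami(store, cookie_sid):
    """Who does the server believe is behind this session cookie?"""
    session = store.get(cookie_sid)
    return session.get("user") if session is not None else None


def run_fixation_attack(rotate):
    """Constructed scenario: attacker plants a session id, victim signs up on it."""
    store = SessionStore()
    handler = SignupHandler(store, rotate)
    # 1. Attacker obtains a valid anonymous session id from the server.
    attacker_sid = store.new_session()
    # 2. Attacker gets that id into the victim's browser (delivery out of scope here).
    victim_cookie = attacker_sid
    # 3. Victim signs up; the server now treats the session as authenticated.
    victim_cookie = handler.signup(victim_cookie, "victim")
    # 4. Attacker replays the id they planted and checks whose session it is.
    return {
        "victim_sid_changed": victim_cookie != attacker_sid,
        "attacker_sees": whoami(store, attacker_sid),
        "victim_sees": whoami(store, victim_cookie),
    }


if __name__ == "__main__":
    print("vulnerable:", run_fixation_attack(rotate=False))
    print("fixed:     ", run_fixation_attack(rotate=True))
```

With rotate=False the attacker's planted id resolves to the victim's account; with rotate=True the planted id no longer resolves to any session and only the freshly issued id carries the login. The check a practitioner wants from a fix like this is exactly the one the page's test case performs: the session id observed before signup must differ from the one observed after.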


WAF Protection Rules

WAF Rule

A session fixation vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java that prevented Jenkins from invalidating the existing session and creating a new one w
