
CVE-2019-1003019: GitHub Authentication Plugin session fixation vulnerability

CVSS Score (v3.0)
5.9

Basic Information

EPSS Score
0.07592%
Published
5/13/2022
Updated
1/9/2024
KEV Status
No
Technology
Java

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Package Name
org.jenkins-ci.plugins:github-oauth
Ecosystem
maven
Vulnerable Versions
<= 0.29
First Patched Version
0.31

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The session fixation vulnerability stemmed from inadequate session management during authentication. The commit diff shows two security fixes in doFinishLogin: (1) the existing session is invalidated before a new session is created, and (2) the referer attribute is read before the session is invalidated, so the value is not lost with the old session. The pre-patch code lacked these protections, so the session ID present before authentication persisted into the authenticated session. The test case added in GithubAccessTokenPropertyTest_SEC797.java specifically verifies that the session ID changes during login, confirming that the vulnerable flow was in the authentication completion handler.
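The fix pattern described above, written out as an added illustration against the standard Servlet API; this is not the plugin's own code and is not taken from the commit. The attribute name `REFERER_ATTR`, the method names, and the `user` attribute are assumptions chosen for the example. The vulnerable variant keeps whatever session the client arrived with; the fixed variant reads what it needs from the pre-authentication session, invalidates it, and only then creates the session that will carry the authenticated identity. The last helper expresses the check the page says the SEC797 test performs: the session identifier before login must differ from the one after.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Added example of login-time session handling; not code from the plugin. */
public class LoginSessionHandling {

    // Hypothetical attribute name; the plugin's real attribute name is not shown on this page.
    static final String REFERER_ATTR = "referer";
    // Hypothetical attribute used here to mark the session as authenticated.
    static final String USER_ATTR = "user";

    /**
     * Vulnerable pattern (the pre-patch behaviour described on this page):
     * the session that existed before authentication is reused, so a session
     * identifier that was set before login is still valid after login.
     */
    static HttpSession finishLoginVulnerable(HttpServletRequest req, String user) {
        HttpSession session = req.getSession(true);   // returns the existing session if there is one
        session.setAttribute(USER_ATTR, user);        // authenticated identity lands in the old session
        return session;
    }

    /**
     * Fixed pattern: invalidate the pre-authentication session and create a new
     * one before attaching the authenticated identity. Any attribute that must
     * survive (the referer here) is read BEFORE invalidate(), because a session's
     * attributes are no longer accessible once it has been invalidated.
     */
    static HttpSession finishLoginFixed(HttpServletRequest req, String user) {
        String referer = null;
        HttpSession preAuth = req.getSession(false);  // do not create one just to invalidate it
        if (preAuth != null) {
            referer = (String) preAuth.getAttribute(REFERER_ATTR); // step 2 of the fix: read first
            preAuth.invalidate();                                  // step 1 of the fix: drop the old session
        }
        HttpSession fresh = req.getSession(true);     // container issues a new session with a new ID
        fresh.setAttribute(USER_ATTR, user);
        if (referer != null) {
            fresh.setAttribute(REFERER_ATTR, referer); // carry the preserved value into the new session
        }
        return fresh;
    }

    /**
     * The property a login test should assert: the session identifier observed
     * before authentication must not be the identifier of the authenticated session.
     * A missing pre-auth session (null id) trivially satisfies the check.
     */
    static boolean sessionWasRotated(String preLoginSessionId, HttpSession postLogin) {
        return preLoginSessionId == null || !preLoginSessionId.equals(postLogin.getId());
    }
}
```

Run inside a servlet container or with a mocked `HttpServletRequest`: record `req.getSession(false).getId()` before calling `finishLoginFixed`, then pass that id and the returned session to `sessionWasRotated`; the same check against `finishLoginVulnerable` fails whenever a session already existed, which is exactly the condition the CVE describes.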


WAF Protection Rules

WAF Rule

A session fixation vulnerability exists in Jenkins GitHub Authentication Plugin 0.29 and earlier in GithubSecurityRealm.java that allows unauthorized attackers to impersonate another user if they can control the pre-authentication session.
