Miggo Logo
Miggo Vulnerability Database
CVE-2023-24456

CVE-2023-24456: Session fixation vulnerability in Jenkins Keycloak Authentication Plugin

9.8

CVSS Score
3.1

Basic Information

CVE ID
CVE-2023-24456
GHSA ID
GHSA-9963-gmh8-vvm6
EPSS Score
0.48224%
CWE
CWE-384
Published
1/26/2023
Updated
1/5/2024
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.jenkins-ci.plugins:keycloakmaven<= 2.3.02.3.1

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from missing session invalidation during authentication. The GitHub commit 11ae476 shows the fix adds session ID rotation (request.changeSessionId()) in doFinishLogin method. This indicates the original implementation lacked session fixation protection by not resetting the session after authentication. The method handles OAuth login completion and session creation, making it the logical point where session management should occur.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

J*nkins K*y*lo*k *ut**nti**tion Plu*in *.*.* *n* **rli*r *o*s not inv*li**t* t** pr*vious s*ssion on lo*in.

Reasoning

T** vuln*r**ility st*ms *rom missin* s*ssion inv*li**tion *urin* *ut**nti**tion. T** *it*u* *ommit ******* s*ows t** *ix ***s s*ssion I* rot*tion (`r*qu*st.***n**S*ssionI*()`) in `*o*inis*Lo*in` m*t*o*. T*is in*i**t*s t** ori*in*l impl*m*nt*tion l**k
CVE-2023-24456: Jenkins Keycloak Auth Bypass | Miggo