Miggo Logo
Miggo Vulnerability Database
CVE-2024-52553

CVE-2024-52553: Session fixation vulnerability in Jenkins OpenId Connect Authentication Plugin

8.8

CVSS Score
3.1

Basic Information

CVE ID
CVE-2024-52553
GHSA ID
GHSA-h23j-73ww-7594
EPSS Score
0.42578%
CWE
CWE-384
Published
11/13/2024
Updated
11/14/2024
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.jenkins-ci.plugins:oic-authmaven< 4.421.v5422614eb4.421.v5422614eb

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from missing session invalidation during login. In Jenkins authentication flows, the login completion handler (typically doFinishLogin in SecurityRealm implementations) is responsible for session management. The advisory specifically mentions session fixation through preserved sessions, indicating the login sequence doesn't properly cycle sessions. The OicSecurityRealm class would contain the authentication completion logic, and the absence of session.invalidate() calls before establishing new authentication credentials would leave previous sessions active. The high confidence comes from the direct match between the vulnerability description and standard session management practices in Jenkins plugins.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

J*nkins Op*nI* *onn**t *ut**nti**tion Plu*in *.***.v**********_** *n* **rli*r *o*s not inv*li**t* t** pr*vious s*ssion on lo*in. T*is *llows *tt**k*rs to us* so*i*l *n*in**rin* t***niqu*s to **in **ministr*tor ****ss to J*nkins. Op*nI* *onn**t *ut**n

Reasoning

T** vuln*r**ility st*ms *rom missin* s*ssion inv*li**tion *urin* lo*in. In J*nkins *ut**nti**tion *lows, t** lo*in *ompl*tion **n*l*r (typi**lly `*o*inis*Lo*in` in `S**urityR**lm` impl*m*nt*tions) is r*sponsi*l* *or s*ssion m*n***m*nt. T** **visory s