8.8

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2024-52553

GHSA ID

GHSA-h23j-73ww-7594

EPSS Score

0.42578%

CWE

CWE-384

Published

11/13/2024

Updated

11/14/2024

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-52553

CVE-2024-52553: Session fixation vulnerability in Jenkins OpenId Connect Authentication Plugin

Jenkins OpenId Connect Authentication Plugin 4.418.vccc7061f5b_6d and earlier does not invalidate the previous session on login. This allows attackers to use social engineering techniques to gain administrator access to Jenkins. OpenId Connect Authentication Plugin 4.421.v5422614eb_e0a_ invalidates the existing session on login.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2024-52553

CVE-2024-52553:

8.8

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2024-52553

GHSA ID

GHSA-h23j-73ww-7594

EPSS Score

0.42578%

CWE

CWE-384

Published

11/13/2024

Updated

11/14/2024

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.jenkins-ci.plugins:oic-auth	maven	< 4.421.v5422614eb	4.421.v5422614eb

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from missing session invalidation during login. In Jenkins authentication flows, the login completion handler (typically doFinishLogin in SecurityRealm implementations) is responsible for session management. The advisory specifically mentions session fixation through preserved sessions, indicating the login sequence doesn't properly cycle sessions. The OicSecurityRealm class would contain the authentication completion logic, and the absence of session.invalidate() calls before establishing new authentication credentials would leave previous sessions active. The high confidence comes from the direct match between the vulnerability description and standard session management practices in Jenkins plugins.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

8.8

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-52553: Session fixation vulnerability in Jenkins OpenId Connect Authentication Plugin

CVE-2024-52553:

8.8

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

Technical Details

CVE-2024-52553: Session fixation vulnerability in Jenkins OpenId Connect Authentication Plugin

8.8

8.8

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI