Session Fixation Vulnerability in Jenkins GitHub Authentication Plugin
CVE-2019-1003019

5.9 MEDIUM

Key Information:

Vendor:
Jenkins
CVE Published:
6 February 2019

Summary

A session fixation vulnerability has been identified in the Jenkins GitHub Authentication Plugin, affecting versions 0.29 and earlier. The issue allows an unauthenticated attacker to exploit a pre-authentication session so that, once a legitimate user logs in through it, the attacker can impersonate that user. The vulnerability arises from insufficient validation of session data in GitHubSecurityRealm.java, which could lead to unauthorized access to and manipulation of user sessions.

Affected Version(s)

Jenkins GitHub Authentication Plugin 0.29 and earlier

CVSS V3.1

Score: 5.9
Severity: MEDIUM
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: High
Availability: None

Timeline

  • Vulnerability reserved
  • Vulnerability published