Session Management Flaw in Jenkins Bitbucket OAuth Plugin by Jenkins
CVE-2023-24427

9.8CRITICAL

Key Information:

Vendor: Jenkins
Status: Jenkins Bitbucket Oauth Plugin
Vendor: CVE Published:; 26 January 2023

What is CVE-2023-24427?

The Jenkins Bitbucket OAuth Plugin versions up to and including 0.12 contain a session management flaw that does not invalidate the previous session upon user login. This vulnerability allows an attacker to potentially exploit the session of a logged-in user if they manage to obtain a valid session identifier. It underscores the importance of ensuring that prior sessions are properly terminated during the authentication process to safeguard user accounts.

Affected Version(s)

Jenkins Bitbucket OAuth Plugin <= 0.12

References

https://www.jenkins.io/security/advisory/2023-01-24/#SECU...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 26, 2023
Vulnerability Reserved
Jan 23, 2023