CVE-2018-1000173
Description
Session fixation vulnerability in Jenkins Google Login Plugin allows attackers to impersonate users by controlling pre-authentication session.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Session fixation vulnerability in Jenkins Google Login Plugin allows attackers to impersonate users by controlling pre-authentication session.
Vulnerability
A session fixation vulnerability exists in the Jenkins Google Login Plugin, versions 1.3 and older, specifically in the GoogleOAuth2SecurityRealm.java file. The plugin did not invalidate the previous session and create a new one upon successful login, allowing an attacker to reuse a known session ID.[1][2]
Exploitation
An attacker who can control or obtain another user's pre-login session ID can exploit this vulnerability. If the victim then authenticates via Google OAuth, the attacker can use the original session ID to impersonate the victim, gaining access to Jenkins without knowing their credentials.[2]
Impact
Successful exploitation allows an attacker to impersonate any user whose pre-authentication session ID they can control or obtain. This leads to unauthorized access to Jenkins resources and actions that the impersonated user is permitted to perform.[1][2]
Mitigation
The issue is fixed in Google Login Plugin version 1.4 and later. Users should upgrade to the latest version. No workaround is available for unpatched versions. The fix ensures that a new session is created upon successful login, invalidating any previous session.[2]
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.jenkins-ci.plugins:google-loginMaven | < 1.3.1 | 1.3.1 |
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
5- github.com/advisories/GHSA-rp82-xvg3-727cghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2018-1000173ghsaADVISORY
- www.securityfocus.com/bid/104210ghsavdb-entryx_refsource_BIDWEB
- jenkins.io/security/advisory/2018-04-16ghsaWEB
- jenkins.io/security/advisory/2018-04-16/mitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.