VYPR
High severity · NVD Advisory · Published Jan 24, 2023 · Updated Apr 2, 2025

CVE-2023-24426

Description

Jenkins Azure AD Plugin 303.va_91ef20ee49f and earlier does not invalidate the previous session on login.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Jenkins Azure AD Plugin fails to invalidate previous sessions on login, enabling session fixation and unauthorized access.

Vulnerability

Details

The Jenkins Azure AD Plugin, versions 303.va_91ef20ee49f and earlier, does not invalidate the previous session upon a new login [1][3]. The session identifier a browser holds before authenticating is not discarded and replaced at login; the same identifier simply becomes the authenticated session. Anyone who already knows that pre-login identifier therefore holds an authenticated session as soon as the victim logs in, without ever seeing the victim's credentials.

Exploitation

An attacker exploits this by getting the victim to authenticate inside a session the attacker already knows: planting a session identifier before the victim logs in (classic session fixation), typically through social engineering, or capturing one in transit where the connection is not protected by TLS. No credentials and no further authentication are needed. Once the victim has logged in, the attacker presents the known identifier to the Jenkins controller and is treated as the victim.
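The mechanics in the Details and Exploitation sections above, as an added example that is not Jenkins or plugin code: a minimal in-memory session store with two login handlers, one that keeps the pre-authentication session ID (the behaviour described for the affected plugin versions) and one that discards it and issues a fresh ID, plus the fixation sequence played against each. The store, handler names and the user "alice" are assumptions for illustration.

```python
"""Session fixation demo (added example, not Jenkins or Azure AD Plugin code).
Contrasts a login that keeps the pre-login session ID with one that rotates
it, and plays the fixation attack against both. Names are illustrative."""
import secrets


class SessionStore:
    """Minimal server-side session table: session_id -> session data."""

    def __init__(self):
        self._sessions = {}

    def new_session(self):
        """Issue an unauthenticated session with a fresh random ID."""
        sid = secrets.token_hex(16)
        self._sessions[sid] = {"user": None}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def invalidate(self, sid):
        self._sessions.pop(sid, None)


def login_vulnerable(store, sid, user):
    """Marks the *existing* session as authenticated and keeps its ID.
    Whoever already knows `sid` (e.g. an attacker who planted it) now
    holds an authenticated session. This mirrors the reported behaviour."""
    session = store.get(sid)
    if session is None:
        sid = store.new_session()
        session = store.get(sid)
    session["user"] = user
    return sid


def login_fixed(store, sid, user):
    """Invalidates the pre-login session and binds the user to a fresh ID,
    so a planted identifier is useless after the victim authenticates."""
    store.invalidate(sid)
    new_sid = store.new_session()
    store.get(new_sid)["user"] = user
    return new_sid


def whoami(store, sid):
    """What the server believes about the bearer of `sid` (None = nobody)."""
    session = store.get(sid)
    return None if session is None else session["user"]


def fixation_attack(login):
    """Runs the fixation sequence against `login` and returns the user the
    attacker's planted session ID resolves to after the victim logs in."""
    store = SessionStore()
    # 1. Attacker obtains an unauthenticated session ID from the server.
    planted = store.new_session()
    # 2. Victim is induced to use that ID (crafted link, injected cookie)
    #    and authenticates with it. "alice" is a placeholder victim.
    login(store, planted, "alice")
    # 3. Attacker presents the planted ID. Still "alice" => fixation works.
    return whoami(store, planted)


if __name__ == "__main__":
    print("vulnerable login, attacker is:", fixation_attack(login_vulnerable))
    print("fixed login, attacker is:", fixation_attack(login_fixed))
```

The point of `login_fixed` is not the new random value but the `invalidate` call: rotating the ID while leaving the old one valid would still let the planted session be used.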

Impact

Successful exploitation allows the attacker to impersonate the victim and perform any actions the victim is authorized to do within Jenkins. Depending on the victim's permissions, this could include viewing sensitive data, modifying jobs, or executing arbitrary code on the Jenkins controller, leading to a full compromise of the CI/CD environment.

Mitigation

The Jenkins Security Advisory 2023-01-24 recommends updating the Azure AD Plugin to version 304.va_... or later, which invalidates the previous session on login [1]. Until the upgrade is applied, administrators should verify their own instance by logging in with a test account and confirming that the session cookie set by the login response differs from the one held before login. Serving Jenkins only over HTTPS and handling tokens carefully narrows the interception path, but it does not remove the fixation vector, since an attacker can still plant an unauthenticated session identifier.
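The verification step above, as an added example (not the project's own tooling): given the raw Set-Cookie header values from the response that first established a session and from the response that completed login, decide whether the session cookie was rotated. Jenkins issues its session cookie as JSESSIONID, usually with a per-instance suffix (JSESSIONID.<hash>), so the check matches on that prefix; the header values in the block are constructed placeholders, not captured from a real instance.

```python
"""Session-rotation check over Set-Cookie headers (added example, not
Jenkins code). Feed it the Set-Cookie values from the pre-login response
and from the login response of your own instance."""


def session_cookie_value(set_cookie_headers, name="JSESSIONID"):
    """Return the value of the session cookie from a list of Set-Cookie
    header values, or None if none is present. Matches `name` exactly or
    with a suffix (Jenkins commonly uses JSESSIONID.<hash>)."""
    for header in set_cookie_headers:
        first = header.split(";", 1)[0].strip()  # "name=value" before attributes
        if "=" not in first:
            continue
        key, value = first.split("=", 1)
        if key == name or key.startswith(name + "."):
            return value
    return None


def session_rotated_on_login(pre_login_headers, post_login_headers):
    """True only if the login response set a session cookie whose value
    differs from the pre-login one. A login response that sets no session
    cookie means the server kept the old session: report not rotated."""
    before = session_cookie_value(pre_login_headers)
    after = session_cookie_value(post_login_headers)
    return after is not None and after != before


# Constructed sample headers; cookie names follow the Jenkins/Jetty shape,
# values are placeholders.
PRE_LOGIN = ["JSESSIONID.3f1a2b4c=node01abc123.node0; Path=/; HttpOnly"]
LOGIN_NO_ROTATION = ["remember-me=abc; Path=/; HttpOnly"]
LOGIN_ROTATED = ["JSESSIONID.3f1a2b4c=node01zzz999.node0; Path=/; HttpOnly"]

if __name__ == "__main__":
    print("no rotation:", session_rotated_on_login(PRE_LOGIN, LOGIN_NO_ROTATION))
    print("rotated:", session_rotated_on_login(PRE_LOGIN, LOGIN_ROTATED))
```

Run it against the headers of a fresh unauthenticated GET and then the login POST (or, for the Azure AD flow, the final redirect back to Jenkins that completes login); a False result on an instance at 303.va_91ef20ee49f or earlier is the expected, vulnerable outcome.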

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:azure-ad (Maven)
Affected versions: <= 303.va
Patched versions: (none listed)

Affected products: 3


References: 3

News mentions: 1