VYPR
Critical severity · NVD Advisory · Published Jan 24, 2023 · Updated Apr 2, 2025

CVE-2023-24427

Description

Jenkins Bitbucket OAuth Plugin 0.12 and earlier does not invalidate the previous session on login.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Jenkins Bitbucket OAuth Plugin 0.12 and earlier fails to invalidate the previous session on login, enabling session fixation attacks.

Vulnerability

Overview

The Jenkins Bitbucket OAuth Plugin, in versions 0.12 and earlier, does not invalidate the HTTP session that already exists when a user completes login through the plugin [1]. This is a classic session fixation weakness (CWE-384): an attacker who can plant a known session identifier in the victim's browser before authentication keeps that same identifier valid, and now authenticated, after the victim logs in.

Exploitation

Details

An attacker first obtains a session identifier, for example by starting the OAuth login flow themselves, and then gets the victim's browser to present it, e.g. by luring the victim to a crafted link that carries that session ID. When the victim completes the Bitbucket OAuth flow, doFinishLogin authenticates the user into the session the request already carries rather than into a fresh one, so the identifier the attacker holds now refers to an authenticated session [1]. The fix invalidates the old session and creates a new one inside doFinishLogin, after the state parameter has been validated and before the authorization code is exchanged for an access token, as shown in the commit that addresses the issue [4].
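The flow described above, as an added example that is not the plugin's code: a small in-memory model of a servlet session store with two versions of the callback handler, one that authenticates into whatever session the request already carries (the pre-0.13 behaviour) and one that invalidates that session and continues in a fresh one (what the SECURITY-2982 patch does). The session store, the attacker/victim scenario and all function and attribute names are constructed for illustration.

```python
"""Model of CVE-2023-24427: pre-auth session id surviving login (constructed example, not plugin code)."""
import secrets

STATE_ATTRIBUTE = "oauth_state"    # assumed names; the plugin's constants are not shown on the page
REFERER_ATTRIBUTE = "referer"
USER_ATTRIBUTE = "user"


class SessionStore:
    """Minimal stand-in for a servlet session container: session id -> attribute dict."""

    def __init__(self):
        self._sessions = {}

    def get_session(self, session_id, create=False):
        """Mirror HttpServletRequest.getSession(create): (id, attrs), or (None, None) if absent."""
        if session_id in self._sessions:
            return session_id, self._sessions[session_id]
        if not create:
            return None, None
        new_id = secrets.token_hex(16)
        self._sessions[new_id] = {}
        return new_id, self._sessions[new_id]

    def invalidate(self, session_id):
        self._sessions.pop(session_id, None)


def commence_login(store, session_id, referer):
    """Start the OAuth dance: bind a CSRF state and the return URL to the caller's session."""
    session_id, attrs = store.get_session(session_id, create=True)
    state = secrets.token_urlsafe(16)
    attrs[STATE_ATTRIBUTE] = state
    attrs[REFERER_ATTRIBUTE] = referer
    return session_id, state


def finish_login_vulnerable(store, session_id, state, user):
    """Pre-0.13 behaviour: validate state, then authenticate into the session already presented."""
    sid, attrs = store.get_session(session_id)
    if attrs is None or state is None or attrs.get(STATE_ATTRIBUTE) != state:
        return None
    attrs[USER_ATTRIBUTE] = user        # the attacker-chosen id is now an authenticated session
    return sid


def finish_login_fixed(store, session_id, state, user):
    """0.13 behaviour: read what is needed, invalidate the old session, continue in a fresh one."""
    sid, attrs = store.get_session(session_id)
    if attrs is None or state is None or attrs.get(STATE_ATTRIBUTE) != state:
        return None
    referer = attrs.get(REFERER_ATTRIBUTE)   # captured before the invalidate, as in the patch
    store.invalidate(sid)
    new_sid, new_attrs = store.get_session(None, create=True)
    new_attrs[USER_ATTRIBUTE] = user
    new_attrs[REFERER_ATTRIBUTE] = referer
    return new_sid


def run_fixation(finish_login):
    """Attacker fixes a session on the victim, victim logs in, attacker replays the fixed id."""
    store = SessionStore()
    # Attacker starts a login to obtain a session id and a matching state, then plants both
    # on the victim (constructed scenario; the delivery mechanism is out of scope here).
    attacker_sid, state = commence_login(store, None, referer="/job/secret/")
    # The victim's OAuth callback arrives carrying the attacker's session id and state.
    victim_sid = finish_login(store, attacker_sid, state, user="victim")
    # The attacker now presents the id they already knew.
    _, attrs = store.get_session(attacker_sid)
    hijacked_user = attrs.get(USER_ATTRIBUTE) if attrs else None
    return {
        "victim_session": victim_sid,
        "attacker_sees_user": hijacked_user,
        "session_rotated": victim_sid is not None and victim_sid != attacker_sid,
    }


if __name__ == "__main__":
    print("vulnerable:", run_fixation(finish_login_vulnerable))
    print("fixed:     ", run_fixation(finish_login_fixed))
```

The same state check passes in both handlers; what differs is only whether the authenticated user lands in the session the attacker already holds. The fixed handler reads the referer before invalidating, which is why the patch moves that read above the invalidate call.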

Impact

If exploited, an attacker could gain access to the victim's authenticated Jenkins session, thereby obtaining the victim's privileges within Jenkins. This could lead to unauthorized configuration changes, access to secrets, or other actions depending on the victim's permissions.

Mitigation

Users should upgrade to version 0.13 or later of the Bitbucket OAuth Plugin. The pull request and associated commit demonstrate the code change that invalidates the previous session to prevent this session fixation vulnerability [4]. The Jenkins security advisory provides full details [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:bitbucket-oauth (Maven)
Affected versions: < 0.13
Patched versions: 0.13

Affected products: 3

Patches: 1

b73ac285f8cf

[SECURITY-2982] fix session fixation vulnerability

1 file changed · +20 −2
  • src/main/java/org/jenkinsci/plugins/BitbucketSecurityRealm.java  +20 −2  modified
    @@ -4,6 +4,8 @@
     import java.util.logging.Level;
     import java.util.logging.Logger;
     
    +import javax.servlet.http.HttpSession;
    +
     import org.acegisecurity.Authentication;
     import org.acegisecurity.AuthenticationException;
     import org.acegisecurity.AuthenticationManager;
    @@ -147,11 +149,20 @@ public HttpResponse doFinishLogin(StaplerRequest request) throws IOException {
                 return HttpResponses.redirectToContextRoot();
             }
     
    -        if (state == null || !StringUtils.equals(state, (String) request.getSession().getAttribute(STATE_ATTRIBUTE))) {
    +        if (state == null || !StringUtils.equals(state, getSessionAttribute(request, STATE_ATTRIBUTE))) {
                 LOGGER.log(Level.SEVERE, "doFinishLogin() invalid state parameter");
                 return HttpResponses.redirectToContextRoot();
             }
     
    +        String referer = getSessionAttribute(request, REFERER_ATTRIBUTE);
    +
    +        // avoid session fixation vulnerability
    +        HttpSession session = request.getSession(false);
    +        if (session != null) {
    +            session.invalidate();
    +        }
    +        request.getSession(true);
    +
             String rawClientSecret = getSecretClientSecret().getPlainText();
     
             Token accessToken = new BitbucketApiService(clientID, rawClientSecret).getTokenByAuthorizationCode(code, null);
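Review bot: the session is invalidated and recreated before getTokenByAuthorizationCode() runs, and the new session returned by request.getSession(true) is discarded, so any attribute other than STATE_ATTRIBUTE and REFERER_ATTRIBUTE (both read before the invalidate) is silently lost at this point; confirm nothing earlier in the flow stores other state in the session. If the token exchange then fails, the user is left with an empty fresh session, which is acceptable but worth stating. On a Servlet 3.1+ container request.changeSessionId() rotates the identifier while keeping attributes; invalidate-and-recreate is the portable choice, and the comment should say why, e.g. `// SECURITY-2982: rotate the session id so a session fixed on the user before login does not survive it`.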
    @@ -175,7 +186,6 @@ public HttpResponse doFinishLogin(StaplerRequest request) throws IOException {
             }
     
             // redirect to referer
    -        String referer = (String) request.getSession().getAttribute(REFERER_ATTRIBUTE);
             if (referer != null) {
                 return HttpResponses.redirectTo(referer);
             } else {
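Review bot: the removed line read the referer from request.getSession() after the point where the session is now invalidated, so hoisting the read is required for correctness, not just tidying; a short comment at `// redirect to referer` noting that the value was captured before the old session was invalidated would stop a later change from reintroducing the late read.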
    @@ -237,6 +247,14 @@ public String getLoginUrl() {
             return "securityRealm/commenceLogin";
         }
     
    +    private String getSessionAttribute(StaplerRequest request, String attributeName) {
    +        HttpSession session = request.getSession(false);
    +        if (session == null) {
    +            return null;
    +        }
    +        return (String) session.getAttribute(attributeName);
    +    }
    +
         public static final class ConverterImpl implements Converter {
     
             public boolean canConvert(Class type) {
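Review bot: getSessionAttribute() still performs an unchecked cast to String, so a non-String value stored under that attribute name throws ClassCastException instead of being treated as absent; prefer `Object value = session.getAttribute(attributeName); return value instanceof String ? (String) value : null;`. The helper uses no instance state and can be declared `private static`.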
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 4

News mentions: 1