VYPR
High severity · NVD Advisory · Published Jan 24, 2023 · Updated Apr 2, 2025

CVE-2023-24444

Description

Jenkins OpenID Plugin before 2.5 fails to invalidate previous session on login, allowing session fixation attacks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Description

Jenkins OpenID Plugin 2.4 and earlier does not invalidate the previous session on login [1]. After a user authenticates via OpenID, the session ID that existed before login remains valid and is now bound to the authenticated user, which is the definition of a session fixation vulnerability [2]. The root cause is the absence of session invalidation (and re-issuance of a fresh session ID) during the login process.

Exploitation

An attacker can exploit this by forcing a victim to use a known session ID (e.g., via a crafted link) before the victim logs in via OpenID [1]. After the victim successfully authenticates, the session ID is not replaced, so the attacker can use the same session ID to access the Jenkins instance as the authenticated user [2]. No additional authentication is required for the attacker; they only need to set the session ID prior to login.

Impact

Successful exploitation allows an attacker to hijack an authenticated session, gaining access to the Jenkins instance with the victim's permissions [1]. This could lead to unauthorized access to jobs, configurations, credentials, or other sensitive data, depending on the victim's privileges [2]. The vulnerability is rated as medium severity in the Jenkins advisory.

Mitigation

The Jenkins OpenID Plugin version 2.5 and later fixes this vulnerability by invalidating the previous session upon login [1]. Users should upgrade to version 2.5 or higher. There is no known workaround for older versions.
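The mechanism described above (a pre-login session ID that stays valid after authentication) and the fix (invalidate the old session and issue a new ID at login) are shown side by side in the following added example. It is illustrative code written for this page, not code from Jenkins or the OpenID plugin; the in-memory SessionStore, the two login functions and the check are all constructed here. In a Java servlet container the equivalent of the hardened path is HttpSession.invalidate() followed by creating a new session, or HttpServletRequest.changeSessionId() on Servlet 3.1 and later.

```python
import secrets


class SessionStore:
    """Constructed in-memory session store (assumption for this example, not Jenkins code)."""

    def __init__(self):
        self.sessions = {}  # session_id -> attributes dict

    def new_session(self):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def get(self, sid):
        return self.sessions.get(sid)

    def invalidate(self, sid):
        self.sessions.pop(sid, None)


def login_without_rotation(store, sid, user):
    """Vulnerable pattern: authenticate in place and keep the pre-login session ID."""
    session = store.get(sid)
    if session is None:
        sid = store.new_session()
        session = store.get(sid)
    session["user"] = user
    return sid  # same ID the client presented before authentication


def login_with_rotation(store, sid, user):
    """Hardened pattern: drop the pre-login session, issue a fresh ID, copy only safe attributes."""
    old = store.get(sid) or {}
    store.invalidate(sid)
    new_sid = store.new_session()
    new_session = store.get(new_sid)
    new_session["user"] = user
    # Carry over explicitly allow-listed pre-auth state (e.g. a post-login redirect target),
    # never the old identifier itself.
    if "return_to" in old:
        new_session["return_to"] = old["return_to"]
    return new_sid


def pre_login_id_still_authenticated(store, pre_login_sid):
    """Check used by a test or review: does an ID issued before login now resolve to a user?"""
    session = store.get(pre_login_sid)
    return session is not None and session["user"] is not None


def demo(login):
    """Run one login flow and report (old ID still authenticated?, ID was rotated?)."""
    store = SessionStore()
    pre_login_sid = store.new_session()  # ID the browser holds before authentication
    post_login_sid = login(store, pre_login_sid, "alice")
    return (
        pre_login_id_still_authenticated(store, pre_login_sid),
        post_login_sid != pre_login_sid,
    )


if __name__ == "__main__":
    print("without rotation:", demo(login_without_rotation))  # (True, False): fixation possible
    print("with rotation:   ", demo(login_with_rotation))     # (False, True): old ID is dead
```

The pre_login_id_still_authenticated check is the property a regression test for this class of bug should assert: whatever session identifier the client held before authenticating must not map to an authenticated session afterwards.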

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                        Ecosystem   Affected versions   Patched versions
org.jenkins-ci.plugins:openid  Maven       <= 2.4

Affected products: 2

Patches: 0 (No patches discovered yet.)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 1