VYPR
High severity · NVD Advisory · Published May 16, 2023 · Updated Jan 23, 2025

CVE-2023-32997

Description

Jenkins CAS Plugin 1.6.2 and earlier does not invalidate the previous session on login.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CAS Plugin 1.6.2 and earlier fails to invalidate previous sessions on login, allowing session fixation attacks.

Vulnerability

Description

The Jenkins CAS (Central Authentication Service) Plugin, versions 1.6.2 and earlier, does not invalidate the previous session upon successful authentication. The flaw stems from the absence of session fixation protection: the CasAuthenticationFilter bean was not configured with a session authentication strategy that invalidates the previous session before creating a new one [1][2]. The fix, introduced in commit 3a33cc0175bcc18801faf9125afb38d495b5995f, sets a CasSessionFixationProtectionStrategy as the filter's session authentication strategy [2].

Exploitation & Attack Surface

An attacker who can obtain or force a victim to use a known session identifier (e.g., via cookie injection or a phishing link) could wait for the victim to log in via CAS. Because the old session is not invalidated on successful authentication, the attacker can reuse that same session identifier to hijack the victim's authenticated Jenkins session. No special privileges are required beyond the ability to set or predict a session identifier [1].
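The following is an added illustration, not code from the CAS plugin or from the advisory, of the protection the fix introduces. It uses a minimal in-memory session store in plain Java and shows a login handler that keeps the pre-authentication session (the vulnerable pattern described above) beside one that invalidates it and issues a fresh identifier at login, which is what Spring Security's SessionFixationProtectionStrategy does for the filter. All class and method names here are assumptions for the illustration; the scenario data is constructed.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/** Added illustration (not plugin code): why a session must be rotated at login. */
public class SessionRotationDemo {

    /** A server-side session: an identifier plus attributes. */
    static final class Session {
        final String id;
        final Map<String, Object> attributes = new HashMap<>();
        Session(String id) { this.id = id; }
    }

    /** Minimal in-memory session store standing in for the servlet container. */
    static final class SessionStore {
        private final Map<String, Session> sessions = new HashMap<>();
        private final SecureRandom random = new SecureRandom();

        String newId() {
            byte[] buf = new byte[16];
            random.nextBytes(buf);
            return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
        }

        Session create() {
            Session s = new Session(newId());
            sessions.put(s.id, s);
            return s;
        }

        Session get(String id) { return sessions.get(id); }

        void invalidate(String id) { sessions.remove(id); }
    }

    /** Vulnerable pattern: the existing session (whose id may already be known) is simply marked authenticated. */
    static String loginWithoutRotation(SessionStore store, String sessionId, String user) {
        Session s = store.get(sessionId);
        if (s == null) {
            s = store.create();
        }
        s.attributes.put("user", user);
        return s.id;
    }

    /** Hardened pattern: invalidate the pre-login session and move its attributes to a fresh one. */
    static String loginWithRotation(SessionStore store, String sessionId, String user) {
        Session old = store.get(sessionId);
        Session fresh = store.create();
        if (old != null) {
            fresh.attributes.putAll(old.attributes); // keep e.g. a saved post-login redirect
            store.invalidate(old.id);                // the previously issued id stops resolving
        }
        fresh.attributes.put("user", user);
        return fresh.id;
    }

    /** Resolves which user, if any, a presented session id is authenticated as. */
    static String userFor(SessionStore store, String sessionId) {
        Session s = store.get(sessionId);
        return s == null ? null : (String) s.attributes.get("user");
    }

    public static void main(String[] args) {
        // Constructed scenario: an id issued to the not-yet-authenticated visitor is presented at login.
        SessionStore vulnerable = new SessionStore();
        String preLogin = vulnerable.create().id;
        loginWithoutRotation(vulnerable, preLogin, "alice");
        System.out.println("without rotation, the pre-login id now resolves to user: "
                + userFor(vulnerable, preLogin));

        SessionStore hardened = new SessionStore();
        String preLogin2 = hardened.create().id;
        String postLogin = loginWithRotation(hardened, preLogin2, "alice");
        System.out.println("with rotation, the pre-login id resolves to user: "
                + userFor(hardened, preLogin2));
        System.out.println("with rotation, only the freshly issued id resolves to user: "
                + userFor(hardened, postLogin));
    }
}
```

Compile and run with `javac SessionRotationDemo.java && java SessionRotationDemo`. The point of the hardened path is that the identifier that existed before authentication can never become an authenticated one; copying attributes across is what lets a saved redirect target survive the rotation, which is also why the plugin's fix pairs the rotation with an update of the single sign-out session mapping.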

Impact

Successful exploitation allows an attacker to impersonate the victim and gain the same level of access within Jenkins as the authenticated user. This could lead to unauthorized access to builds, configurations, secrets, and other sensitive resources managed by the affected Jenkins instance [1][3].

Mitigation

The vulnerability is fixed in CAS Plugin version 1.6.3. Users should upgrade to this version immediately. No workarounds have been provided by the vendor [1][2]. The advisory was published as part of the Jenkins Security Advisory on 2023-05-16 [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:cas-plugin (Maven)
Affected versions: < 1.6.3
Patched versions: 1.6.3

Affected products: 3

Patches: 1

Commit 3a33cc0175bc

Fixed SECURITY-3000

https://github.com/jenkinsci/cas-plugin · Fabien Crespel · May 1, 2023 · via GHSA
3 files changed · +56 −1
  • CHANGELOG.md (+2 −0, modified)
    @@ -2,6 +2,8 @@
     
     ## [Unreleased]
     
    +- Fixed security issue (SECURITY-3000).
    +
     ## [1.6.2] - 2022-05-29
     
     - Added explicit dependency on JAXB plugin (JENKINS-68455).
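Review bot: the new entry under [Unreleased] names only the ticket (SECURITY-3000), but this change alters login behaviour (the pre-login session is now invalidated and a new session issued), so say that in the entry, e.g. `- Fixed session fixation on CAS login: the previous session is now invalidated (SECURITY-3000).`, so operators upgrading understand why session-bound state resets at login.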
    
  • src/main/java/org/jenkinsci/plugins/cas/spring/CasConfigurationContext.java (+3 −1, modified)
    @@ -10,6 +10,7 @@
     import org.jenkinsci.plugins.cas.CasProtocol;
     import org.jenkinsci.plugins.cas.CasSecurityRealm;
     import org.jenkinsci.plugins.cas.spring.security.CasRestAuthenticator;
    +import org.jenkinsci.plugins.cas.spring.security.CasSessionFixationProtectionStrategy;
     import org.jenkinsci.plugins.cas.spring.security.CasSingleSignOutFilter;
     import org.jenkinsci.plugins.cas.spring.security.CasUserDetailsService;
     import org.jenkinsci.plugins.cas.spring.security.DynamicServiceAuthenticationDetailsSource;
    @@ -143,12 +144,13 @@ public CasSingleSignOutFilter casSingleSignOutFilter(CasSecurityRealm securityRe
     	}
     
     	@Bean
    -	public CasAuthenticationFilter casAuthenticationFilter(AuthenticationManager casAuthenticationManager, DynamicServiceAuthenticationDetailsSource casAuthenticationDetailsSource, ServiceProperties casServiceProperties) {
    +	public CasAuthenticationFilter casAuthenticationFilter(AuthenticationManager casAuthenticationManager, DynamicServiceAuthenticationDetailsSource casAuthenticationDetailsSource, ServiceProperties casServiceProperties, SessionMappingStorage casSessionMappingStorage) {
     		CasAuthenticationFilter casAuthenticationFilter = new CasAuthenticationFilter();
     		casAuthenticationFilter.setFilterProcessesUrl("/" + CasSecurityRealm.getFinishLoginUrl());
     		casAuthenticationFilter.setAuthenticationManager(casAuthenticationManager);
     		casAuthenticationFilter.setAuthenticationDetailsSource(casAuthenticationDetailsSource);
     		casAuthenticationFilter.setServiceProperties(casServiceProperties);
    +		casAuthenticationFilter.setSessionAuthenticationStrategy(new CasSessionFixationProtectionStrategy(casSessionMappingStorage));
     		casAuthenticationFilter.setAuthenticationFailureHandler(new SimpleUrlAuthenticationFailureHandler("/" + CasSecurityRealm.getFailedLoginUrl()));
     		casAuthenticationFilter.setAuthenticationSuccessHandler(new SessionUrlAuthenticationSuccessHandler("/"));
     		casAuthenticationFilter.setContinueChainBeforeSuccessfulAuthentication(true); // Required to reach CasSecurityRealm.doFinishLogin()
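Review bot: the bean signature now takes `SessionMappingStorage casSessionMappingStorage`, but no import for `SessionMappingStorage` is added in this diff, so it must already be imported in CasConfigurationContext; worth confirming in the full file rather than relying on the partial import list shown in the first hunk. Since `setContinueChainBeforeSuccessfulAuthentication(true)` is kept, a test asserting that the session ID seen after `CasSecurityRealm.doFinishLogin()` differs from the one presented before login would pin the fix against regressions.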
    
  • src/main/java/org/jenkinsci/plugins/cas/spring/security/CasSessionFixationProtectionStrategy.java (+51 −0, added)
    @@ -0,0 +1,51 @@
    +package org.jenkinsci.plugins.cas.spring.security;
    +
    +import javax.servlet.http.HttpSession;
    +
    +import org.jasig.cas.client.session.SessionMappingStorage;
    +import org.slf4j.Logger;
    +import org.slf4j.LoggerFactory;
    +import org.springframework.security.core.Authentication;
    +import org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy;
    +
    +/**
    + * Session fixation protection strategy that invalidates the existing session
    + * and integrates with the Single Sign-Out session mapping storage.
    + * 
    + * @author Fabien Crespel
    + */
    +public class CasSessionFixationProtectionStrategy extends SessionFixationProtectionStrategy {
    +
    +	private static final Logger LOG = LoggerFactory.getLogger(CasSessionFixationProtectionStrategy.class);
    +
    +	protected SessionMappingStorage sessionStorage = null;
    +
    +	public CasSessionFixationProtectionStrategy() {
    +	}
    +
    +	public CasSessionFixationProtectionStrategy(SessionMappingStorage sessionStorage) {
    +		this.sessionStorage = sessionStorage;
    +	}
    +
    +	@Override
    +	protected void onSessionChange(String originalSessionId, HttpSession newSession, Authentication auth) {
    +		if (sessionStorage != null) {
    +			LOG.debug("Session changed, removing existing session with ID '{}'", originalSessionId);
    +			sessionStorage.removeBySessionById(originalSessionId);
    +			if (auth.getCredentials() instanceof String) {
    +				LOG.debug("Session changed, adding new session with ID '{}'", newSession.getId());
    +				sessionStorage.addSessionById((String) auth.getCredentials(), newSession);
    +			}
    +		}
    +		super.onSessionChange(originalSessionId, newSession, auth);
    +	}
    +
    +	public SessionMappingStorage getSessionStorage() {
    +		return sessionStorage;
    +	}
    +
    +	public void setSessionStorage(SessionMappingStorage sessionStorage) {
    +		this.sessionStorage = sessionStorage;
    +	}
    +
    +}
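Review bot: in `onSessionChange`, the mapping for `originalSessionId` is removed unconditionally, but the new session is re-added only when `auth.getCredentials()` is a String; if the credentials are of another type or have been erased by the time the strategy runs, the authenticated session is absent from `SessionMappingStorage` and single sign-out will no longer find it. Log that branch at warn rather than skipping silently, or document the assumption that the CAS ticket is still the credential at this point. The no-argument constructor leaves `sessionStorage` null, which falls through to the superclass behaviour (the session is still rotated), so that path is fine.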
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 4

News mentions: 1