VYPR
High severity · NVD Advisory · Published Nov 13, 2024 · Updated Nov 13, 2024

CVE-2024-52553

Description

Jenkins OpenId Connect Authentication Plugin 4.418.vccc7061f5b_6d and earlier does not invalidate the previous session on login.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Jenkins OpenId Connect Authentication Plugin 4.418.vccc7061f5b_6d and earlier fails to invalidate the previous session upon login, enabling session fixation attacks.

The Jenkins OpenId Connect Authentication Plugin versions 4.418.vccc7061f5b_6d and earlier contain a session management vulnerability: the session that exists before login is not invalidated when the OpenID Connect login completes [1]. Instead of discarding the pre-authentication session and issuing a fresh identifier, the plugin keeps the existing session and marks it as authenticated, so whatever session identifier the browser carried into the login flow is the identifier that now represents the logged-in user [2].

No account on the instance is needed. In a session fixation attack the attacker first gets a session identifier they know into the victim's browser (for example through phishing, or by intercepting the victim's unauthenticated session [3]) and then waits for the victim to log in; because the plugin does not replace that identifier on login, it now carries the victim's authenticated identity and the attacker can use it for as long as the session lives. The attack surface is limited to instances where the plugin is enabled as the security realm, and the prerequisite is the ability to plant, obtain, or predict the victim's pre-login session identifier [1].

If successfully exploited, an attacker gains access to the Jenkins instance under the identity of the victim user for the lifetime of that session, potentially with elevated privileges depending on the victim's roles [2]. This can lead to unauthorized job execution, configuration changes, or credential exposure [1].
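The sequence described above, as an added example that is not code from VYPR or from the plugin itself. It models the server-side session table with a constructed in-memory store: `rotate_on_login=False` behaves like the affected versions (the pre-login session keeps its identifier and simply becomes authenticated), `rotate_on_login=True` behaves like a fixed login handler (the old session is invalidated and a fresh identifier issued). The `SessionStore`, `finish_login` and `run_fixation_attack` names are this example's own, not the plugin's API.

```python
"""Toy model of the session handling behind CVE-2024-52553 (constructed example)."""
import secrets
from typing import Dict, Optional


class SessionStore:
    """Server-side session table: session id (the cookie value) -> logged-in user."""

    def __init__(self, rotate_on_login: bool) -> None:
        self.rotate_on_login = rotate_on_login
        self._sessions: Dict[str, Optional[str]] = {}

    def new_session(self) -> str:
        """Issue an unauthenticated session, as happens on a browser's first request."""
        sid = secrets.token_hex(16)
        self._sessions[sid] = None
        return sid

    def finish_login(self, presented_sid: Optional[str], user: str) -> str:
        """Callback after the identity provider has authenticated `user`.

        `presented_sid` is whatever session cookie the browser sent with the
        callback request. Returns the session id the browser holds afterwards.
        """
        if presented_sid not in self._sessions:
            presented_sid = self.new_session()  # no valid cookie: start fresh
        if self.rotate_on_login:
            # Fixed behaviour: invalidate the pre-login session and mint a new id,
            # so anyone who knew the old id is left holding a dead session.
            del self._sessions[presented_sid]
            presented_sid = self.new_session()
        # Vulnerable behaviour falls through with the very id it was handed.
        self._sessions[presented_sid] = user
        return presented_sid

    def whoami(self, sid: str) -> Optional[str]:
        """Identity bound to `sid`, or None if the session is dead or unauthenticated."""
        return self._sessions.get(sid)


def run_fixation_attack(rotate_on_login: bool) -> Dict[str, object]:
    """Play the session fixation sequence against a store with the given behaviour."""
    server = SessionStore(rotate_on_login)

    # 1. The attacker, holding no account, obtains an unauthenticated session id.
    attacker_sid = server.new_session()

    # 2. The attacker gets that id into the victim's browser (phishing, cookie
    #    injection or interception: the prerequisite the advisory text describes).
    victim_cookie = attacker_sid

    # 3. The victim logs in through the identity provider; the callback arrives
    #    carrying the planted cookie.
    victim_cookie = server.finish_login(victim_cookie, "alice")

    return {
        "id_rotated": victim_cookie != attacker_sid,
        "victim_sees": server.whoami(victim_cookie),
        "attacker_sees": server.whoami(attacker_sid),
    }


if __name__ == "__main__":
    for rotate in (False, True):
        print("rotate_on_login=%s -> %s" % (rotate, run_fixation_attack(rotate)))
```

With `rotate_on_login=False` the attacker's original identifier resolves to `alice` after the victim logs in; with `rotate_on_login=True` it resolves to nothing while the victim's new cookie still does. The practical check on a real instance is the same comparison: capture the session cookie before and after an OpenID Connect login and confirm the value changed.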

As of the Jenkins Security Advisory 2024-11-13, users are advised to update the plugin to a version where this issue is addressed [1]. No workaround is provided; upgrading to the fixed version is the recommended mitigation [3].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                          Ecosystem  Affected versions   Patched versions
org.jenkins-ci.plugins:oic-auth  Maven      < 4.421.v5422614eb  4.421.v5422614eb
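A check against the version range in the table above, as an added example that is not VYPR's or the plugin's own code. Because the patched build string on this page is truncated, the comparison uses only the numeric prefix of Jenkins plugin versions: anything below 4.421 is affected, 4.421 and later is not. The `check_plugin_manager` function assumes the JSON shape of Jenkins' `/pluginManager/api/json?depth=1` response (a list of plugins with `shortName`, `version` and `active` fields); that shape and the sample payload are assumptions of this example.

```python
"""Is the installed oic-auth plugin inside the affected range? (constructed example)"""
import json
from typing import Dict, Tuple

FIRST_FIXED = (4, 421)  # numeric prefix of the patched version from the table above


def numeric_prefix(version: str) -> Tuple[int, ...]:
    """Leading integer components of a Jenkins plugin version string.

    '4.418.vccc7061f5b_6d' -> (4, 418); parsing stops at the first component that
    is not a plain integer (the 'v<git-hash>' build suffix).
    """
    parts = []
    for component in version.split("."):
        if not component.isdigit():
            break
        parts.append(int(component))
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True when `version` falls in '< 4.421.v5422614eb'.

    An unparseable version yields an empty prefix, which compares as affected;
    that is deliberately the conservative outcome.
    """
    return numeric_prefix(version) < FIRST_FIXED


def check_plugin_manager(payload: str, short_name: str = "oic-auth") -> Dict[str, object]:
    """Evaluate a /pluginManager/api/json?depth=1 body (assumed shape, see lead-in)."""
    for plugin in json.loads(payload).get("plugins", []):
        if plugin.get("shortName") == short_name:
            version = str(plugin.get("version", ""))
            return {
                "installed": version,
                "active": bool(plugin.get("active", False)),
                "affected": is_affected(version),
            }
    return {"installed": None, "active": False, "affected": False}


# Constructed sample response, shaped like the plugin manager API output.
SAMPLE_PAYLOAD = json.dumps({
    "plugins": [
        {"shortName": "git", "version": "5.6.0", "active": True},
        {"shortName": "oic-auth", "version": "4.418.vccc7061f5b_6d", "active": True},
    ]
})

if __name__ == "__main__":
    print(check_plugin_manager(SAMPLE_PAYLOAD))
```

Feed it the body fetched from the instance with an API token (the endpoint needs Overall/Administer) and act on `affected` together with `active`: an installed but inactive plugin is not the configured security realm, which the advisory text above names as the condition for exposure.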

Affected products: 3

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 1