CVE-2019-10371 — Session Fixation in Jenkins Gitlab Oauth

CWE-384 — Session Fixation6 documents6 sources

Severity

7.5HIGHNVD

EPSS

0.1%

top 82.69%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Gitlab Oauth Jenkins Project Jenkins Gitlab Authentication Plugin

Timeline

PublishedAug 7

Latest updateMay 24

Description

A session fixation vulnerability in Jenkins Gitlab Authentication Plugin 1.4 and earlier in GitLabSecurityRealm.java allows unauthorized attackers to impersonate another user if they can control the pre-authentication session.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶CVEListV5jenkins_project/jenkins_gitlab_authentication_plugin1.4 and earlier

▶NVDjenkins/gitlab_oauth1.4

🔴Vulnerability Details

OSV

Jenkins Gitlab Authentication Plugin vulnerable to Session Fixation↗2022-05-24

▶

GHSA

Jenkins Gitlab Authentication Plugin vulnerable to Session Fixation↗2022-05-24

▶

CVEList

CVE-2019-10371: A session fixation vulnerability in Jenkins Gitlab Authentication Plugin 1↗2019-08-07

▶

📋Vendor Advisories

GitLab

CVE-2019-10371: A session fixation vulnerability in Jenkins Gitlab Authentication Plugin 1.4 and earlier in GitLabSecurityRealm.java allows unauthorized attackers to↗2019-08-07

▶

Jenkins

Jenkins Security Advisory 2019-08-07↗2019-08-07

▶