Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1tY3F4LXdjMmotcXg5ds4AAQ7o
GitHub Authentication Plugin session fixation vulnerability
An session fixation vulnerability exists in Jenkins GitHub Authentication Plugin 0.29 and earlier in GithubSecurityRealm.java that allows unauthorized attackers to impersonate another user if they can control the pre-authentication session.
Permalink: https://github.com/advisories/GHSA-mcqx-wc2j-qx9vJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1tY3F4LXdjMmotcXg5ds4AAQ7o
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 2 years ago
Updated: 4 months ago
CVSS Score: 5.9
CVSS vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Identifiers: GHSA-mcqx-wc2j-qx9v, CVE-2019-1003019
References:
- https://nvd.nist.gov/vuln/detail/CVE-2019-1003019
- https://jenkins.io/security/advisory/2019-01-28/#SECURITY-797
- https://github.com/jenkinsci/github-oauth-plugin/commit/3fcc367022c58486e5f52def3edbac92ed258ba4
- https://github.com/advisories/GHSA-mcqx-wc2j-qx9v
Blast Radius: 1.0
Affected Packages
maven:org.jenkins-ci.plugins:github-oauth
Affected Version Ranges: <= 0.29Fixed in: 0.31