CVE-2023-24427 : Jenkins Bitbucket OAuth Plugin 0.12 and earlier does not invalidate the previous session on login.

Jenkins Bitbucket OAuth Plugin 0.12 and earlier does not invalidate the previous session on login.

Published 2023-01-26 21:18:17

Updated 2023-02-04 02:08:47

Source Jenkins Project

View at NVD, CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2023-24427

Probability of exploitation activity in the next 30 days: 0.17%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 53 % EPSS Score History EPSS FAQ

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE-384 Session Fixation

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

Assigned by: nvd@nist.gov (Primary)

Jenkins » Bitbucket Oauth » For Jenkins
Versions up to, including, (<=) 0.13
cpe:2.3:a:jenkins:bitbucket_oauth:*:*:*:*:*:jenkins:*:*
Matching versions