GHSA-mcqx-wc2j-qx9v

Source

https://github.com/advisories/GHSA-mcqx-wc2j-qx9v

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-mcqx-wc2j-qx9v/GHSA-mcqx-wc2j-qx9v.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-mcqx-wc2j-qx9v

Aliases

CVE-2019-1003019

Published

2022-05-13T01:31:34Z

Modified

2024-02-16T08:15:00.527976Z

Severity

5.9 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator

Summary

GitHub Authentication Plugin session fixation vulnerability

Details

An session fixation vulnerability exists in Jenkins GitHub Authentication Plugin 0.29 and earlier in GithubSecurityRealm.java that allows unauthorized attackers to impersonate another user if they can control the pre-authentication session.

Database specific

{
    "nvd_published_at": "2019-02-06T16:29:00Z",
    "cwe_ids": [
        "CWE-384"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-09T22:38:20Z"
}

References

Affected packages

Maven / org.jenkins-ci.plugins:github-oauth

Package

Name: org.jenkins-ci.plugins:github-oauth; View open source insights on deps.dev
Purl: pkg:maven/org.jenkins-ci.plugins/github-oauth

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.31

Affected versions

-rc586.*

-rc586.88708ce878fc

0.*

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0.8.1

0.9

0.10

0.11

0.12

0.13

0.13.1

0.14

0.16

0.17

0.18

0.19

0.20

0.21

0.21.1

0.21.2

0.22

0.22.1

0.22.2

0.22.3

0.23

0.24

0.25

0.26

0.27

0.28.1

0.29

Database specific

{
    "last_known_affected_version_range": "<= 0.29"
}