Description

A session fixation vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java that prevented Jenkins from invalidating the existing session and creating a new one when a user signed up for a new user account.

Remediation

References

CVE-2018-1000409

Related Vulnerabilities

LimeSurvey Improper Restriction of XML External Entity Reference Vulnerability (CVE-2019-16174)

WordPress Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2017-5489)

Apache Tomcat version older than 6.0.16

Drupal Core 8.9.x Arbitrary File Overwrite (8.9.0 - 8.9.12)

WordPress Plugin WOOCS-Currency Switcher for WooCommerce Professional Cross-Site Scripting (1.3.7.2)

Severity

Medium

Classification

CVE-2018-1000409 CWE-384 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Tags

Missing Update Known Vulnerabilities