
CVE-2024-52553: Jenkins OpenID Auth Bypass Vulnerability

CVE-2024-52553 is an authentication bypass flaw in Jenkins OpenID Connect Authentication Plugin that fails to invalidate sessions on login. This article covers the technical details, affected versions, impact, and mitigation.


CVE-2024-52553 Overview

CVE-2024-52553 affects the Jenkins OpenId Connect Authentication Plugin version 4.418.vccc7061f5b_6d and earlier. The plugin fails to invalidate the previous session upon user login. Attackers can exploit this session fixation flaw [CWE-613] to hijack authenticated Jenkins sessions after a victim logs in.

The vulnerability impacts continuous integration and continuous deployment (CI/CD) environments that rely on OpenID Connect (OIDC) federated authentication. Successful exploitation grants the attacker the privileges of the authenticated victim, including access to build pipelines, credentials, and source code.

Critical Impact

Attackers who can plant a pre-authenticated session identifier in a victim's browser gain full access to the victim's Jenkins account after the victim logs in via OIDC.

Affected Products

  • Jenkins OpenId Connect Authentication Plugin 4.418.vccc7061f5b_6d and earlier
  • Jenkins controllers using OIDC for single sign-on (SSO)
  • CI/CD pipelines authenticating through federated identity providers

Discovery Timeline

  • 2024-11-13 - Jenkins publishes Security Advisory SECURITY-3473
  • 2024-11-13 - CVE-2024-52553 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2024-52553

Vulnerability Analysis

The Jenkins OpenId Connect Authentication Plugin handles authentication by exchanging OIDC tokens with an identity provider. When a user successfully authenticates, the plugin associates the resulting identity with the existing HTTP session rather than creating a new one. This behavior matches the classic session fixation pattern described in [CWE-613] (Insufficient Session Expiration).

An attacker who can set or observe a session cookie in the victim's browser before login retains a valid session reference after the victim authenticates. The plugin does not rotate the session identifier on the privilege transition from unauthenticated to authenticated state. The attacker can then replay the known session identifier and act as the victim.

Exploitation requires user interaction, since the victim must complete an OIDC login while carrying the attacker-controlled session. Network-adjacent attackers, malicious advertising, or cross-site scripting (XSS) on adjacent applications can deliver the pre-set session cookie. The impact extends across confidentiality, integrity, and availability because Jenkins administrators frequently log in via OIDC.

Root Cause

The authentication flow in the affected plugin versions does not call session invalidation or regeneration after the OIDC callback validates the identity token. Web frameworks typically expose a session rotation primitive that the plugin must invoke on successful authentication. The omission leaves the pre-login session identifier valid post-authentication.

Attack Vector

The attacker first obtains a valid Jenkins session cookie by visiting the login page. The attacker then forces the victim's browser to use that session cookie through a cookie injection vector, such as a subdomain XSS or a network position permitting cookie writes. The victim authenticates through the OIDC provider, and the plugin binds the victim's identity to the attacker's known session identifier. The attacker resumes the session and inherits the victim's permissions in Jenkins.

No verified proof-of-concept code is publicly available. Refer to the Jenkins Security Advisory SECURITY-3473 for vendor-confirmed technical detail.

Detection Methods for CVE-2024-52553

Indicators of Compromise

  • Jenkins session identifiers (JSESSIONID) that persist across the OIDC login redirect chain without rotation.
  • Authenticated Jenkins actions originating from IP addresses or User-Agent strings that differ from the IP that initiated the OIDC flow.
  • Multiple concurrent authenticated sessions sharing the same session identifier from distinct client fingerprints.

Detection Strategies

  • Correlate Jenkins access logs with OIDC identity provider logs to flag sessions where the post-login client fingerprint differs from the pre-login fingerprint.
  • Audit the JSESSIONID cookie value before and after the /securityRealm/finishLogin callback in HTTP traces to confirm rotation.
  • Alert on Jenkins administrative actions, credential reads, or pipeline modifications performed shortly after an OIDC callback from an unusual source.
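A small Python check, added here and not part of the original entry or of the Jenkins project, that implements two of the strategies above over an HTTP trace: it tests whether the JSESSIONID presented at the /securityRealm/finishLogin callback is replaced in the response, and whether the post-login session id is later used from a client IP other than the one that completed the login. The Exchange record shape, the IP addresses and the cookie values are constructed for this example.

```python
import re
from dataclasses import dataclass
# One request/response pair from an HTTP trace of the Jenkins controller
# (this example's own record shape, not a Jenkins log format).
@dataclass
class Exchange:
    client_ip: str
    path: str
    cookie: str = ""       # Cookie header the browser sent
    set_cookie: str = ""   # Set-Cookie header Jenkins returned, if any

# Jetty suffixes the cookie name with a context hash, e.g. JSESSIONID.7a1f=...
JSESSIONID = re.compile(r"JSESSIONID(?:\.[A-Za-z0-9]+)?=([^;,\s]+)")
def session_id(header: str):
    m = JSESSIONID.search(header)
    return m.group(1) if m else None

def audit_oidc_login(trace: list) -> dict:
    """Report whether the session id rotated at the OIDC callback, and which client
    IPs other than the one that completed login later used the post-login id."""
    result = {"rotated": None, "login_ip": None, "foreign_ips": []}
    post_login_id = None
    for ex in trace:
        if ex.path.startswith("/securityRealm/finishLogin"):
            pre = session_id(ex.cookie)
            post = session_id(ex.set_cookie) or pre   # no Set-Cookie: id was kept
            result["rotated"] = pre is not None and post != pre
            result["login_ip"] = ex.client_ip
            post_login_id = post
        elif post_login_id and session_id(ex.cookie) == post_login_id:
            if ex.client_ip != result["login_ip"] and ex.client_ip not in result["foreign_ips"]:
                result["foreign_ips"].append(ex.client_ip)
    return result

# Constructed traces, not real captures: 203.0.113.5 obtains a pre-login session id,
# then 198.51.100.9 completes the OIDC login while carrying that same id.
VULNERABLE_TRACE = [
    Exchange("203.0.113.5", "/login", set_cookie="JSESSIONID.7a1f=PRESET01; Path=/; HttpOnly"),
    Exchange("198.51.100.9", "/securityRealm/finishLogin?code=CODE&state=STATE", cookie="JSESSIONID.7a1f=PRESET01"),
    Exchange("198.51.100.9", "/", cookie="JSESSIONID.7a1f=PRESET01"),
    Exchange("203.0.113.5", "/credentials/", cookie="JSESSIONID.7a1f=PRESET01"),
]
# Same sequence against a patched plugin: finishLogin issues a fresh id, so PRESET01 no longer maps to the login.
PATCHED_TRACE = [
    Exchange("203.0.113.5", "/login", set_cookie="JSESSIONID.7a1f=PRESET01; Path=/; HttpOnly"),
    Exchange("198.51.100.9", "/securityRealm/finishLogin?code=CODE&state=STATE",
             cookie="JSESSIONID.7a1f=PRESET01", set_cookie="JSESSIONID.7a1f=FRESH02; Path=/; HttpOnly"),
    Exchange("198.51.100.9", "/", cookie="JSESSIONID.7a1f=FRESH02"),
    Exchange("203.0.113.5", "/credentials/", cookie="JSESSIONID.7a1f=PRESET01"),
]
```

Against the vulnerable trace the audit reports no rotation and flags 203.0.113.5 as a foreign user of the authenticated session; against the patched trace it reports rotation and no foreign IPs.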

Monitoring Recommendations

  • Forward Jenkins access.log and audit plugin events to a centralized logging platform for long-term correlation.
  • Monitor identity provider sign-in events for the Jenkins client application and reconcile against Jenkins session activity.
  • Track changes to Jenkins job configurations, credential stores, and user permission grants performed under recently authenticated sessions.

How to Mitigate CVE-2024-52553

Immediate Actions Required

  • Upgrade the Jenkins OpenId Connect Authentication Plugin to a version newer than 4.418.vccc7061f5b_6d as specified in the Jenkins advisory.
  • Invalidate all active Jenkins sessions after upgrading by restarting the controller or rotating the session secret.
  • Rotate Jenkins API tokens and credentials that may have been exposed through hijacked sessions.

Patch Information

Jenkins released a fixed version of the OpenId Connect Authentication Plugin alongside the Jenkins Security Advisory SECURITY-3473 on November 13, 2024. The patched plugin invalidates the prior session on successful OIDC login, preventing the fixation condition.

Workarounds

  • Restrict Jenkins access to trusted networks using a virtual private network (VPN) or reverse proxy until the plugin is upgraded.
  • Enforce short session lifetimes and require periodic re-authentication for privileged Jenkins users.
  • Disable the OpenId Connect Authentication Plugin and revert to an alternative authentication realm if patching is delayed.
```bash
# Upgrade the plugin via the Jenkins CLI
java -jar jenkins-cli.jar -s https://jenkins.example.com/ \
  install-plugin oic-auth -deploy

# Restart Jenkins to invalidate residual sessions
java -jar jenkins-cli.jar -s https://jenkins.example.com/ safe-restart
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
