Jenkins OpenId Connect Authentication Plugin 4.418.vccc7061f5b6d and earlier does not invalidate the previous session on login. This allows attackers to use social engineering techniques to gain administrator access to Jenkins. OpenId Connect Authentication Plugin 4.421.v5422614ebe0a_ invalidates the existing session on login.
{ "nvd_published_at": "2024-11-13T21:15:29Z", "cwe_ids": [ "CWE-384", "CWE-613" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2024-11-14T15:37:51Z" }