CVE-2023-24444
CVE-2023-24444 is a critical-severity vulnerability in Jenkins Openid with a CVSS 3.x base score of 9.8. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-404.
Key facts
- Severity: Critical (CVSS 3.x base score 9.8)
- EPSS exploit prediction: 1% (63rd percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-404
- Affected product: Jenkins Openid
- Published:
- Last modified:
Description
Jenkins OpenID Plugin 2.4 and earlier does not invalidate the previous session on login.
Frequently asked questions
- What is CVE-2023-24444?
- Jenkins OpenID Plugin 2.4 and earlier does not invalidate the previous session on login.
- How severe is CVE-2023-24444?
- CVE-2023-24444 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2023-24444 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (63rd percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2023-24444?
- CVE-2023-24444 affects Jenkins Openid. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2023-24444?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its critical severity, prioritise patching exposed systems.
- When was CVE-2023-24444 published?
- CVE-2023-24444 was published on 2023-01-26 and last updated on 2026-06-17.
References
Affected products (1)
- cpe:2.3:a:jenkins:openid:*:*:*:*:*:jenkins:*:*
More vulnerabilities in Jenkins Openid
- CVE-2023-24446 — High (CVSS 8.8): A cross-site request forgery (CSRF) vulnerability in Jenkins OpenID Plugin 2.4 and earlier allows attackers to trick…
- CVE-2023-50770 — Medium (CVSS 6.7): Jenkins OpenId Connect Authentication Plugin 2.6 and earlier stores a password of a local user account used as an…
- CVE-2019-1003099 — Medium (CVSS 6.5): A missing permission check in Jenkins openid Plugin in the OpenIdSsoSecurityRealm.DescriptorImpl#doValidate form…
- CVE-2019-1003098 — Medium (CVSS 6.5): A cross-site request forgery vulnerability in Jenkins openid Plugin in the…
- CVE-2023-24445 — Medium (CVSS 6.1): Jenkins OpenID Plugin 2.4 and earlier improperly determines that a redirect URL after login is legitimately pointing to…
All CVEs affecting Jenkins Openid →
Other CWE-404 vulnerabilities
- CVE-2024-31611 — Critical (CVSS 9.1): SeaCMS 12.9 has a file deletion vulnerability via admin_template.php.
- CVE-2018-8450 — High (CVSS 8.8): A remote code execution vulnerability exists when Windows Search handles objects in memory, aka "Windows Search Remote…
- CVE-2026-11317 — High (CVSS 8.7): A denial of service security issue exists in the affected product. The security issue stems from a fault occurring when…
- CVE-2022-25762 — High (CVSS 8.6): If a web application sends a WebSocket message concurrently with the WebSocket connection closing when running on…
- CVE-2020-26070 — High (CVSS 8.6): A vulnerability in the ingress packet processing function of Cisco IOS XR Software for Cisco ASR 9000 Series…
- CVE-2017-1145 — High (CVSS 8.6): IBM WebSphere MQ 8.0.0.6 does not properly terminate channel agents when they are no longer needed, which could allow a…