ASA-2019-00102 – Jenkins: Session fixation vulnerability in GitHub Authentication Plugin

GitHub Authentication Plugin did not invalidate the previous session and create a new one upon successful login, allowing attackers able to control or obtain another user’s pre-login session ID to impersonate them.
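The defensive pattern behind the fix, written here as an added illustration against the standard servlet API rather than taken from the plugin's own code; the class and method names are hypothetical:

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import java.util.HashMap;
import java.util.Map;

/** Illustration only: how a login handler binds the authenticated principal to a session. */
public final class LoginSessionHandling {

    /** Vulnerable shape: the pre-login session keeps its ID after authentication. */
    static void completeLoginVulnerable(HttpServletRequest req, Object authenticatedUser) {
        HttpSession session = req.getSession(true);
        // Anyone who planted or observed this session ID before login now holds an authenticated session.
        session.setAttribute("user", authenticatedUser);
    }

    /** Hardened shape: discard the pre-login session and bind the principal to a freshly issued one. */
    static void completeLoginHardened(HttpServletRequest req, Object authenticatedUser) {
        Map<String, Object> carryOver = new HashMap<>();
        HttpSession old = req.getSession(false);
        if (old != null) {
            // Keep only attributes that are safe to carry across the login boundary,
            // such as the post-login redirect target stored by the login page.
            Object from = old.getAttribute("from");
            if (from != null) {
                carryOver.put("from", from);
            }
            old.invalidate(); // the previously known session ID stops being valid here
        }
        HttpSession fresh = req.getSession(true); // container issues a new ID and a new Set-Cookie
        for (Map.Entry<String, Object> e : carryOver.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        fresh.setAttribute("user", authenticatedUser);
    }
}
```

On Servlet 3.1 or later containers, `request.changeSessionId()` rotates the ID while keeping all attributes, which is a simpler way to get the same protection when nothing needs to be dropped from the old session.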

ASA-2019-00101 – Jenkins: GitHub Authentication Plugin showed plain text client secret in configuration form

GitHub Authentication Plugin stores the client secret in the global Jenkins configuration. While the client secret is stored encrypted on disk, it was transmitted in plain text as part of the configuration form and displayed without masking. This could result in exposure of the client secret through browser extensions, cross-site scripting vulnerabilities, and similar situations. GitHub Authentication Plugin now encrypts the client secret transmitted to administrators viewing the global security configuration form.