Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS00d3I5LTJ4YzYtam1nNc4AAo_q

High EPSS: 0.00484% (0.64354 Percentile) EPSS:
Permalink JSON

Session fixation vulnerability in Jenkins

Affected Packages Affected Versions Fixed Versions
maven:org.jenkins-ci.main:jenkins-core <= 2.289.1, >= 2.292, <= 2.299 2.289.2, 2.300

Jenkins 2.299 and earlier, LTS 2.289.1 and earlier does not invalidate the previous session on login. This allows attackers to use social engineering techniques to gain administrator access to Jenkins.

This vulnerability was introduced in Jenkins 2.266 and LTS 2.277.1.

Jenkins 2.300, LTS 2.289.2 invalidates the previous session on login.

In case of problems, administrators can choose a different implementation by setting the Java system property hudson.security.SecurityRealm.sessionFixationProtectionMode to 2, or disable the fix entirely by setting that system property to 0.

References:

Identifiers

GHSA-4wr9-2xc6-jmg5

CVE-2021-21671

Risk

Severity

High

EPSS

EPSS Percentage: 0.00484

EPSS Percentile: 0.64354

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/jenkinsci/jenkins

Date and time

Published

about 3 years ago

Updated

over 1 year ago

API

JSON