Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS00d3I5LTJ4YzYtam1nNc4AAo_q
Session fixation vulnerability in Jenkins
Jenkins 2.299 and earlier, LTS 2.289.1 and earlier does not invalidate the previous session on login. This allows attackers to use social engineering techniques to gain administrator access to Jenkins.
This vulnerability was introduced in Jenkins 2.266 and LTS 2.277.1.
Jenkins 2.300, LTS 2.289.2 invalidates the previous session on login.
In case of problems, administrators can choose a different implementation by setting the Java system property hudson.security.SecurityRealm.sessionFixationProtectionMode
to 2
, or disable the fix entirely by setting that system property to 0
.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00d3I5LTJ4YzYtam1nNc4AAo_q
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: 12 months ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Identifiers: GHSA-4wr9-2xc6-jmg5, CVE-2021-21671
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-21671
- https://www.jenkins.io/security/advisory/2021-06-30/#SECURITY-2371
- http://www.openwall.com/lists/oss-security/2021/06/30/1
- https://github.com/jenkinsci/jenkins/commit/25a42f3942fd9f8bd768c887c679dbc796b4fcd5
- https://github.com/advisories/GHSA-4wr9-2xc6-jmg5
Blast Radius: 1.0
Affected Packages
maven:org.jenkins-ci.main:jenkins-core
Affected Version Ranges: <= 2.289.1, >= 2.292, <= 2.299Fixed in: 2.289.2, 2.300