Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS05MnBnLThnNTctaHFweM4AAnqH

Support bundles can include user session IDs in Jenkins Support Core Plugin

Support Core Plugin 2.72 and earlier provides the serialized user authentication as part of the "About user (basic authentication details only)" information (user.md).

In some configurations, this can include the session ID of the user creating the support bundle. Attackers with access to support bundle content and the Jenkins instance could use this information to impersonate the user who created the support bundle.

Support Core Plugin 2.72.1 no longer provides the serialized user authentication as part of the "About user (basic authentication details only)" information.

As a workaround, deselecting "About user (basic authentication details only)" before creating a support bundle will exclude the affected information from the bundle.
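The following is an added triage script, not code from the Jenkins project, the Support Core Plugin, or this advisory. It takes an already-created support bundle, checks whether the installed support-core version falls in the affected range (<= 2.72, fixed in 2.72.1), looks inside any user.md for session-ID material, and can rewrite the bundle without user.md before it is shared. Assumptions: the bundle is a zip, the plugin inventory is a file named plugins/active.txt with "name:version" or "name version" lines, the "About user" output is a file named user.md, and the session-ID patterns (Spring Security's "SessionId:" rendering and JSESSIONID cookie tokens) are heuristics. The sample bundle is constructed for offline use and is not a real Jenkins artifact.

```python
"""Triage a Jenkins support bundle for the exposure described in GHSA-92pg-8g57-hqpx.

Added example (not Jenkins project code). Assumed layout: zip bundle, optional
top-level directory, plugins/active.txt for the plugin inventory, user.md for the
"About user" component. Session-ID matching is a heuristic.
"""
import io
import re
import zipfile
from typing import Optional

AFFECTED_MAX = (2, 72)      # advisory: versions <= 2.72 are affected
FIXED_VERSION = (2, 72, 1)  # advisory: fixed in 2.72.1

# Assumed inventory line formats: "support-core:2.72" or "support-core 2.72".
PLUGIN_LINE = re.compile(r"^support-core[:\s]+([0-9][0-9A-Za-z.\-]*)")

# Heuristic session-ID patterns (assumptions, not the exact user.md format).
SESSION_PATTERNS = [
    re.compile(r"JSESSIONID[^=\s]*=\s*[\w.\-]+", re.I),   # cookie-style token
    re.compile(r"sessionId\s*[:=]\s*\S+", re.I),          # serialized-field style
]


def parse_version(s: str) -> tuple:
    """'2.72' -> (2, 72); '2.72.1-rc' -> (2, 72, 1). Non-numeric tail is dropped."""
    parts = []
    for tok in re.split(r"[.\-]", s.strip()):
        if not tok.isdigit():
            break
        parts.append(int(tok))
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True when the support-core version is within the advisory's range (<= 2.72).

    Tuple comparison makes 2.72.1 sort above 2.72, so the fixed release is excluded."""
    return parse_version(version) <= AFFECTED_MAX


def support_core_version(active_txt: str) -> Optional[str]:
    """Return the support-core version string found in the plugin inventory, if any."""
    for line in active_txt.splitlines():
        m = PLUGIN_LINE.match(line.strip())
        if m:
            return m.group(1)
    return None


def session_tokens_in(text: str) -> list:
    """Return every substring of text that looks like a session identifier."""
    hits = []
    for pat in SESSION_PATTERNS:
        hits.extend(m.group(0) for m in pat.finditer(text))
    return hits


def triage_bundle(zip_bytes: bytes) -> dict:
    """Inspect a bundle: plugin version, affected flag, user.md entries, session tokens."""
    report = {"support_core_version": None, "affected": None,
              "user_md_files": [], "session_tokens": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            base = name.rsplit("/", 1)[-1]
            if name.endswith("plugins/active.txt"):
                ver = support_core_version(zf.read(name).decode("utf-8", "replace"))
                if ver:
                    report["support_core_version"] = ver
                    report["affected"] = is_affected(ver)
            elif base == "user.md":
                report["user_md_files"].append(name)
                text = zf.read(name).decode("utf-8", "replace")
                report["session_tokens"].extend(session_tokens_in(text))
    return report


def strip_user_md(zip_bytes: bytes) -> bytes:
    """Rewrite the bundle without any user.md entry (post-creation equivalent of the workaround)."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename.rsplit("/", 1)[-1] == "user.md":
                continue
            dst.writestr(info, src.read(info.filename))
    return out.getvalue()


def build_sample_bundle(version: str, include_session: bool) -> bytes:
    """Constructed sample bundle for offline testing; contents are made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("support_2021-01-13/plugins/active.txt",
                    f"support-core:{version}\nworkflow-api:2.41\n")
        user_md = "# About user\n\nAuthentication: (constructed placeholder)\n"
        if include_session:
            user_md += "Details: RemoteIpAddress: 10.0.0.5; SessionId: node0abcdef0123456789.node0\n"
        zf.writestr("support_2021-01-13/user.md", user_md)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_bundle("2.72", include_session=True)
    print(triage_bundle(sample))
    print(triage_bundle(strip_user_md(sample))["user_md_files"])
```

If the report shows an affected version and a session token, treat the session as compromised: have the user who created the bundle log out (invalidating the session) and upgrade to 2.72.1 before any further bundles are produced. Stripping user.md only removes the copy in that file; it does not revoke a session ID that has already been shared.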

Permalink: https://github.com/advisories/GHSA-92pg-8g57-hqpx
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS05MnBnLThnNTctaHFweM4AAnqH
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: almost 2 years ago
Updated: 5 months ago


CVSS Score: 3.1
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

Identifiers: GHSA-92pg-8g57-hqpx, CVE-2021-21621
References: Repository: https://github.com/jenkinsci/support-core-plugin
Blast Radius: 1.0

Affected Packages

maven:org.jenkins-ci.plugins:support-core
Affected Version Ranges: <= 2.72
Fixed in: 2.72.1