CVE-2021-21671 – org.jenkins-ci.main:jenkins-core

Package

Manager: maven
Name: org.jenkins-ci.main:jenkins-core
Vulnerable Version: >=2.292 <2.300 || >=0 <2.289.2

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00403 pctl0.60075

Details

Session fixation vulnerability in Jenkins Jenkins 2.299 and earlier, LTS 2.289.1 and earlier does not invalidate the previous session on login. This allows attackers to use social engineering techniques to gain administrator access to Jenkins. This vulnerability was introduced in Jenkins 2.266 and LTS 2.277.1. Jenkins 2.300, LTS 2.289.2 invalidates the previous session on login. In case of problems, administrators can choose a different implementation by setting the [Java system property `hudson.security.SecurityRealm.sessionFixationProtectionMode`](https://www.jenkins.io/doc/book/managing/system-properties/#hudson-security-securityrealm-sessionfixationprotectionmode) to `2`, or disable the fix entirely by setting that system property to `0`.

Metadata

Created: 2022-05-24T19:06:36Z
Modified: 2023-10-27T15:36:00Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-4wr9-2xc6-jmg5/GHSA-4wr9-2xc6-jmg5.json
CWE IDs: ["CWE-384"]
Alternative ID: GHSA-4wr9-2xc6-jmg5
Finding: F280
Auto approve: 1