CVE-2021-21621 – org.jenkins-ci.plugins:support-core

Package

Manager: maven
Name: org.jenkins-ci.plugins:support-core
Vulnerable Version: >=0 <2.72.1

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00089 pctl0.264

Details

Support bundles can include user session IDs in Jenkins Support Core Plugin Support Core Plugin 2.72 and earlier provides the serialized user authentication as part of the \"About user (basic authentication details only)\" information (`user.md`). In some configurations, this can include the session ID of the user creating the support bundle. Attackers with access to support bundle content and the Jenkins instance could use this information to impersonate the user who created the support bundle. Support Core Plugin 2.72.1 no longer provides the serialized user authentication as part of the \"About user (basic authentication details only)\" information. As a workaround, deselecting \"About user (basic authentication details only)\" before creating a support bundle will exclude the affected information from the bundle.

Metadata

Created: 2022-05-24T17:43:01Z
Modified: 2023-12-15T09:40:58Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-92pg-8g57-hqpx/GHSA-92pg-8g57-hqpx.json
CWE IDs: ["CWE-200"]
Alternative ID: GHSA-92pg-8g57-hqpx
Finding: F017
Auto approve: 1