CVE-2021-21671
Published: 2021-06-30
CVE-2021-21671: Jenkins 2.299 and earlier, LTS 2.289.1 and earlier does not invalidate the previous session on login.
Priority: P3 · 38 · high · 7.5 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 1.71% (74.4th percentile)
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jenkins | cas_plugin | — | — |
| jenkins | jenkins | >= 2.266 < 2.300 | 2.300 |
| jenkins | jenkins | >= 2.277.1 < 2.289.2 | 2.289.2 |
| jenkins | jenkins_core | — | — |
| jenkins | jenkins_lts | — | — |
| jenkins | jenkins_weekly | — | — |
| jenkins | selenium_html_report_plugin | — | — |
| jenkins_project | jenkins | >= 2.266 < unspecified | unspecified |
| jenkins_project | jenkins | >= LTS 2.277.1 < unspecified | unspecified |
| jenkins_project | jenkins | unspecified – 2.299 | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 5.1 | MEDIUM | AV:N/AC:H/Au:N/C:P/I:P/A:P |
| vendor_redhat | — | 7.5 | HIGH | — |
Jenkins
Jenkins Security Advisory 2021-06-30
vendor_jenkins·2021-06-30·CVSS 4.3
CVE-2021-21670 [MEDIUM] Jenkins Security Advisory 2021-06-30
This advisory announces vulnerabilities in the following Jenkins deliverables:
- Jenkins (core)
- CAS Plugin
- requests-plugin Plugin
- Selenium HTML report Plugin
Descriptions
Improper permission checks allow
Red Hat
jenkins: session fixation vulnerability
vendor_redhat·2021-06-30·CVSS 7.5
CVE-2021-21671 [HIGH] CWE-384 jenkins: session fixation vulnerability
Jenkins 2.299 and earlier, LTS 2.289.1 and earlier does not invalidate the previous session on login.
A session fixation vulnerability was found in Jenkins. The existing session is not invalidated during the login process, which allows an attacker to gain potentially additional access to Jenkins by using social engineering techniques against a target user.
Package: jenkins (Red Hat Fuse 7) - Not affected
Package: jenkins (Red Hat OpenShift Container Platform 3.11) - Will not fix
OSV
Session fixation vulnerability in Jenkins
osv·2022-05-24
CVE-2021-21671 [HIGH] Session fixation vulnerability in Jenkins
Jenkins 2.299 and earlier, LTS 2.289.1 and earlier does not invalidate the previous session on login. This allows attackers to use social engineering techniques to gain administrator access to Jenkins.
This vulnerability was introduced in Jenkins 2.266 and LTS 2.277.1.
Jenkins 2.300, LTS 2.289.2 invalidates the previous session on login.
In case of problems, administrators can choose a different implementation by setting the [Java system property `hudson.security.SecurityRealm.sessionFixationProtectionMode`](https://www.jenkins.io/doc/book/managing/system-properties/#hudson-security-securityrealm-sessionfixationprotectionmode) to `2`, or disable the fix entirely by setting that system property to `0`.
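The two version ranges above (weekly 2.266 through 2.299, LTS 2.277.1 through 2.289.1) and the `sessionFixationProtectionMode` system property are what an administrator needs to triage an inventory of controllers. The following script is an added example, not code from the Jenkins project or the advisory: it parses Jenkins version strings, decides whether a controller falls inside an affected range, and reports when a patched controller has the fix switched off via the system property. The `INVENTORY` list and the `assess` function are constructed for illustration; the version bounds come from the advisory text.

```python
"""
Triage helper for CVE-2021-21671 (Jenkins session fixation on login).

Affected (from the advisory):
  weekly  2.266 .. 2.299   fixed in 2.300
  LTS     2.277.1 .. 2.289.1   fixed in 2.289.2
"""
from __future__ import annotations

# Version bounds as tuples so Python's tuple comparison orders them correctly
# (string comparison would put "2.30" before "2.4").
WEEKLY_INTRODUCED = (2, 266)
WEEKLY_FIXED = (2, 300)
LTS_INTRODUCED = (2, 277, 1)
LTS_FIXED = (2, 289, 2)

# Property named in the advisory; "0" disables the fix, "2" selects the
# alternative implementation. Any other value, or the property being unset,
# leaves the fix active as shipped.
SESSION_FIXATION_PROPERTY = "hudson.security.SecurityRealm.sessionFixationProtectionMode"

STATUS_AFFECTED = "affected: upgrade to 2.300 / LTS 2.289.2 or later"
STATUS_FIX_DISABLED = "fixed version, but fix disabled by system property (mode 0)"
STATUS_ALT_IMPL = "fixed version, alternative implementation selected (mode 2)"
STATUS_FIXED = "fixed"


def parse_version(version: str) -> tuple[int, ...]:
    """Parse '2.289.1' -> (2, 289, 1). Weekly releases have two numeric
    components, LTS releases three; anything else is rejected rather than
    guessed at."""
    parts = version.strip().split(".")
    if len(parts) not in (2, 3) or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Jenkins version: {version!r}")
    return tuple(int(p) for p in parts)


def is_lts(v: tuple[int, ...]) -> bool:
    return len(v) == 3


def is_affected(version: str) -> bool:
    """True if the version lies in an affected range for this CVE."""
    v = parse_version(version)
    if is_lts(v):
        return LTS_INTRODUCED <= v < LTS_FIXED
    return WEEKLY_INTRODUCED <= v < WEEKLY_FIXED


def assess(version: str, system_properties: dict[str, str]) -> str:
    """Combine the version check with the advisory's system property.
    `system_properties` is the controller's -D properties as a dict
    (assumed to have been collected by the caller)."""
    if is_affected(version):
        return STATUS_AFFECTED
    mode = system_properties.get(SESSION_FIXATION_PROPERTY, "").strip()
    if mode == "0":
        return STATUS_FIX_DISABLED
    if mode == "2":
        return STATUS_ALT_IMPL
    return STATUS_FIXED


# Constructed sample inventory: (controller name, version, system properties).
INVENTORY = [
    ("ci-weekly-old", "2.298", {}),
    ("ci-weekly-new", "2.300", {}),
    ("ci-lts-old", "2.289.1", {}),
    ("ci-lts-new-disabled", "2.289.2", {SESSION_FIXATION_PROPERTY: "0"}),
    ("ci-lts-pre-2.266", "2.263.4", {}),
]


def triage(inventory=INVENTORY) -> dict[str, str]:
    """Return {controller name: status} for every entry in the inventory."""
    return {name: assess(version, props) for name, version, props in inventory}


if __name__ == "__main__":
    for name, status in triage().items():
        print(f"{name:22s} {status}")
```

Versions with suffixes (release candidates, vendor builds) raise `ValueError` rather than being silently classified, so an inventory scan surfaces them for manual review instead of marking them fixed.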
GHSA
Session fixation vulnerability in Jenkins
ghsa·2022-05-24
CVE-2021-21671 [HIGH] CWE-384 Session fixation vulnerability in Jenkins
The GHSA advisory text is identical to the OSV entry above.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2021-06-30