[JENKINS:SECURITY-2150] Support bundles can include user session IDs in `support-core`
Severity
Low
Affected Packages
2
Fixed Packages
2
CVEs
1
support-core 2.72 and earlier provides the serialized user authentication as part of the "About user (basic authentication details only)" information (user.md).
In some configurations, this can include the session ID of the user creating the support bundle.
Attackers with access to support bundle content and the Jenkins instance could use this information to impersonate the user who created the support bundle.
support-core 2.72.1 no longer provides the serialized user authentication as part of the "About user (basic authentication details only)" information.
As a workaround, deselecting "About user (basic authentication details only)" before creating a support bundle will exclude the affected information from the bundle.
| Package | Affected Version |
|---|---|
 pkg:maven/org.jenkins-ci.plugins/support-core
|
<= 2.72 |
 pkg:github/jenkinsci/support-core-plugin
|
<= 2.72 |
| Package | Fixed Version |
|---|---|
|
pkg:maven/org.jenkins-ci.plugins/support-core
|
= 2.72.1 |
|
pkg:github/jenkinsci/support-core-plugin
|
= 2.72.1 |
- ID
- JENKINS:SECURITY-2150
- Severity
- low
- Published
-
2021-02-24T00:00:00
(3 years ago) - Modified
-
2021-02-24T00:00:00
(3 years ago) - Rights
- Jenkins Security Team
- Other Advisories
MAVEN:GHSA-92PG-8G57-HQPX| Source | # ID | Name | URL |
|---|---|---|---|
| Plugin repository | support-core repository |
|
| Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
|---|---|---|---|---|---|---|---|
| Affected | pkg:maven/org.jenkins-ci.plugins/support-core | org.jenkins-ci.plugins |
support-core
|
<= 2.72 | |||
| Fixed | pkg:maven/org.jenkins-ci.plugins/support-core | org.jenkins-ci.plugins |
support-core
|
= 2.72.1 | |||
| Affected | pkg:github/jenkinsci/support-core-plugin | jenkinsci |
support-core-plugin
|
<= 2.72 | |||
| Fixed | pkg:github/jenkinsci/support-core-plugin | jenkinsci |
support-core-plugin
|
= 2.72.1 |
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | Exploits | PoC | Pubblication Date | Modification Date |
|---|---|---|---|---|---|---|---|---|---|---|---|
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | PoC | Pubblication Date | Modification Date |