[MAVEN:GHSA-4WR9-2XC6-JMG5] Session fixation vulnerability in Jenkins
Severity
High
Affected Packages
2
Fixed Packages
2
CVEs
1
Jenkins 2.299 and earlier, LTS 2.289.1 and earlier does not invalidate the previous session on login. This allows attackers to use social engineering techniques to gain administrator access to Jenkins.
This vulnerability was introduced in Jenkins 2.266 and LTS 2.277.1.
Jenkins 2.300, LTS 2.289.2 invalidates the previous session on login.
In case of problems, administrators can choose a different implementation by setting the Java system property hudson.security.SecurityRealm.sessionFixationProtectionMode to 2, or disable the fix entirely by setting that system property to 0.
| Package | Affected Version |
|---|---|
 pkg:maven/org.jenkins-ci.main/jenkins-core
|
<= 2.289.1 |
|
pkg:maven/org.jenkins-ci.main/jenkins-core
|
>= 2.292, <= 2.299 |
| Package | Fixed Version |
|---|---|
|
pkg:maven/org.jenkins-ci.main/jenkins-core
|
= 2.289.2 |
|
pkg:maven/org.jenkins-ci.main/jenkins-core
|
= 2.300 |
- ID
- MAVEN:GHSA-4WR9-2XC6-JMG5
- Severity
- high
- URL
- https://github.com/advisories/GHSA-4wr9-2xc6-jmg5
- Published
-
2022-05-24T19:06:36
(2 years ago) - Modified
-
2023-12-06T21:36:30
(9 months ago) - Rights
- Maven Security Team
- Other Advisories
ASA-202107-5
FREEBSD:9D271BAB-DA22-11EB-86F0-94C691A700A6
JENKINS:SECURITY-2371| Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
|---|---|---|---|---|---|---|---|
| Affected | pkg:maven/org.jenkins-ci.main/jenkins-core | org.jenkins-ci.main |
jenkins-core
|
<= 2.289.1 | |||
| Fixed | pkg:maven/org.jenkins-ci.main/jenkins-core | org.jenkins-ci.main |
jenkins-core
|
= 2.289.2 | |||
| Affected | pkg:maven/org.jenkins-ci.main/jenkins-core | org.jenkins-ci.main |
jenkins-core
|
>= 2.292 <= 2.299 | |||
| Fixed | pkg:maven/org.jenkins-ci.main/jenkins-core | org.jenkins-ci.main |
jenkins-core
|
= 2.300 |
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | Exploits | PoC | Pubblication Date | Modification Date |
|---|---|---|---|---|---|---|---|---|---|---|---|
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | PoC | Pubblication Date | Modification Date |