Description
Jenkins 2.299 and earlier, LTS 2.289.1 and earlier does not invalidate the previous session on login.
A session fixation vulnerability was found in Jenkins. The session that already exists when a user logs in is not invalidated, so the session identifier stays the same before and after authentication. An attacker who can plant a known session identifier in a target user's browser (for example through social engineering) can therefore potentially gain additional access to Jenkins once that user logs in.
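The following is an added example, not Jenkins source code and not part of the advisory. It models the flaw as a toy in-memory session store: a login handler that keeps the pre-authentication session (the CWE-384 behaviour described above) next to one that invalidates it and issues a fresh identifier, plus a small check that compares `Set-Cookie` headers captured before and after login to see whether the session identifier rotated. The cookie prefix `JSESSIONID`, the helper names, and the sample headers are all assumptions made for the example.

```python
"""Session fixation (CWE-384): why a pre-login session must be invalidated on login.

Added illustration; not Jenkins code. The session store, handler names and
sample Set-Cookie headers below are constructed for this example.
"""
import secrets


class SessionStore:
    """Minimal server-side session table: session id -> attributes."""

    def __init__(self):
        self.sessions = {}

    def new_session(self):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": None}
        return sid

    def get(self, sid):
        return self.sessions.get(sid)


def login_vulnerable(store, sid, user):
    """Fixation-prone login: keeps whatever session the client presented
    and only marks it as authenticated."""
    sess = store.get(sid)
    if sess is None:
        sid = store.new_session()
        sess = store.get(sid)
    sess["user"] = user
    return sid


def login_fixed(store, sid, user):
    """Hardened login: drops the pre-authentication session and binds the
    user to a freshly generated identifier."""
    store.sessions.pop(sid, None)
    new_sid = store.new_session()
    store.sessions[new_sid]["user"] = user
    return new_sid


def fixation_attack(login):
    """Simulate the attack: the attacker obtains an unauthenticated session id,
    plants it in the victim's browser, waits for the victim to log in, then
    uses the planted id. Returns the user the attacker ends up acting as."""
    store = SessionStore()
    planted = store.new_session()       # attacker's own, unauthenticated session
    login(store, planted, "alice")      # victim logs in while carrying the planted id
    sess = store.get(planted)           # attacker replays the id they planted
    return sess["user"] if sess else None


def session_cookie_value(set_cookie_header, name_prefix="JSESSIONID"):
    """Extract the session cookie value from one Set-Cookie header.
    Matches by prefix because servlet containers often suffix the cookie
    name (assumption for this example)."""
    first = set_cookie_header.split(";", 1)[0].strip()
    if "=" not in first:
        return None
    name, value = first.split("=", 1)
    return value if name.startswith(name_prefix) else None


def session_rotated(pre_login_headers, post_login_headers):
    """True only if the login response issued a session id that differs from
    every id seen before login. No Set-Cookie on login means the old session
    was kept, i.e. the fixation condition holds."""
    pre = {session_cookie_value(h) for h in pre_login_headers} - {None}
    post = {session_cookie_value(h) for h in post_login_headers} - {None}
    return bool(post) and not (pre & post)


# Constructed sample headers, as a tester might capture them with a proxy.
PRE_LOGIN = ["JSESSIONID.3b1a2c4d=node0abc.node0; Path=/; HttpOnly"]
POST_LOGIN_UNPATCHED = []   # login response re-used the existing session
POST_LOGIN_PATCHED = ["JSESSIONID.3b1a2c4d=node0xyz.node0; Path=/; HttpOnly"]


if __name__ == "__main__":
    print("vulnerable handler, attacker acts as:", fixation_attack(login_vulnerable))
    print("fixed handler, attacker acts as:", fixation_attack(login_fixed))
    print("unpatched capture rotated:", session_rotated(PRE_LOGIN, POST_LOGIN_UNPATCHED))
    print("patched capture rotated:", session_rotated(PRE_LOGIN, POST_LOGIN_PATCHED))
```

Against a live instance the same comparison applies: capture the session cookie on the first unauthenticated response, log in, and confirm the login response sets a different session cookie; if it does not, the pre-login identifier remains valid for the authenticated session.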
Affected packages
| Platform | Package | State | Advisory | Release date |
|---|---|---|---|---|
| Red Hat Fuse 7 | jenkins | Not affected | | |
| Red Hat OpenShift Container Platform 3.11 | jenkins | Will not fix | | |
| Red Hat OpenShift Container Platform 4.6 | jenkins | Fixed | RHBA-2021:3396 | 2021-09-08 |
| Red Hat OpenShift Container Platform 4.7 | jenkins | Fixed | RHBA-2021:3033 | 2021-08-17 |
| Red Hat OpenShift Container Platform 4.8 | jenkins | Fixed | RHSA-2021:3820 | 2021-10-19 |
Additional information
Severity: Moderate
Weakness: CWE-384 (Session Fixation)
Bug: https://bugzilla.redhat.com/show_bug.cgi?id=2007750 (jenkins: session fixation vulnerability)
EPSS: 0.00273 (percentile: 50%, low)
CVSS3: 7.5 (High)
Related vulnerabilities
nvd, CVSS3: 7.5, more than 4 years ago: Jenkins 2.299 and earlier, LTS 2.289.1 and earlier does not invalidate the previous session on login.
debian, CVSS3: 7.5, more than 4 years ago: Jenkins 2.299 and earlier, LTS 2.289.1 and earlier does not invalidate ...