Bug 2007750 (CVE-2021-21671)

Summary: CVE-2021-21671 jenkins: session fixation vulnerability
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: abenaiss, aileenc, aos-bugs, bmontgom, chazlett, drieden, eparis, ggaughan, gmalinko, janstey, jburrell, jochrist, jokerman, jwon, nstielau, pbhattac, pdelbell, sponnaga, vkumar
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: jenkins LTS 2.289.2, jenkins 2.300
Doc Type: If docs needed, set a value
Doc Text:
A session fixation vulnerability was found in Jenkins. The existing session is not invalidated during the login process, which allows an attacker to potentially gain additional access to Jenkins by using social engineering techniques against a target user.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-10-20 02:08:24 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1972354, 2008113, 2008114
Bug Blocks: 2007753

Description Guilherme de Almeida Suckevicz 2021-09-24 18:24:38 UTC
Jenkins 2.299 and earlier, LTS 2.289.1 and earlier do not invalidate the previous session on login.

References:
https://www.jenkins.io/security/advisory/2021-06-30/#SECURITY-2371
http://www.openwall.com/lists/oss-security/2021/06/30/1
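The defect described above (a pre-login session that stays valid, and becomes authenticated, after login) can be modelled with a small in-memory session store. This is an added illustration, not Jenkins code and not part of this report: the `SessionStore` class, its `rotate_on_login` switch and the `pre_auth_session_survives_login` check are all constructed here.

```python
import secrets


class SessionStore:
    """Minimal in-memory session store (constructed for illustration).

    rotate_on_login=False reproduces the vulnerable behaviour: the session
    that existed before authentication simply acquires the logged-in user.
    rotate_on_login=True is the fixed behaviour: the pre-authentication
    session is discarded and a fresh id is issued at login.
    """

    def __init__(self, rotate_on_login: bool):
        self.rotate_on_login = rotate_on_login
        self.sessions = {}  # session id -> attribute dict

    def new_session(self) -> str:
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": None}
        return sid

    def login(self, sid: str, user: str) -> str:
        """Authenticate `user` on session `sid`; return the id the client must use afterwards."""
        if sid not in self.sessions:
            sid = self.new_session()
        if self.rotate_on_login:
            # Fixed flow: invalidate the old session, carry attributes over to a new id.
            attrs = self.sessions.pop(sid)
            sid = self.new_session()
            self.sessions[sid].update(attrs)
        self.sessions[sid]["user"] = user
        return sid

    def whoami(self, sid: str):
        return self.sessions.get(sid, {}).get("user")


def pre_auth_session_survives_login(store: SessionStore) -> bool:
    """Defender's check: does a session id issued before login still carry the
    authenticated identity afterwards? True means the login flow is open to
    session fixation, because anyone who knew the pre-login id now holds an
    authenticated session."""
    pre_auth = store.new_session()
    store.login(pre_auth, "alice")
    return store.whoami(pre_auth) == "alice"
```

The same check applies to a real login handler: log in with a session cookie obtained before authentication and confirm that cookie no longer resolves to the logged-in user.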

Comment 1 Przemyslaw Roguski 2021-09-27 10:09:28 UTC
This vulnerability was introduced in Jenkins 2.266 and LTS 2.277.1.

Comment 4 errata-xmlrpc 2021-10-19 20:21:04 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.8

Via RHSA-2021:3820 https://access.redhat.com/errata/RHSA-2021:3820

Comment 5 Product Security DevOps Team 2021-10-20 02:08:24 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-21671