| Summary: | CVE-2021-21671 jenkins: session fixation vulnerability | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | abenaiss, aileenc, aos-bugs, bmontgom, chazlett, drieden, eparis, ggaughan, gmalinko, janstey, jburrell, jochrist, jokerman, jwon, nstielau, pbhattac, pdelbell, sponnaga, vkumar |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | jenkins LTS 2.289.2, jenkins 2.300 | Doc Type: | If docs needed, set a value |
| Doc Text: |
Session fixation vulnerability was found in Jenkins. The existing session on login process are not invalidated and this allows an attacker to gain potentially additional access on Jenkins by using social engineering attack techniques on a target user.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-10-20 02:08:24 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Bug Depends On: | 1972354, 2008113, 2008114 | ||
| Bug Blocks: | 2007753 | ||
|
Description
Guilherme de Almeida Suckevicz
2021-09-24 18:24:38 UTC
This vulnerability was introduced in Jenkins 2.266 and LTS 2.277.1. This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.8 Via RHSA-2021:3820 https://access.redhat.com/errata/RHSA-2021:3820 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-21671 |