Jenkins 2.299 and earlier, LTS 2.289.1 and earlier does not invalidate the previous session on login.
This vulnerability was introduced in Jenkins 2.266 and LTS 2.277.1.
This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 4.8
Via RHSA-2021:3820 https://access.redhat.com/errata/RHSA-2021:3820
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):