7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-21671

GHSA ID

GHSA-4wr9-2xc6-jmg5

EPSS Score

0.64327%

CWE

CWE-384

Published

5/24/2022

Updated

12/6/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-21671

CVE-2021-21671: Session fixation vulnerability in Jenkins

Jenkins 2.299 and earlier, LTS 2.289.1 and earlier does not invalidate the previous session on login. This allows attackers to use social engineering techniques to gain administrator access to Jenkins.

This vulnerability was introduced in Jenkins 2.266 and LTS 2.277.1.

Jenkins 2.300, LTS 2.289.2 invalidates the previous session on login.

In case of problems, administrators can choose a different implementation by setting the Java system property hudson.security.SecurityRealm.sessionFixationProtectionMode to 2, or disable the fix entirely by setting that system property to 0.

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-21671

GHSA ID

GHSA-4wr9-2xc6-jmg5

EPSS Score

0.64327%

CWE

CWE-384

Published

5/24/2022

Updated

12/6/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.jenkins-ci.main:jenkins-core	maven	>= 2.292, <= 2.299	2.300
org.jenkins-ci.main:jenkins-core	maven	<= 2.289.1	2.289.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from missing session invalidation during authentication. The commit diff shows the fix added session invalidation logic in AuthenticationProcessingFilter2.successfulAuthentication() when sessionFixationProtectionMode=2. The original code (before patch) lacked this critical security measure, making it possible to maintain a session across login events. The test case SecurityRealmSecurity2371Test explicitly verifies session ID changes post-login, confirming this was the vulnerable entry point.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

J*nkins *.*** *n* **rli*r, LTS *.***.* *n* **rli*r *o*s not inv*li**t* t** pr*vious s*ssion on lo*in. T*is *llows *tt**k*rs to us* so*i*l *n*in**rin* t***niqu*s to **in **ministr*tor ****ss to J*nkins. T*is vuln*r**ility w*s intro*u*** in J*nkins *.

Reasoning

T** vuln*r**ility st*ms *rom missin* s*ssion inv*li**tion *urin* *ut**nti**tion. T** *ommit *i** s*ows t** *ix ***** s*ssion inv*li**tion lo*i* in `*ut**nti**tionPro**ssin**ilt*r*.su***ss*ul*ut**nti**tion()` w**n s*ssion*ix*tionProt**tionMo**=*. T**

7.5

Basic Information

Concerned about an active attack path?

CVE-2021-21671: Session fixation vulnerability in Jenkins

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI