
CVE-2021-21671: Session fixation vulnerability in Jenkins

CVSS Score
7.5 (CVSS v3.1)

Basic Information

EPSS Score
0.64327%
Published
5/24/2022
Updated
12/6/2023
KEV Status
No
Technology
Java

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Package Name                     | Ecosystem | Vulnerable Versions | First Patched Version
org.jenkins-ci.main:jenkins-core | maven     | >= 2.292, <= 2.299  | 2.300
org.jenkins-ci.main:jenkins-core | maven     | <= 2.289.1          | 2.289.2

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from missing session invalidation during authentication. The commit diff shows that the fix added session invalidation logic in AuthenticationProcessingFilter2.successfulAuthentication() when sessionFixationProtectionMode=2. Before the patch, the session that existed before login stayed valid after login, so a session ID an attacker had fixed in the victim's browser became an authenticated session the moment the victim logged in. The test case SecurityRealmSecurity2371Test explicitly verifies that the session ID changes after login, confirming this was the vulnerable entry point.
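The two shapes of a successful-authentication hook, shown side by side as an added example (this is illustrative code written for this page, not Jenkins' AuthenticationProcessingFilter2 or any other code from the project). It uses the javax.servlet API that Jenkins of this era runs on; the class name, the PRINCIPAL_ATTR attribute name and the two method names are assumptions chosen for the illustration. The vulnerable shape writes the authenticated principal into whatever session the browser already had; the hardened shape invalidates that session first, so the container issues a fresh ID that the attacker never saw, and carries over only non-authentication state.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Illustrative only: not Jenkins' code. Shows the vulnerable shape (keep the
 * pre-login session) next to the hardened shape (invalidate it and start a
 * fresh one) inside a hypothetical successfulAuthentication hook.
 */
public final class SessionFixationExample {

    /** Session attribute that marks the logged-in principal. Hypothetical name. */
    static final String PRINCIPAL_ATTR = "example.principal";

    /**
     * Vulnerable: the session ID the browser presented before login survives
     * login. If an attacker planted that ID (session fixation), the attacker
     * now shares an authenticated session with the victim.
     */
    static HttpSession vulnerableSuccessfulAuthentication(HttpServletRequest req, String principal) {
        HttpSession session = req.getSession(true);
        session.setAttribute(PRINCIPAL_ATTR, principal);
        return session;
    }

    /**
     * Hardened: rotate the session on login. Benign pre-login state (for
     * example a post-login redirect target) is copied across; the old session,
     * and with it the attacker-known ID, is invalidated before the principal
     * is stored in the newly created session.
     */
    static HttpSession hardenedSuccessfulAuthentication(HttpServletRequest req, String principal) {
        HttpSession old = req.getSession(false);
        Map<String, Object> carryOver = new HashMap<>();
        if (old != null) {
            // Read attributes before invalidate(): afterwards the old session
            // throws IllegalStateException on every accessor.
            Enumeration<String> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = names.nextElement();
                if (!PRINCIPAL_ATTR.equals(name)) {
                    carryOver.put(name, old.getAttribute(name));
                }
            }
            old.invalidate();
        }
        // getSession(true) after invalidate() makes the container create a new
        // session with a new ID and emit a new JSESSIONID Set-Cookie.
        HttpSession fresh = req.getSession(true);
        carryOver.forEach(fresh::setAttribute);
        fresh.setAttribute(PRINCIPAL_ATTR, principal);
        return fresh;
    }
}
```

The order matters: attributes are read out first, the old session is invalidated, and only then is the principal written into the replacement session. Writing the principal before rotating, or copying it across with the other attributes, would recreate the vulnerable behaviour under a different session ID.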


WAF Protection Rules

WAF Rule

Jenkins 2.299 and earlier, LTS 2.289.1 and earlier does not invalidate the previous session on login. This allows attackers to use social engineering techniques to gain administrator access to Jenkins. This vulnerability was introduced in Jenkins 2.
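A practitioner-side check for the behaviour described above, added here as an example and not taken from Jenkins or from this page: it obtains an anonymous session, logs in with the JDK's built-in HttpClient, and reports whether the session cookie value changed across the login. The login endpoint (`j_spring_security_check`) and form fields (`j_username`, `j_password`, `from`) are those of the standard Jenkins login form; the base URL, user name and password are placeholders taken from the command line; Jenkins names its session cookie `JSESSIONID.<suffix>`, hence the prefix match. Run it against a test instance you are authorised to probe.

```java
import java.net.CookieManager;
import java.net.CookiePolicy;
import java.net.HttpCookie;
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.util.Optional;

/**
 * Reports whether a Jenkins instance rotates its session cookie on login.
 * Illustrative only; base URL and credentials are placeholders.
 * Usage: java SessionRotationCheck.java http://jenkins.example/ user password
 */
public final class SessionRotationCheck {

    /** Current value of the Jenkins session cookie (name starts with JSESSIONID). */
    static Optional<String> sessionCookie(CookieManager jar, URI base) {
        return jar.getCookieStore().get(base).stream()
                .filter(c -> c.getName().startsWith("JSESSIONID"))
                .map(HttpCookie::getValue)
                .findFirst();
    }

    public static void main(String[] args) throws Exception {
        // Base URL must end with "/" so that resolve() appends rather than replaces.
        URI base = URI.create(args.length > 0 ? args[0] : "http://localhost:8080/");
        String user = args.length > 1 ? args[1] : "user";
        String pass = args.length > 2 ? args[2] : "password";

        CookieManager jar = new CookieManager(null, CookiePolicy.ACCEPT_ALL);
        HttpClient client = HttpClient.newBuilder()
                .cookieHandler(jar)
                .followRedirects(HttpClient.Redirect.NEVER) // keep the 302 from the login POST
                .build();

        // 1. Anonymous request: collect the pre-login session cookie, if any.
        client.send(HttpRequest.newBuilder(base.resolve("login")).GET().build(),
                HttpResponse.BodyHandlers.discarding());
        Optional<String> before = sessionCookie(jar, base);

        // 2. Submit the login form.
        String form = "j_username=" + URLEncoder.encode(user, StandardCharsets.UTF_8)
                + "&j_password=" + URLEncoder.encode(pass, StandardCharsets.UTF_8)
                + "&from=%2F";
        HttpResponse<Void> login = client.send(
                HttpRequest.newBuilder(base.resolve("j_spring_security_check"))
                        .header("Content-Type", "application/x-www-form-urlencoded")
                        .POST(HttpRequest.BodyPublishers.ofString(form))
                        .build(),
                HttpResponse.BodyHandlers.discarding());
        Optional<String> after = sessionCookie(jar, base);

        System.out.println("login status  : " + login.statusCode());
        System.out.println("session before: " + before.orElse("<none>"));
        System.out.println("session after : " + after.orElse("<none>"));

        if (before.isEmpty() || after.isEmpty()) {
            System.out.println("RESULT: inconclusive, no session cookie on one side of the login");
        } else if (before.get().equals(after.get())) {
            System.out.println("RESULT: session ID unchanged across login (consistent with CVE-2021-21671)");
        } else {
            System.out.println("RESULT: session ID rotated on login");
        }
    }
}
```

Treat a 302 from the login POST as the normal success path; a 200 or 401 usually means the credentials were rejected, in which case the comparison says nothing about fixation. The check is only meaningful when a session cookie was issued before login, which is why the inconclusive branch exists.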
