{"containers": {"cna": {"affected": [{"product": "Jenkins", "vendor": "Jenkins project", "versions": [{"lessThan": "unspecified", "status": "affected", "version": "2.266", "versionType": "custom"}, {"lessThan": "unspecified", "status": "affected", "version": "LTS 2.277.1", "versionType": "custom"}, {"lessThanOrEqual": "2.299", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThanOrEqual": "LTS 2.289.1", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Jenkins 2.299 and earlier, LTS 2.289.1 and earlier does not invalidate the previous session on login."}], "providerMetadata": {"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins", "dateUpdated": "2023-10-24T15:51:39.613Z"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.jenkins.io/security/advisory/2021-06-30/#SECURITY-2371"}, {"name": "[oss-security] 20210630 Multiple vulnerabilities in Jenkins and Jenkins plugins", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2021/06/30/1"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "jenkinsci-cert@googlegroups.com", "ID": "CVE-2021-21671", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Jenkins", "version": {"version_data": [{"version_affected": ">=", "version_value": "2.266"}, {"version_affected": ">=", "version_value": "LTS 2.277.1"}, {"version_affected": "<=", "version_value": "2.299"}, {"version_affected": "<=", "version_value": "LTS 2.289.1"}]}}]}, "vendor_name": "Jenkins project"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Jenkins 2.299 and earlier, LTS 2.289.1 and earlier does not invalidate the previous session on login."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-384: Session Fixation"}]}]}, "references": {"reference_data": [{"name": "https://www.jenkins.io/security/advisory/2021-06-30/#SECURITY-2371", "refsource": "CONFIRM", "url": "https://www.jenkins.io/security/advisory/2021-06-30/#SECURITY-2371"}, {"name": "[oss-security] 20210630 Multiple vulnerabilities in Jenkins and Jenkins plugins", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2021/06/30/1"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T18:23:27.410Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.jenkins.io/security/advisory/2021-06-30/#SECURITY-2371"}, {"name": "[oss-security] 20210630 Multiple vulnerabilities in Jenkins and Jenkins plugins", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2021/06/30/1"}]}]}, "cveMetadata": {"assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "assignerShortName": "jenkins", "cveId": "CVE-2021-21671", "datePublished": "2021-06-30T16:45:17", "dateReserved": "2021-01-04T00:00:00", "dateUpdated": "2024-08-03T18:23:27.410Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jenkins:jenkins:*:*:*:*:-:*:*:*", "matchCriteriaId": "8D9CE6EE-338A-4D59-A6C6-76E714522572", "versionEndExcluding": "2.300", "versionStartIncluding": "2.266", "vulnerable": true}, {"criteria": "cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*", "matchCriteriaId": "17720296-D50E-4F54-8A35-613F40AC546A", "versionEndExcluding": "2.289.2", "versionStartIncluding": "2.277.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Jenkins 2.299 and earlier, LTS 2.289.1 and earlier does not invalidate the previous session on login."}, {"lang": "es", "value": "Jenkins versiones 2.299 y anteriores, versiones LTS 2.289.1 y anteriores no invalidan la sesi\u00f3n anterior al iniciar sesi\u00f3n"}], "id": "CVE-2021-21671", "lastModified": "2024-11-21T05:48:48.243", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 4.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-06-30T17:15:08.987", "references": [{"source": "jenkinsci-cert@googlegroups.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2021/06/30/1"}, {"source": "jenkinsci-cert@googlegroups.com", "tags": ["Vendor Advisory"], "url": "https://www.jenkins.io/security/advisory/2021-06-30/#SECURITY-2371"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2021/06/30/1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.jenkins.io/security/advisory/2021-06-30/#SECURITY-2371"}], "sourceIdentifier": "jenkinsci-cert@googlegroups.com", "vulnStatus": "Modified"}

{"affected_release": [{"advisory": "RHBA-2021:3396", "cpe": "cpe:/a:redhat:openshift:4.6::el8", "package": "jenkins-0:2.289.2.1629437819-1.el8", "product_name": "Red Hat OpenShift Container Platform 4.6", "release_date": "2021-09-08T00:00:00Z"}, {"advisory": "RHBA-2021:3033", "cpe": "cpe:/a:redhat:openshift:4.7::el8", "package": "jenkins-0:2.289.2.1628252553-1.el8", "product_name": "Red Hat OpenShift Container Platform 4.7", "release_date": "2021-08-17T00:00:00Z"}, {"advisory": "RHSA-2021:3820", "cpe": "cpe:/a:redhat:openshift:4.8::el8", "package": "jenkins-0:2.289.3.1633554819-1.el8", "product_name": "Red Hat OpenShift Container Platform 4.8", "release_date": "2021-10-19T00:00:00Z"}], "bugzilla": {"description": "jenkins: session fixation vulnerability", "id": "2007750", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2007750"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-384", "details": ["Jenkins 2.299 and earlier, LTS 2.289.1 and earlier does not invalidate the previous session on login.", "Session fixation vulnerability was found in Jenkins. The existing session on login process are not invalidated and this allows an attacker to gain potentially additional access on Jenkins by using social engineering attack techniques on a target user."], "name": "CVE-2021-21671", "package_state": [{"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Not affected", "package_name": "jenkins", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Will not fix", "package_name": "jenkins", "product_name": "Red Hat OpenShift Container Platform 3.11"}], "public_date": "2021-06-30T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-21671\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-21671\nhttps://www.jenkins.io/security/advisory/2021-06-30/#SECURITY-2371"], "threat_severity": "Moderate"}