Jenkins 2.299 and earlier, LTS 2.289.1 and earlier does not invalidate the previous session on login.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:3820 advisory.

  - jenkins: improper permission checks allow canceling queue items and aborting builds (CVE-2021-21670)

  - jenkins: session fixation vulnerability (CVE-2021-21671)

  - golang: net: lookup functions may return invalid host names (CVE-2021-33195)

  - golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty (CVE-2021-33197)

  - golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large     exponents (CVE-2021-33198)

  - golang: crypto/tls: certificate of wrong type is causing TLS client to panic (CVE-2021-34558)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Jenkins Enterprise or Jenkins Operations Center running on the remote web server is 2.x prior to 2.289.2.2, 2.249.x prior to 2.249.31.0.6, or 2.277.x prior to 2.277.40.0.1. It is, therefore, affected by multiple vulnerabilities:

  - Vulnerable versions of Jenkins allow users to cancel queue items and abort builds of jobs for which they     have Item/Cancel permission even when they do not have Item/Read permission. (CVE-2021-21670)

  - Vulnerable versions of Jenkins do not invalidate the previous session on login and is, therefore,     vulnerable to session fixation attacks. (CVE-2021-21671)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Jenkins Security Advisory : Description(Medium) SECURITY-2278 / CVE-2021-21670 Improper permission checks allow canceling queue items and aborting builds (High) SECURITY-2371 / CVE-2021-21671 Session fixation vulnerability

According to its its self-reported version number, the version of Jenkins running on the remote web server is Jenkins LTS prior to 2.289.2 or Jenkins weekly prior to 2.300. It is, therefore, affected by multiple vulnerabilities:

  - Jenkins 2.299 and earlier, LTS 2.289.1 and earlier allows users to cancel queue items and abort builds of     jobs for which they have Item/Cancel permission even when they do not have Item/Read permission. Jenkins     2.300, LTS 2.289.2 requires that users have Item/Read permission for applicable types in addition to     Item/Cancel permission. As a workaround on earlier versions of Jenkins, do not grant Item/Cancel     permission to users who do not have Item/Read permission. (CVE-2021-21670)

  - Jenkins 2.299 and earlier, LTS 2.289.1 and earlier does not invalidate the existing session on login. This     allows attackers to use social engineering techniques to gain administrator access to Jenkins. This     vulnerability was introduced in Jenkins 2.266 and LTS 2.277.1. Jenkins 2.300, LTS 2.289.2 invalidates the     existing session on login. Note In case of problems, administrators can choose a different implementation     by setting the Java system property hudson.security.SecurityRealm.sessionFixationProtectionMode to 2, or     disable the fix entirely by setting that system property to 0. (CVE-2021-21671)

  - Selenium HTML report Plugin 1.0 and earlier does not configure its XML parser to prevent XML external     entity (XXE) attacks. This allows attackers with the ability to control the report files parsed using this     plugin to have Jenkins parse a crafted report file that uses external entities for extraction of secrets     from the Jenkins controller or server-side request forgery. Selenium HTML report Plugin 1.1 disables     external entity resolution for its XML parser. (CVE-2021-21672)

  - CAS Plugin 1.6.0 and earlier improperly determines that a redirect URL after login is legitimately     pointing to Jenkins. This allows attackers to perform phishing attacks by having users go to a Jenkins URL     that will forward them to a different site after successful authentication. CAS Plugin 1.6.1 only     redirects to relative (Jenkins) URLs. (CVE-2021-21673)

  - requests-plugin Plugin 2.2.6 and earlier does not perform a permission check in an HTTP endpoint. This     allows attackers with Overall/Read permission to view the list of pending requests. requests-plugin Plugin     2.2.7 requires Overall/Read permission to view the list of pending requests. (CVE-2021-21674)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
154293	RHEL 8 : OpenShift Container Platform 4.8.15 packages and (RHSA-2021:3820)	Nessus	Red Hat Local Security Checks	high
153977	Jenkins Enterprise and Operations Center < 2.249.31.0.6 / 2.277.40.0.1 / 2.289.2.2 Multiple Vulnerabilities (CloudBees Security Advisory 2021-06-30)	Nessus	CGI abuses	high
151346	FreeBSD : jenkins -- multiple vulnerabilities (9d271bab-da22-11eb-86f0-94c691a700a6)	Nessus	FreeBSD Local Security Checks	high
151193	Jenkins LTS < 2.289.2 / Jenkins weekly < 2.300 Multiple Vulnerabilities	Nessus	CGI abuses	high

Detections

Analytics

CVE-2021-21671

high

Tenable Plugins

high

high

high

high