{
  "threat_severity" : "Moderate",
  "public_date" : "2021-06-30T00:00:00Z",
  "bugzilla" : {
    "description" : "jenkins: session fixation vulnerability",
    "id" : "2007750",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2007750"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-384",
  "details" : [ "Jenkins 2.299 and earlier, and LTS 2.289.1 and earlier, do not invalidate the previous session on login.", "A session fixation vulnerability (CWE-384) was found in Jenkins. The session that exists before login is not invalidated when the user authenticates, so an attacker who can cause a target user to authenticate with a session identifier the attacker already knows (for example, via social engineering) retains that session after login and can potentially gain the target user's access on Jenkins." ],
  "affected_release" : [ {
    "product_name" : "Red Hat OpenShift Container Platform 4.6",
    "release_date" : "2021-09-08T00:00:00Z",
    "advisory" : "RHBA-2021:3396",
    "cpe" : "cpe:/a:redhat:openshift:4.6::el8",
    "package" : "jenkins-0:2.289.2.1629437819-1.el8"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.7",
    "release_date" : "2021-08-17T00:00:00Z",
    "advisory" : "RHBA-2021:3033",
    "cpe" : "cpe:/a:redhat:openshift:4.7::el8",
    "package" : "jenkins-0:2.289.2.1628252553-1.el8"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.8",
    "release_date" : "2021-10-19T00:00:00Z",
    "advisory" : "RHSA-2021:3820",
    "cpe" : "cpe:/a:redhat:openshift:4.8::el8",
    "package" : "jenkins-0:2.289.3.1633554819-1.el8"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Fuse 7",
    "fix_state" : "Not affected",
    "package_name" : "jenkins",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "fix_state" : "Will not fix",
    "package_name" : "jenkins",
    "cpe" : "cpe:/a:redhat:openshift:3.11"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-21671\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-21671\nhttps://www.jenkins.io/security/advisory/2021-06-30/#SECURITY-2371" ],
  "name" : "CVE-2021-21671",
  "csaw" : false
}