CVE-2021-21621

Name of the Vulnerable Software and Affected Versions Jenkins Support Core Plugin versions 2.72 and earlier

Description The issue concerns the provision of serialized user authentication as part of the "About user (basic authentication details only)" information, which can include the session ID of the user creating the support bundle in some configurations. Attackers with access to support bundle content and the Jenkins instance could use this information to impersonate the user who created the support bundle.

Recommendations For Jenkins Support Core Plugin versions 2.72 and earlier, update to version 2.72.1 or later, which no longer provides the serialized user authentication as part of the "About user (basic authentication details only)" information. As a temporary workaround for versions 2.72 and earlier, deselect the "About user (basic authentication details only)" option before creating a support bundle to exclude the affected information from the bundle.