PT-2021-14714 · Jenkins · Jenkins

Published: 2021-06-30 · Updated: 2024-03-06 · CVE-2021-21671

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Jenkins versions 2.299 and earlier
Jenkins LTS versions 2.289.1 and earlier

Description

The issue arises because Jenkins does not invalidate the previous session on login: a session identifier issued to a user before authentication stays valid after that user logs in. This lets attackers who can get a victim to use a known session identifier, for example through social engineering, potentially gain administrator access. This vulnerability was introduced in Jenkins 2.266 and LTS 2.277.1.

Recommendations

For Jenkins versions 2.299 and earlier, update to version 2.300 or later, which invalidates the previous session on login.
For Jenkins LTS versions 2.289.1 and earlier, update to version 2.289.2 or later, which invalidates the previous session on login.
As a temporary workaround, consider setting the Java system property hudson.security.SecurityRealm.sessionFixationProtectionMode to 2 to choose a different implementation. Setting it to 0 disables the fix entirely; this is not recommended, as it may introduce security risks.
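The following regression check is an added example (not Jenkins project code) that a defender can run against a test instance after patching: it records the session cookie Jenkins issues to an anonymous visitor, logs in, and verifies that the session identifier changed. It assumes password-based form login via the standard /j_spring_security_check endpoint (fields j_username and j_password) and a session cookie named JSESSIONID, which Jenkins may suffix with a hash (JSESSIONID.<hash>).

```python
"""Regression check for CVE-2021-21671: does Jenkins rotate its session on login?

Added example, not Jenkins project code. Assumes form login at
/j_spring_security_check (fields j_username / j_password) and a session
cookie named JSESSIONID, optionally suffixed (JSESSIONID.<hash>).
"""
import sys
import urllib.parse
import urllib.request
from http.cookiejar import CookieJar


def session_id(cookies, name="JSESSIONID"):
    """Return the Jenkins session cookie value from a {name: value} mapping.

    Jenkins may suffix the cookie name with a hash (JSESSIONID.<hash>) so
    several instances on one host do not collide, so match the prefix too.
    """
    for cookie_name, value in cookies.items():
        if cookie_name == name or cookie_name.startswith(name + "."):
            return value
    return None


def session_rotated(pre_login_id, post_login_id):
    """True only if a pre-login session existed and login replaced it.

    A missing cookie on either side proves nothing, so it is reported as
    not rotated (a failed check) rather than as a pass.
    """
    if not pre_login_id or not post_login_id:
        return False
    return pre_login_id != post_login_id


def check_jenkins(base_url, username, password):
    """Visit /login anonymously, then authenticate; return (rotated, pre, post)."""
    jar = CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    root = base_url.rstrip("/")
    opener.open(root + "/login")  # anonymous visit: Jenkins issues a session cookie
    pre_id = session_id({c.name: c.value for c in jar})
    form = urllib.parse.urlencode(
        {"j_username": username, "j_password": password, "from": "/"}).encode()
    opener.open(root + "/j_spring_security_check", data=form)
    post_id = session_id({c.name: c.value for c in jar})  # jar keeps the newest value
    return session_rotated(pre_id, post_id), pre_id, post_id


if __name__ == "__main__":
    rotated, before, after = check_jenkins(sys.argv[1], sys.argv[2], sys.argv[3])
    print("session rotated on login:", rotated, "(before=%s after=%s)" % (before, after))
```

A result of False on a patched instance means either the fix is not active (check the sessionFixationProtectionMode property) or the login itself failed, so confirm the credentials before treating it as a regression.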

Fix

Weakness Enumeration

Session Fixation (CWE-384)

Related Identifiers

BIT-JENKINS-2021-21671
CVE-2021-21671
GHSA-4WR9-2XC6-JMG5
RHSA-2021:3820

Affected Products

Jenkins