Description

Jenkins Support Core Plugin 2.72 and earlier provides the serialized user authentication as part of the "About user (basic authentication details only)" information, which can include the session ID of the user creating the support bundle in some configurations.

Remediation

References

https://www.jenkins.io/security/advisory/2021-02-24/#SECURITY-2150

Related Vulnerabilities

CVE-2020-17530 Vulnerability in maven package org.apache.struts:struts2-core

CVE-2018-11804 Vulnerability in maven package org.apache.spark:spark-core_2.11

CVE-2013-7398 Vulnerability in maven package com.ning:async-http-client

CVE-2019-12421 Vulnerability in maven package org.apache.nifi:nifi-web-ui

CVE-2011-1184 Vulnerability in maven package org.apache.tomcat:catalina

Severity

Medium

Classification

CWE-200 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Tags

Vendor Advisory