CVE-2021-21621

描述

Support Core Plugin 2.72 and earlier provides the serialized user authentication as part of the \"About user (basic authentication details only)\" information (`user.md`). In some configurations, this can include the session ID of the user creating the support bundle. Attackers with access to support bundle content and the Jenkins instance could use this information to impersonate the user who created the support bundle. Support Core Plugin 2.72.1 no longer provides the serialized user authentication as part of the \"About user (basic authentication details only)\" information. As a workaround, deselecting \"About user (basic authentication details only)\" before creating a support bundle will exclude the affected information from the bundle.

受影響套件(1)

• Maven/org.jenkins-ci.plugins:support-corefrom 0, < 2.72.1

CVSS 分數

參考連結(4)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2021-21621
• PATCHhttps://github.com/jenkinsci/support-core-plugin
• WEBhttps://github.com/jenkinsci/support-core-plugin/commit/9af9efae6e9ed408ca89ff9b5f1b7a74da0a131f
• WEBhttps://www.jenkins.io/security/advisory/2021-02-24/#SECURITY-2150