CVE-2021-21671
📋 TL;DR
Jenkins 2.299 and earlier, including LTS 2.289.1 and earlier, fails to invalidate previous user sessions upon login. This allows attackers who have obtained a valid session cookie to maintain access even after the legitimate user changes their password or logs out. All Jenkins instances running affected versions are vulnerable.
💻 Affected Systems
- Jenkins
📦 What is this software?
Jenkins by Jenkins
⚠️ Risk & Real-World Impact
Worst Case
An attacker with stolen session cookies maintains persistent unauthorized access to Jenkins, potentially leading to complete system compromise, data theft, or malicious code execution.
Likely Case
Attackers maintain access to Jenkins after legitimate users log out or change passwords, enabling privilege escalation, configuration changes, or pipeline manipulation.
If Mitigated
With proper session management controls and monitoring, impact is limited to temporary unauthorized access until sessions naturally expire.
🎯 Exploit Status
Exploitation requires obtaining valid session cookies through other means (XSS, MITM, credential theft).
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Jenkins 2.300, LTS 2.289.2
Vendor Advisory: https://www.jenkins.io/security/advisory/2021-06-30/#SECURITY-2371
Restart Required: Yes
Instructions:
1. Back up Jenkins configuration and data.
2. Upgrade to Jenkins 2.300 or later, or LTS 2.289.2 or later.
3. Restart the Jenkins service.
4. Verify that the upgrade completed successfully.
🔧 Temporary Workarounds
Manual Session Invalidation
Manually invalidate all existing sessions by restarting Jenkins, and configure shorter session timeouts so that any lingering sessions expire sooner.
sudo systemctl restart jenkins
Configure session timeout in Jenkins security settings
🧯 If You Can't Patch
- Implement strict network segmentation and limit Jenkins access to trusted networks only.
- Deploy web application firewall (WAF) rules to detect and block session fixation attempts.
🔍 How to Verify
Check if Vulnerable:
Check Jenkins version via Manage Jenkins > About Jenkins or via CLI with 'java -jar jenkins.war --version'.
Check Version:
java -jar jenkins.war --version
Verify Fix Applied:
Verify version is 2.300+ or LTS 2.289.2+ and test that new login invalidates previous sessions.
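A small script to run the "new login invalidates previous sessions" check against your own instance, written for this page and not part of Jenkins. It assumes the standard Jenkins form-login endpoint `/j_spring_security_check` with `j_username`/`j_password` fields, and a session cookie whose name starts with `JSESSIONID` (Jenkins typically appends a suffix such as `JSESSIONID.1a2b3c4d`).

```python
"""Check whether a Jenkins instance rotates its session id on login.

Added example for this advisory, not Jenkins project code. Assumes the
/j_spring_security_check form login (j_username / j_password) and a
session cookie named JSESSIONID* (Jenkins usually adds a suffix).
"""
import http.cookiejar
import urllib.parse
import urllib.request


def session_ids(cookies):
    """Return {name: value} for every JSESSIONID* cookie in a mapping."""
    return {k: v for k, v in cookies.items() if k.startswith("JSESSIONID")}


def session_rotated(before, after):
    """True if no pre-login session id survives into the post-login state.

    A fixed Jenkins (2.300+, LTS 2.289.2+) issues a fresh id on login, so
    every pre-login id is replaced. An unfixed one keeps the same id, which
    is the SECURITY-2371 weakness. Returns False if there is nothing to
    compare, so an absent cookie is never reported as a pass.
    """
    pre, post = session_ids(before), session_ids(after)
    if not pre or not post:
        return False
    return all(post.get(name) != value for name, value in pre.items())


def check_jenkins(base_url, username, password):
    """Fetch an anonymous session, log in, and report whether the id changed."""
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    base = base_url.rstrip("/")
    opener.open(base + "/login")  # pre-login (anonymous) session cookie
    before = {c.name: c.value for c in jar}
    form = urllib.parse.urlencode(
        {"j_username": username, "j_password": password}).encode()
    opener.open(base + "/j_spring_security_check", data=form)
    after = {c.name: c.value for c in jar}  # jar keeps the newest value per name
    return session_rotated(before, after)


if __name__ == "__main__":
    import sys
    url, user, pw = sys.argv[1:4]
    print("session id rotated on login:", check_jenkins(url, user, pw))
```

Run it with valid credentials for a test account; a failed login is redirected to the error page and tells you nothing about rotation.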
📡 Detection & Monitoring
Log Indicators:
- Multiple concurrent sessions from same user
- Session IDs not changing after login
Network Indicators:
- Unusual session duration patterns
- Multiple authentication requests without session invalidation
SIEM Query:
source="jenkins.log" AND "Session" AND "not invalidated"