QID 730125

Jenkins is an open-source automation server written in Java. Jenkins helps to automate the non-human part of the software development process, with continuous integration and facilitating technical aspects of continuous delivery.

CVE-2021-21670: Jenkins 2.299 and earlier, LTS 2.289.1 and earlier allows users to cancel queue items and abort builds of jobs for which they have Item/Cancel permission even when they do not have Item/Read permission.
CVE-2021-21671: Jenkins 2.299 and earlier, LTS 2.289.1 and earlier does not invalidate the existing session on login. This allows attackers to use social engineering techniques to gain administrator access to Jenkins.

Affected Versions:
Jenkins weekly up to and including 2.299
Jenkins LTS up to and including 2.289.1

Fixed Versions:
Jenkins weekly should be updated to version 2.300
Jenkins LTS should be updated to version 2.289.2

QID Detection Logic(Unauthenticated):
This QID checks for vulnerable version by sending a crafted GET request to Jenkins. This QID also detects the vulnerable version from login page or HTTP header.

Successful exploitation of these vulnerabilities may allow an attacker to takeover users account using session fixation vulnerability.