Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-61738

Session hijacking protection hardening

    XMLWordPrintable

Details

    • Improvement
    • Status: Resolved (View Workflow)
    • Minor
    • Resolution: Fixed
    • core
    • None
    • Jenkins 2.234

    Description

      After the recent SECURITY-1774 published in https://jenkins.io/security/advisory/2020-03-25/, we are preventing the usage of semicolon in URL. In Jenkins they could potentially have a legitimate (but not really recommended) usage when included in item names.

      If you need to activate the escape hatch "jenkins.security.SuspiciousRequestFilter.allowSemicolonsInPath", and you are using a SecurityRealm that does not invalidate the session after authentication, you are vulnerable to a session hijacking attack. Of course, the SecurityRealm issue has to be reported as a vulnerability and then corrected.

      The problem is that you can trigger a URL in Jenkins with ";jsessionid=xxx" (only "available" in Tomcat).

      This ticket is about adding a "second" level of protection there (think defense in depth) by forcing the session to be tracked as a cookie (from default which is cookie+url).

      Attachments

        Issue Links

          Activity

            There are no comments yet on this issue.

            People

              wfollonier Wadeck Follonier
              wfollonier Wadeck Follonier
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: