Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-61738

Session hijacking protection hardening


    • Icon: Improvement Improvement
    • Resolution: Fixed
    • Icon: Minor Minor
    • core
    • None
    • Jenkins 2.234

      After the recent SECURITY-1774 published in https://jenkins.io/security/advisory/2020-03-25/, we are preventing the usage of semicolon in URL. In Jenkins they could potentially have a legitimate (but not really recommended) usage when included in item names.

      If you need to activate the escape hatch "jenkins.security.SuspiciousRequestFilter.allowSemicolonsInPath", and you are using a SecurityRealm that does not invalidate the session after authentication, you are vulnerable to a session hijacking attack. Of course, the SecurityRealm issue has to be reported as a vulnerability and then corrected.

      The problem is that you can trigger a URL in Jenkins with ";jsessionid=xxx" (only "available" in Tomcat).

      This ticket is about adding a "second" level of protection there (think defense in depth) by forcing the session to be tracked as a cookie (from default which is cookie+url).

            wfollonier Wadeck Follonier
            wfollonier Wadeck Follonier
            0 Vote for this issue
            1 Start watching this issue