• Type: Improvement
    • Resolution: Fixed
    • Priority: Minor
    • Component: core
    • None
    • Released As: Jenkins 2.234

      After the recent SECURITY-1774 published in https://jenkins.io/security/advisory/2020-03-25/, we are preventing the usage of semicolons in URLs. In Jenkins they could potentially have a legitimate (but not really recommended) use when included in item names.

      If you need to activate the escape hatch "jenkins.security.SuspiciousRequestFilter.allowSemicolonsInPath", and you are using a SecurityRealm that does not invalidate the session after authentication, you are vulnerable to a session hijacking attack. Of course, the SecurityRealm issue has to be reported as a vulnerability and then corrected.

      The problem is that you can trigger a URL in Jenkins with ";jsessionid=xxx" (only "available" in Tomcat).

      This ticket is about adding a "second" level of protection there (think defense in depth) by forcing the session to be tracked via cookie only (the default being cookie+url).
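The change described above, restricting the servlet container to cookie-based session tracking so that a `;jsessionid=...` path parameter is no longer honoured, can be expressed with the standard Servlet 3.0+ API. The listener below is an added illustration written for this page, not the code from Jenkins core or the linked PR; the class name `CookieOnlySessionTrackingListener` and the helper `isUrlTrackingDisabled` are assumptions, and the example targets the generic `javax.servlet` API rather than any specific container.

```java
import java.util.EnumSet;
import java.util.Set;

import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;

/**
 * Added example (not Jenkins' own implementation): keeps only the COOKIE
 * tracking mode, so the container stops accepting a session id supplied in
 * the URL path (";jsessionid=...") and a leaked or attacker-chosen URL can no
 * longer be used to attach to, or fix, a session.
 *
 * The equivalent declarative form in web.xml (Servlet 3.0+) is:
 *
 *   <session-config>
 *     <tracking-mode>COOKIE</tracking-mode>
 *   </session-config>
 */
@WebListener
public class CookieOnlySessionTrackingListener implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();

        // Most containers default to COOKIE + URL. setSessionTrackingModes must
        // run before the context finishes initialising (it throws
        // IllegalStateException afterwards), which is exactly when this
        // callback is invoked.
        ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));

        // Record the effective result so operators can confirm the hardening
        // actually took effect in their deployment.
        ctx.log("Session tracking modes now: " + ctx.getEffectiveSessionTrackingModes()
                + " (default was " + ctx.getDefaultSessionTrackingModes() + ")");
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // Nothing to release.
    }

    /**
     * Startup or health-check assertion (hypothetical helper): true when the
     * container will ignore session ids carried in the URL.
     */
    public static boolean isUrlTrackingDisabled(ServletContext ctx) {
        Set<SessionTrackingMode> modes = ctx.getEffectiveSessionTrackingModes();
        return !modes.contains(SessionTrackingMode.URL);
    }
}
```

This is a second line of defence, as the ticket says: the escape hatch still lets semicolons through, but with URL tracking disabled a `;jsessionid=` path parameter is simply not consulted, so it only matters when a SecurityRealm fails to invalidate the session after authentication. Verifying `isUrlTrackingDisabled` at startup catches the case where a container-level configuration re-enables URL rewriting.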

          [JENKINS-61738] Session hijacking protection hardening

          Wadeck Follonier created issue
          Wadeck Follonier made changes:
          Remote Link New: This issue links to "#4611 in core (Web Link)" [ 24808 ]
          Wadeck Follonier made changes:
          Status Original: Open [ 1 ] New: In Progress [ 3 ]
          Wadeck Follonier made changes:
          Status Original: In Progress [ 3 ] New: In Review [ 10005 ]
          Wadeck Follonier made changes:
          Assignee New: Wadeck Follonier [ wfollonier ]
          Daniel Beck made changes:
          Released As New: Jenkins 2.234
          Resolution New: Fixed [ 1 ]
          Status Original: In Review [ 10005 ] New: Resolved [ 5 ]
