
Session hijacking protection hardening

Details

• Type: Improvement
• Status: Resolved
• Priority: Minor
• Resolution: Fixed
• Component/s: core
• Released As: Jenkins 2.234

Description

After the recent SECURITY-1774, published in https://jenkins.io/security/advisory/2020-03-25/, we are preventing the use of semicolons in URLs. In Jenkins they could potentially have a legitimate (but not really recommended) use when included in item names.

If you need to activate the escape hatch "jenkins.security.SuspiciousRequestFilter.allowSemicolonsInPath", and you are using a SecurityRealm that does not invalidate the session after authentication, you are vulnerable to a session hijacking attack. Of course, the SecurityRealm issue has to be reported as a vulnerability and then corrected.

The problem is that a Jenkins URL can be requested with ";jsessionid=xxx" appended (only "available" in Tomcat).

This ticket is about adding a "second" level of protection there (think defense in depth) by forcing the session to be tracked via cookie only (the default is cookie+url).
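One way to enforce cookie-only session tracking in a Servlet 3.0+ container, shown here as an added example that is not Jenkins' own code or its actual fix for this ticket; the class name and the web.xml registration of the listener and filter are assumed:

```java
import java.io.IOException;
import java.util.EnumSet;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.SessionTrackingMode;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical hardening class (not Jenkins' own): restrict session tracking to
// cookies so a ";jsessionid=..." path segment is never honoured, and reject any
// request that still presents a session id in the URL (defense in depth).
public class CookieOnlySessionHardening implements ServletContextListener, Filter {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        // Must be called during context initialization; later calls throw
        // IllegalStateException. The container default is usually COOKIE + URL;
        // dropping URL disables parsing of ";jsessionid=" from the request path.
        ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));
        Set<SessionTrackingMode> effective = ctx.getEffectiveSessionTrackingModes();
        if (effective.contains(SessionTrackingMode.URL)) {
            throw new IllegalStateException("URL session tracking still enabled: " + effective);
        }
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) { }

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // With URL tracking disabled this is expected to be false; a true value
        // means the container ignored the setting and should be treated as a bug.
        if (((HttpServletRequest) req).isRequestedSessionIdFromURL()) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST,
                    "Session id in URL is not accepted");
            return;
        }
        chain.doFilter(req, res);
    }
}
```

The declarative equivalent of the listener is `<session-config><tracking-mode>COOKIE</tracking-mode></session-config>` in web.xml; the filter is only a safety net for containers that do not honour either setting.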


People

• Assignee: wfollonier Wadeck Follonier
• Reporter: wfollonier Wadeck Follonier