| After the recent SECURITY-1774 published in https://jenkins.io/security/advisory/2020-03-25/, we are preventing the usage of semicolon in URL. In Jenkins they could potentially have a legitimate (but not really recommended) usage when included in item names. If you need to activate the escape hatch "jenkins.security.SuspiciousRequestFilter.allowSemicolonsInPath", and you are using a SecurityRealm that does not invalidate the session after authentication, you are vulnerable to a session hijacking attack. Of course, the SecurityRealm issue has to be reported as a vulnerability and then corrected. The problem is that you can trigger a URL in Jenkins with ";jsessionid=xxx" (only "available" in Tomcat). This ticket is about adding a "second" level of protection there (think defense in depth) by forcing the session to be tracked as a cookie (from default which is cookie+url). |
