Moderate severityNVD Advisory· Published Oct 17, 2014· Updated May 6, 2026
CVE-2014-2066
CVE-2014-2066
Description
Session fixation vulnerability in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to hijack web sessions via vectors involving the "override" of Jenkins cookies.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.jenkins-ci.main:jenkins-coreMaven | >= 1.533, < 1.551 | 1.551 |
org.jenkins-ci.main:jenkins-coreMaven | < 1.532.2 | 1.532.2 |
Affected products
2Patches
18ac74c350779[FIXED SECURITY-75] Invalidate session after login to avoid session fixation
1 file changed · +1 −0
core/src/main/java/hudson/security/AuthenticationProcessingFilter2.java+1 −0 modified@@ -85,6 +85,7 @@ protected void onSuccessfulAuthentication(HttpServletRequest request, HttpServle // HttpSessionContextIntegrationFilter stores the updated SecurityContext object into this session later // (either when a redirect is issued, via its HttpResponseWrapper, or when the execution returns to its // doFilter method. + request.getSession().invalidate(); request.getSession(); }
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- github.com/jenkinsci/jenkins/commit/8ac74c350779921598f9d5edfed39dd35de8842anvdPatchWEB
- github.com/advisories/GHSA-8jfx-h6q2-v4g3ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2014-2066ghsaADVISORY
- wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-02-14nvdVendor AdvisoryWEB
- www.openwall.com/lists/oss-security/2014/02/21/2nvdWEB
News mentions
0No linked articles in our index yet.