Me and my colleague (http://reply-to-all.blogspot.ru/) performed research and figured out vulnerability in Jenkins CI and Hudson CI software. Versions of Jenkins prior to 1.534 and versions of Hudson prior to 3.0.0 are vulnerable as they use Winstone servlet engine in default installation. Winstone servlet engine implements weak algorithm for generating session identifiers. Remote attacker could predict valid session identifiers to hijack user sessions and gain unauthorized access to the application running above Winstone. Valid login and password are not necessary for intruder to perform such attack.

To cope with this issue the solution is to use Jenkins version 1.534 and above, Hudson version 3.0.0 and above which use Jetty by default. Another possible solution is to run application server software that use robust session id generation algorithm like Tomcat or Jetty.

We reported our findings to Jenkins CI community.