Jenkins 2.218 and earlier, LTS 2.204.1 and earlier exposed session identifiers on a user's detail object in the whoAmI diagnostic page.
{ "cpes": [ "cpe:2.3:a:jenkins:jenkins:*:*:*:*:-:*:*:*", "cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*" ], "severity": "Medium" }