CVE-2014-9635
MEDIUM5.3EPSS 0.60%Jenkins HttpOnly flag not Set for session cookies
Published: 5/17/2022Modified: 12/5/2024
Description
Jenkins before 1.586 does not set the HttpOnly flag in a Set-Cookie header for session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to obtain potentially sensitive information via script access to cookies.
Affected packages (1)
- Maven/org.jenkins-ci.main:jenkins-corefrom 0, < 1.586
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
References (8)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2014-9635
- WEBhttps://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769682
- WEBhttps://bugzilla.redhat.com/show_bug.cgi?id=1185151
- WEBhttps://github.com/jenkinsci/jenkins/commit/582128b9ac179a788d43c1478be8a5224dc19710
- WEBhttps://issues.jenkins-ci.org/browse/JENKINS-25019
- WEBhttps://jenkins.io/changelog-old
- WEBhttp://www.openwall.com/lists/oss-security/2015/01/22/3
- WEBhttp://www.securityfocus.com/bid/72054