Description

Jenkins before 1.586 does not set the secure flag on session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to capture cookies by intercepting their transmission within an HTTP session.

Remediation

References

http://www.openwall.com/lists/oss-security/2015/01/22/3

http://www.securityfocus.com/bid/72054

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769682

https://bugzilla.redhat.com/show_bug.cgi?id=1185148

https://github.com/jenkinsci/jenkins/commit/582128b9ac179a788d43c1478be8a5224dc19710

https://issues.jenkins-ci.org/browse/JENKINS-25019

https://jenkins.io/changelog-old/

Related Vulnerabilities

CVE-2023-49733 Vulnerability in maven package org.apache.cocoon:cocoon-core

CVE-2019-13237 Vulnerability in maven package org.opencms:opencms-core

CVE-2018-1000873 Vulnerability in maven package com.fasterxml.jackson.datatype:jackson-datatype-jsr310

CVE-2020-28482 Vulnerability in npm package fastify-csrf

CVE-2022-47105 Vulnerability in maven package org.jeecgframework.boot:jeecg-module-system

Severity

Medium

Classification

CWE-254 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Tags

Mailing List Third Party Advisory VDB Entry Issue Tracking Patch Vendor Advisory Release Notes