Description

Jenkins before 1.586 does not set the secure flag on session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to capture cookies by intercepting their transmission within an HTTP session.

Remediation

References

https://jenkins.io/changelog-old/

https://issues.jenkins-ci.org/browse/JENKINS-25019

https://github.com/jenkinsci/jenkins/commit/582128b9ac179a788d43c1478be8a5224dc19710

https://bugzilla.redhat.com/show_bug.cgi?id=1185148

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769682

http://www.securityfocus.com/bid/72054

http://www.openwall.com/lists/oss-security/2015/01/22/3

Related Vulnerabilities

CVE-2022-23944 Vulnerability in maven package org.apache.shenyu:shenyu-common

CVE-2022-29567 Vulnerability in maven package com.vaadin:vaadin-grid-flow

CVE-2017-7536 Vulnerability in maven package org.hibernate:hibernate-validator

CVE-2019-16303 Vulnerability in npm package generator-jhipster-kotlin

CVE-2019-10325 Vulnerability in maven package io.jenkins.plugins:warnings-ng

Severity

Medium

Classification

CWE-254 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Tags

Release Notes Vendor Advisory Issue Tracking Patch Third Party Advisory VDB Entry Mailing List