CVE-2014-9635 Vulnerability in maven package org.jenkins-ci.main:jenkins-core

Description

Jenkins before 1.586 does not set the HttpOnly flag in a Set-Cookie header for session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to obtain potentially sensitive information via script access to cookies.

Remediation

References

https://jenkins.io/changelog-old/

https://issues.jenkins-ci.org/browse/JENKINS-25019

https://github.com/jenkinsci/jenkins/commit/582128b9ac179a788d43c1478be8a5224dc19710

https://bugzilla.redhat.com/show_bug.cgi?id=1185151

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769682

http://www.securityfocus.com/bid/72054

http://www.openwall.com/lists/oss-security/2015/01/22/3

Related Vulnerabilities

CVE-2023-3635 Vulnerability in maven package com.squareup.okio:okio-jvm

CVE-2018-1000665 Vulnerability in maven package org.apache.geronimo.plugins:dojo

CVE-2023-30542 Vulnerability in npm package @openzeppelin/contracts

CVE-2023-28679 Vulnerability in maven package javagh.jenkins:mashup-portlets-plugin

CVE-2018-20676 Vulnerability in maven package org.webjars.bower:bootstrap

Severity

Medium

Classification

CWE-254 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N