Description
Jenkins before 1.586 does not set the HttpOnly flag in a Set-Cookie header for session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to obtain potentially sensitive information via script access to cookies.
Remediation
References
https://jenkins.io/changelog-old/
https://issues.jenkins-ci.org/browse/JENKINS-25019
https://github.com/jenkinsci/jenkins/commit/582128b9ac179a788d43c1478be8a5224dc19710
https://bugzilla.redhat.com/show_bug.cgi?id=1185151
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769682
http://www.securityfocus.com/bid/72054
http://www.openwall.com/lists/oss-security/2015/01/22/3
Related Vulnerabilities
CVE-2018-1000009 Vulnerability in maven package org.jvnet.hudson.plugins:checkstyle
CVE-2021-42340 Vulnerability in maven package org.apache.tomcat:tomcat-websocket
CVE-2019-9843 Vulnerability in maven package com.diffplug.spotless:spotless-maven-plugin
CVE-2023-30547 Vulnerability in npm package vm2
CVE-2023-0846 Vulnerability in maven package org.opennms:opennms-webapp