Jenkins secure flag not set on session cookies

GHSA-g7cf-wg27-qw87 · CVE-2014-9634

Published May 17, 2022 · Modified Dec 5, 2024

Description

Jenkins before 1.586 does not set the secure flag on session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to capture cookies by intercepting their transmission within an HTTP session.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2014-9634
WEB https://github.com/jenkinsci/jenkins/commit/582128b9ac179a788d43c1478be8a5224dc19710
WEB https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769682
WEB https://bugzilla.redhat.com/show_bug.cgi?id=1185148
WEB https://issues.jenkins-ci.org/browse/JENKINS-25019
WEB https://jenkins.io/changelog-old
WEB http://www.openwall.com/lists/oss-security/2015/01/22/3
WEB http://www.securityfocus.com/bid/72054

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes