Jenkins HttpOnly flag not Set for session cookies

GHSA-7f6w-fhmr-j8hq · CVE-2014-9635

Published May 17, 2022 · Modified Dec 5, 2024

Description

Jenkins before 1.586 does not set the HttpOnly flag in a Set-Cookie header for session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to obtain potentially sensitive information via script access to cookies.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2014-9635
WEB https://github.com/jenkinsci/jenkins/commit/582128b9ac179a788d43c1478be8a5224dc19710
WEB https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769682
WEB https://bugzilla.redhat.com/show_bug.cgi?id=1185151
WEB https://issues.jenkins-ci.org/browse/JENKINS-25019
WEB https://jenkins.io/changelog-old
WEB http://www.openwall.com/lists/oss-security/2015/01/22/3
WEB http://www.securityfocus.com/bid/72054

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes