Description

Jenkins before 1.586 does not set the HttpOnly flag in a Set-Cookie header for session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to obtain potentially sensitive information via script access to cookies.

Remediation

References

http://www.openwall.com/lists/oss-security/2015/01/22/3

http://www.securityfocus.com/bid/72054

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769682

https://bugzilla.redhat.com/show_bug.cgi?id=1185151

https://github.com/jenkinsci/jenkins/commit/582128b9ac179a788d43c1478be8a5224dc19710

https://issues.jenkins-ci.org/browse/JENKINS-25019

https://jenkins.io/changelog-old/

Related Vulnerabilities

CVE-2023-25766 Vulnerability in maven package org.jenkins-ci.plugins:azure-credentials

CVE-2019-10768 Vulnerability in maven package org.webjars.bower:angular

CVE-2019-0219 Vulnerability in npm package cordova-plugin-inappbrowser

CVE-2022-41878 Vulnerability in npm package parse-server

CVE-2021-28169 Vulnerability in maven package org.eclipse.jetty:jetty-servlets

Severity

Medium

Classification

CWE-254 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Tags

Mailing List Third Party Advisory VDB Entry Issue Tracking Patch Vendor Advisory Release Notes