CVE-2014-9634
Severity: MEDIUM
Jenkins < 1.586 - Session Cookie Secure Flag Not Set
Title source: llmDescription
Jenkins before 1.586 does not set the secure flag on session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to capture cookies by intercepting their transmission within an HTTP session.
References (7)
Mailing List, Third Party Advisory (mailing-list, x_refsource_mlist): http://www.openwall.com/lists/oss-security/2015/01/22/3
Issue Tracking, Third Party Advisory, VDB Entry (x_refsource_confirm): https://bugzilla.redhat.com/show_bug.cgi?id=1185148
Release Notes, Vendor Advisory (x_refsource_confirm): https://jenkins.io/changelog-old/
Third Party Advisory (x_refsource_confirm): https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769682
Issue Tracking, Vendor Advisory (x_refsource_confirm): https://issues.jenkins-ci.org/browse/JENKINS-25019
Patch, Third Party Advisory (x_refsource_confirm): https://github.com/jenkinsci/jenkins/commit/582128b9ac179a788d43c1478be8a5224dc19710
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_bid): http://www.securityfocus.com/bid/72054
Scores
CVSS v3: 5.3
EPSS: 0.0068
EPSS Percentile: 71.9%
Attack Vector: NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Details
CWE: CWE-254
Status: published
Products (2)
jenkins/jenkins: < 1.585
org.jenkins-ci.main/jenkins-core: 0 - 1.586 (Maven)
Published: Sep 12, 2017
Tracked Since: Feb 18, 2026