CVE-2014-9635
Severity: MEDIUM
Jenkins < 1.586 - Session Cookie Information Disclosure via Missing HttpOnly Flag
Title source: llmDescription
Jenkins before 1.586 does not set the HttpOnly flag in a Set-Cookie header for session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to obtain potentially sensitive information via script access to cookies.
References (7)
Core References
Mailing List, Third Party Advisory (mailing-list, x_refsource_mlist): http://www.openwall.com/lists/oss-security/2015/01/22/3
Issue Tracking, Vendor Advisory (x_refsource_misc): https://issues.jenkins-ci.org/browse/JENKINS-25019
Issue Tracking, Third Party Advisory, VDB Entry (x_refsource_confirm): https://bugzilla.redhat.com/show_bug.cgi?id=1185151
Third Party Advisory (x_refsource_confirm): https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769682
Patch, Third Party Advisory (x_refsource_confirm): https://github.com/jenkinsci/jenkins/commit/582128b9ac179a788d43c1478be8a5224dc19710
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_bid): http://www.securityfocus.com/bid/72054
Release Notes, Vendor Advisory (x_refsource_confirm): https://jenkins.io/changelog-old/
Scores
CVSS v3
5.3
EPSS
0.0060
EPSS Percentile
69.6%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Details
CWE
CWE-254
Status
published
Products (2)
jenkins/jenkins
< 1.585
org.jenkins-ci.main/jenkins-core
0 - 1.586 (Maven)
Published
Sep 12, 2017
Tracked Since
Feb 18, 2026