CVE-2014-9634
MEDIUM 5.3, EPSS 0.68%
Jenkins secure flag not set on session cookies
Published: 2022/5/17, Modified: 2024/12/5
Description
Jenkins before 1.586 does not set the secure flag on session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to capture cookies by intercepting their transmission within an HTTP session.
Affected packages (1)
- Maven/org.jenkins-ci.main:jenkins-core from 0, < 1.586
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 5.3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
References (8)
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2014-9634
- WEB https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769682
- WEB https://bugzilla.redhat.com/show_bug.cgi?id=1185148
- WEB https://github.com/jenkinsci/jenkins/commit/582128b9ac179a788d43c1478be8a5224dc19710
- WEB https://issues.jenkins-ci.org/browse/JENKINS-25019
- WEB https://jenkins.io/changelog-old
- WEB http://www.openwall.com/lists/oss-security/2015/01/22/3
- WEB http://www.securityfocus.com/bid/72054