CVE-2014-9635
Jenkins HttpOnly flag not set for session cookies
Severity: MEDIUM 5.3 | EPSS 0.60%
Published: 2022/5/17, Modified: 2024/12/5
Description
Jenkins before 1.586 does not set the HttpOnly flag in a Set-Cookie header for session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to obtain potentially sensitive information via script access to cookies.
Affected packages (1)
- Maven / org.jenkins-ci.main:jenkins-core, versions from 0 and < 1.586
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 5.3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
References (8)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2014-9635
- WEB: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769682
- WEB: https://bugzilla.redhat.com/show_bug.cgi?id=1185151
- WEB: https://github.com/jenkinsci/jenkins/commit/582128b9ac179a788d43c1478be8a5224dc19710
- WEB: https://issues.jenkins-ci.org/browse/JENKINS-25019
- WEB: https://jenkins.io/changelog-old
- WEB: http://www.openwall.com/lists/oss-security/2015/01/22/3
- WEB: http://www.securityfocus.com/bid/72054