CVE-2014-9635 – org.jenkins-ci.main:jenkins-core
Package
Manager: maven
Name: org.jenkins-ci.main:jenkins-core
Vulnerable Version: >=0 <1.586
Severity
Level: Medium
CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00335 (percentile 0.55657)
Details
Jenkins HttpOnly flag not set for session cookies
Jenkins before 1.586 does not set the HttpOnly flag in a Set-Cookie header for session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to obtain potentially sensitive information via script access to cookies.
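A verification check for the issue described above, added here and not part of the advisory or of Jenkins: it parses the Set-Cookie headers of a raw HTTP response head and reports whether the session cookie carries HttpOnly. It assumes the session cookie is named JSESSIONID (Tomcat's default); the two response heads are constructed samples of the pre-1.586 and fixed behaviour.

```python
"""Check whether an HTTP response's session cookie carries the HttpOnly flag.
Added example, not from the advisory. Assumes the session cookie is named
JSESSIONID (Tomcat's default); the sample responses below are constructed."""
from typing import Dict, List, Optional, Union

SESSION_COOKIE = "JSESSIONID"  # assumption: Tomcat's default session cookie name
Attrs = Dict[str, Union[str, bool]]


def set_cookie_values(raw_response: str) -> List[str]:
    """Return every Set-Cookie header value from a raw HTTP response head."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "set-cookie":
            values.append(value.strip())
    return values


def parse_set_cookie(value: str) -> Dict[str, Union[str, Attrs]]:
    """Split one Set-Cookie value into name, value and attributes.
    Attribute names are case-insensitive (RFC 6265) and are lower-cased;
    flag attributes such as HttpOnly map to True."""
    parts = [p.strip() for p in value.split(";")]
    name, _, cookie_value = parts[0].partition("=")
    attrs: Attrs = {}
    for attr in parts[1:]:
        if attr:
            key, _, val = attr.partition("=")
            attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": cookie_value, "attrs": attrs}


def session_cookie_httponly(raw_response: str) -> Optional[bool]:
    """True if the session cookie is HttpOnly, False if not, None if absent."""
    for value in set_cookie_values(raw_response):
        cookie = parse_set_cookie(value)
        if cookie["name"] == SESSION_COOKIE:
            return "httponly" in cookie["attrs"]
    return None


# Constructed sample response heads: pre-1.586 behaviour on Tomcat, then fixed.
VULNERABLE_RESPONSE = ("HTTP/1.1 200 OK\r\n"
                       "Set-Cookie: JSESSIONID=0123456789ABCDEF; Path=/\r\n\r\n")
FIXED_RESPONSE = ("HTTP/1.1 200 OK\r\n"
                  "Set-Cookie: JSESSIONID=0123456789ABCDEF; Path=/; HttpOnly\r\n\r\n")

if __name__ == "__main__":
    print("vulnerable:", session_cookie_httponly(VULNERABLE_RESPONSE))  # False
    print("fixed:", session_cookie_httponly(FIXED_RESPONSE))  # True
```

Run it against the response head captured from a Jenkins login or first page load to confirm the upgrade (or a Tomcat-level HttpOnly setting) took effect.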
Metadata
Created: 2022-05-17T00:50:19Z
Modified: 2024-01-30T23:16:51Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-7f6w-fhmr-j8hq/GHSA-7f6w-fhmr-j8hq.json
CWE IDs: []
Alternative ID: GHSA-7f6w-fhmr-j8hq
Finding: F042
Auto approve: 1