CVE-2019-10405 – org.jenkins-ci.main:jenkins-core

Package

Manager: maven
Name: org.jenkins-ci.main:jenkins-core
Vulnerable Version: >=0 <2.176.4 || >=2.177 <2.197

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.78751 pctl0.99013

Details

Exposure of Sensitive Information to an Unauthorized Actor in Jenkins Jenkins 2.196 and earlier, LTS 2.176.3 and earlier printed the value of the "Cookie" HTTP request header on the /whoAmI/ URL, allowing attackers exploiting another XSS vulnerability to obtain the HTTP session cookie despite it being marked HttpOnly.

Metadata

Created: 2022-05-24T22:00:43Z
Modified: 2022-06-28T16:17:01Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-47wc-p5cp-w7pw/GHSA-47wc-p5cp-w7pw.json
CWE IDs: ["CWE-200", "CWE-79"]
Alternative ID: GHSA-47wc-p5cp-w7pw
Finding: F017
Auto approve: 1