CVE-2014-2060 : The Winstone servlet container in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to hijack sessions

The Winstone servlet container in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to hijack sessions via unspecified vectors.

Published 2014-10-17 15:55:06

Updated 2016-06-13 23:34:06

Source Debian GNU/Linux

View at NVD, CVE.org

Threat overview for CVE-2014-2060

Top countries where our scanners detected CVE-2014-2060

Top open port discovered on systems with this issue 8088

IPs affected by CVE-2014-2060 1,674

Threat actors abusing to this issue? Yes

Find out if you^* are affected by CVE-2014-2060!

^*Directly or indirectly through your vendors, service providers and 3rd parties. Powered by attack surface intelligence from SecurityScorecard.

Probability of exploitation activity in the next 30 days: 0.18%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 54 % EPSS Score History EPSS FAQ

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.0	MEDIUM	AV:N/AC:L/Au:N/C:N/I:P/A:N	10.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None

https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-02-14

Jenkins Security Advisory 2014-02-14 - Security Advisories - Jenkins Wiki
Vendor Advisory

CVEs referencing this url
http://www.openwall.com/lists/oss-security/2014/02/21/2

oss-security - Re: Possible CVE Requests: several issues fixed in Jenkins (Advisory 2014-02-14)

CVEs referencing this url

Jenkins » Jenkins
Versions up to, including, (<=) 1.550
cpe:2.3:a:jenkins:jenkins:*:*:*:*:*:*:*:*
Matching versions
Jenkins » Jenkins » LTS Edition
Versions up to, including, (<=) 1.532.1
cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*
Matching versions