Vulnerability Details : CVE-2014-9634
Jenkins before 1.586 does not set the secure flag on session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to capture cookies by intercepting their transmission within an HTTP session.
Products affected by CVE-2014-9634
- cpe:2.3:a:jenkins:jenkins:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2014-9634
- EPSS score: 0.28% (probability of exploitation activity in the next 30 days)
- Percentile: ~49% (the proportion of all scored vulnerabilities with an EPSS score at or below this one)
CVSS scores for CVE-2014-9634
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N | 10.0 | 2.9 | NIST |
5.3 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | 3.9 | 1.4 | NIST |
CWE ids for CVE-2014-9634
- No CWE id listed. Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-9634
- https://jenkins.io/changelog-old/ : Changelog Archives (Release Notes; Vendor Advisory)
- https://issues.jenkins-ci.org/browse/JENKINS-25019 : [JENKINS-25019] updateSecureSessionFlag fails to set secure cookie flag - Jenkins JIRA (Issue Tracking; Vendor Advisory)
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769682 : #769682 - jenkins-tomcat: Secure and HttpOnly flags are not set for cookies with Jenkins on Tomcat - Debian Bug report logs (Third Party Advisory)
- http://www.securityfocus.com/bid/72054 : Jenkins Session Cookie Multiple Security Bypass Vulnerabilities (Third Party Advisory; VDB Entry)
- http://www.openwall.com/lists/oss-security/2015/01/22/3 : oss-security - Re: ping on CVE Request for jenkins-tomcat: Secure and HttpOnly flags are not, set for cookies with Jenkins on Tomcat (Mailing List; Third Party Advisory)
- https://github.com/jenkinsci/jenkins/commit/582128b9ac179a788d43c1478be8a5224dc19710 : [FIXED JENKINS-25019] · jenkinsci/jenkins@582128b · GitHub (Patch; Third Party Advisory)
- https://bugzilla.redhat.com/show_bug.cgi?id=1185148 : 1185148 – (CVE-2014-9634) CVE-2014-9634 Jenkins on Tomcat: failure to set secure flag on cookies (Issue Tracking; Third Party Advisory; VDB Entry)