CVE-2014-9634 : Jenkins before 1.586 does not set the secure flag on session cookies when run on

Jenkins before 1.586 does not set the secure flag on session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to capture cookies by intercepting their transmission within an HTTP session.

Published 2017-09-12 14:29:00

Updated 2017-09-21 18:47:40

Source Red Hat, Inc.

View at NVD, CVE.org

Products affected by CVE-2014-9634

Jenkins » Jenkins
Versions up to, including, (<=) 1.585
cpe:2.3:a:jenkins:jenkins:*:*:*:*:*:*:*:*
Matching versions
When used together with: Apache » Tomcat » Version: 7.0.41
When used together with: Apache » Tomcat » Version: 7.0.42
When used together with: Apache » Tomcat » Version: 7.0.43
When used together with: Apache » Tomcat » Version: 7.0.44
When used together with: Apache » Tomcat » Version: 7.0.45
When used together with: Apache » Tomcat » Version: 7.0.46
When used together with: Apache » Tomcat » Version: 7.0.47
When used together with: Apache » Tomcat » Version: 7.0.48
When used together with: Apache » Tomcat » Version: 7.0.49
When used together with: Apache » Tomcat » Version: 7.0.50
When used together with: Apache » Tomcat » Version: 7.0.51
When used together with: Apache » Tomcat » Version: 7.0.54
When used together with: Apache » Tomcat » Version: 7.0.55
When used together with: Apache » Tomcat » Version: 7.0.56
When used together with: Apache » Tomcat » Version: 7.0.57
When used together with: Apache » Tomcat » Version: 7.0.58
When used together with: Apache » Tomcat » Version: 7.0.59
When used together with: Apache » Tomcat » Version: 7.0.60
When used together with: Apache » Tomcat » Version: 7.0.61
When used together with: Apache » Tomcat » Version: 7.0.62
When used together with: Apache » Tomcat » Version: 7.0.63
When used together with: Apache » Tomcat » Version: 7.0.64
When used together with: Apache » Tomcat » Version: 7.0.65
When used together with: Apache » Tomcat » Version: 7.0.66
When used together with: Apache » Tomcat » Version: 7.0.67
When used together with: Apache » Tomcat » Version: 7.0.68
When used together with: Apache » Tomcat » Version: 7.0.69
When used together with: Apache » Tomcat » Version: 7.0.70
When used together with: Apache » Tomcat » Version: 7.0.71
When used together with: Apache » Tomcat » Version: 7.0.72
When used together with: Apache » Tomcat » Version: 7.0.73
When used together with: Apache » Tomcat » Version: 7.0.74
When used together with: Apache » Tomcat » Version: 7.0.75
When used together with: Apache » Tomcat » Version: 7.0.76
When used together with: Apache » Tomcat » Version: 7.0.77
When used together with: Apache » Tomcat » Version: 7.0.78
When used together with: Apache » Tomcat » Version: 7.0.79
When used together with: Apache » Tomcat » Version: 7.0.80
When used together with: Apache » Tomcat » Version: 7.0.81

Exploit prediction scoring system (EPSS) score for CVE-2014-9634

EPSS FAQ

0.28%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 49 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2014-9634

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.0	MEDIUM	AV:N/AC:L/Au:N/C:P/I:N/A:N	10.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None
5.3	MEDIUM	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N	3.9	1.4	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: Low Integrity: None Availability: None

CWE ids for CVE-2014-9634

CWE-254

Assigned by: nvd@nist.gov (Primary)

References for CVE-2014-9634

https://jenkins.io/changelog-old/

Changelog Archives
Release Notes;Vendor Advisory

CVEs referencing this url
https://issues.jenkins-ci.org/browse/JENKINS-25019

[JENKINS-25019] updateSecureSessionFlag fails to set secure cookie flag - Jenkins JIRA
Issue Tracking;Vendor Advisory

CVEs referencing this url
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769682

#769682 - jenkins-tomcat: Secure and HttpOnly flags are not set for cookies with Jenkins on Tomcat - Debian Bug report logs
Third Party Advisory

CVEs referencing this url
http://www.securityfocus.com/bid/72054

Jenkins Session Cookie Multiple Security Bypass Vulnerabilities
Third Party Advisory;VDB Entry

CVEs referencing this url
http://www.openwall.com/lists/oss-security/2015/01/22/3

oss-security - Re: ping on CVE Request for jenkins-tomcat: Secure and HttpOnly flags are not, set for cookies with Jenkins on Tomcat
Mailing List;Third Party Advisory

CVEs referencing this url
https://github.com/jenkinsci/jenkins/commit/582128b9ac179a788d43c1478be8a5224dc19710

[FIXED JENKINS-25019] · jenkinsci/jenkins@582128b · GitHub
Patch;Third Party Advisory

CVEs referencing this url
https://bugzilla.redhat.com/show_bug.cgi?id=1185148

1185148 – (CVE-2014-9634) CVE-2014-9634 Jenkins on Tomcat: failure to set secure flag on cookies
Issue Tracking;Third Party Advisory;VDB Entry

Jump to

Vulnerability Details : CVE-2014-9634

Products affected by CVE-2014-9634

Exploit prediction scoring system (EPSS) score for CVE-2014-9634

CVSS scores for CVE-2014-9634

CWE ids for CVE-2014-9634

References for CVE-2014-9634