Vulnerability Details : CVE-2014-9635
Jenkins before 1.586 does not set the HttpOnly flag in a Set-Cookie header for session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to obtain potentially sensitive information via script access to cookies.
Products affected by CVE-2014-9635
- cpe:2.3:a:jenkins:jenkins:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2014-9635
0.36%
Probability of exploitation activity in the next 30 days
EPSS Score History
~72%
Percentile: the proportion of vulnerabilities scored at or below this EPSS score
CVSS scores for CVE-2014-9635
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N | 10.0 | 2.9 | NIST | |
5.3 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | 3.9 | 1.4 | NIST | |
CWE ids for CVE-2014-9635
- Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-9635
- https://jenkins.io/changelog-old/
  Changelog Archives (Release Notes; Vendor Advisory)
- https://issues.jenkins-ci.org/browse/JENKINS-25019
  [JENKINS-25019] updateSecureSessionFlag fails to set secure cookie flag - Jenkins JIRA (Issue Tracking; Vendor Advisory)
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769682
  #769682 - jenkins-tomcat: Secure and HttpOnly flags are not set for cookies with Jenkins on Tomcat - Debian Bug report logs (Third Party Advisory)
- https://bugzilla.redhat.com/show_bug.cgi?id=1185151
  1185151 - (CVE-2014-9635) CVE-2014-9635 Jenkins on Tomcat: failure to set httponly flag on cookies (Issue Tracking; Third Party Advisory; VDB Entry)
- http://www.securityfocus.com/bid/72054
  Jenkins Session Cookie Multiple Security Bypass Vulnerabilities (Third Party Advisory; VDB Entry)
- http://www.openwall.com/lists/oss-security/2015/01/22/3
  oss-security - Re: ping on CVE Request for jenkins-tomcat: Secure and HttpOnly flags are not set for cookies with Jenkins on Tomcat (Mailing List; Third Party Advisory)
- https://github.com/jenkinsci/jenkins/commit/582128b9ac179a788d43c1478be8a5224dc19710
  [FIXED JENKINS-25019] · jenkinsci/jenkins@582128b · GitHub (Patch; Third Party Advisory)