GHSA-7f6w-fhmr-j8hq, CVE-2014-9635
maven/org.jenkins-ci.main/jenkins-core
Jenkins HttpOnly flag not Set for session cookies
Jenkins before 1.586 does not set the HttpOnly flag in a Set-Cookie header for session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to obtain potentially sensitive information via script access to cookies.
All versions before 1.586
Upgrade to version 1.586 or above.
2024-01-31
source |