CVE-2014-9635

Jenkins HttpOnly flag not Set for session cookies in maven/org.jenkins-ci.main/jenkins-core

Identifiers

GHSA-7f6w-fhmr-j8hq, CVE-2014-9635

Package Slug

maven/org.jenkins-ci.main/jenkins-core

Vulnerability

Jenkins HttpOnly flag not Set for session cookies

Description

Jenkins before 1.586 does not set the HttpOnly flag in a Set-Cookie header for session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to obtain potentially sensitive information via script access to cookies.

Affected Versions

All versions before 1.586

Solution

Upgrade to version 1.586 or above.

Last Modified

2024-01-31

source