CVE-2014-9635: Jenkins HttpOnly flag not Set for session cookies
(updated )
Jenkins before 1.586 does not set the HttpOnly flag in a Set-Cookie header for session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to obtain potentially sensitive information via script access to cookies.
References
- www.openwall.com/lists/oss-security/2015/01/22/3
- www.securityfocus.com/bid/72054
- bugs.debian.org/cgi-bin/bugreport.cgi?bug=769682
- bugzilla.redhat.com/show_bug.cgi?id=1185151
- github.com/advisories/GHSA-7f6w-fhmr-j8hq
- github.com/jenkinsci/jenkins/commit/582128b9ac179a788d43c1478be8a5224dc19710
- issues.jenkins-ci.org/browse/JENKINS-25019
- jenkins.io/changelog-old/
- nvd.nist.gov/vuln/detail/CVE-2014-9635
Code Behaviors & Features
Detect and mitigate CVE-2014-9635 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →