Описание
Exposure of Sensitive Information to an Unauthorized Actor in Jenkins
Jenkins 2.196 and earlier, LTS 2.176.3 and earlier printed the value of the "Cookie" HTTP request header on the /whoAmI/ URL, allowing attackers exploiting another XSS vulnerability to obtain the HTTP session cookie despite it being marked HttpOnly.
Пакеты
org.jenkins-ci.main:jenkins-core
<= 2.176.3
2.176.4
org.jenkins-ci.main:jenkins-core
>= 2.177, <= 2.196
2.197
Связанные уязвимости
Jenkins 2.196 and earlier, LTS 2.176.3 and earlier printed the value of the "Cookie" HTTP request header on the /whoAmI/ URL, allowing attackers exploiting another XSS vulnerability to obtain the HTTP session cookie despite it being marked HttpOnly.
Jenkins 2.196 and earlier, LTS 2.176.3 and earlier printed the value of the "Cookie" HTTP request header on the /whoAmI/ URL, allowing attackers exploiting another XSS vulnerability to obtain the HTTP session cookie despite it being marked HttpOnly.
Jenkins 2.196 and earlier, LTS 2.176.3 and earlier printed the value o ...