Description
Jenkins HttpOnly flag not set for session cookies
Jenkins before 1.586 does not set the HttpOnly flag in a Set-Cookie header for session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to obtain potentially sensitive information via script access to cookies.
References
- https://nvd.nist.gov/vuln/detail/CVE-2014-9635
- https://github.com/jenkinsci/jenkins/commit/582128b9ac179a788d43c1478be8a5224dc19710
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769682
- https://bugzilla.redhat.com/show_bug.cgi?id=1185151
- https://issues.jenkins-ci.org/browse/JENKINS-25019
- https://jenkins.io/changelog-old
- http://www.openwall.com/lists/oss-security/2015/01/22/3
- http://www.securityfocus.com/bid/72054
Packages
org.jenkins-ci.main:jenkins-core (affected versions: < 1.586; fixed in: 1.586)