CVE-2014-9634

Опубликовано: 12 сент. 2017

Источник: nvd

CVSS3: 5.3

CVSS2: 5

EPSS Низкий

Описание

Jenkins before 1.586 does not set the secure flag on session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to capture cookies by intercepting their transmission within an HTTP session.

Ссылки

http://www.openwall.com/lists/oss-security/2015/01/22/3
Mailing List
Third Party Advisory
http://www.securityfocus.com/bid/72054
Third Party Advisory
VDB Entry
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769682
Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1185148
Issue Tracking
Third Party Advisory
VDB Entry
https://github.com/jenkinsci/jenkins/commit/582128b9ac179a788d43c1478be8a5224dc19710
Patch
Third Party Advisory
https://issues.jenkins-ci.org/browse/JENKINS-25019
Issue Tracking
Vendor Advisory
https://jenkins.io/changelog-old/
Release Notes
Vendor Advisory
http://www.openwall.com/lists/oss-security/2015/01/22/3
Mailing List
Third Party Advisory
http://www.securityfocus.com/bid/72054
Third Party Advisory
VDB Entry
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769682
Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1185148
Issue Tracking
Third Party Advisory
VDB Entry
https://github.com/jenkinsci/jenkins/commit/582128b9ac179a788d43c1478be8a5224dc19710
Patch
Third Party Advisory
https://issues.jenkins-ci.org/browse/JENKINS-25019
Issue Tracking
Vendor Advisory
https://jenkins.io/changelog-old/
Release Notes
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

Одновременно

cpe:2.3:a:jenkins:jenkins:*:*:*:*:*:*:*:*

Версия до 1.585 (включая)

Одно из

cpe:2.3:a:apache:tomcat:7.0.41:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.42:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.43:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.44:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.45:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.46:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.47:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.48:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.49:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.50:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.51:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.54:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.55:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.56:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.57:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.58:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.59:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.60:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.61:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.62:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.63:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.64:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.65:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.66:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.67:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.68:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.69:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.70:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.71:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.72:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.73:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.74:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.75:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.76:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.77:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.78:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.79:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.80:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.81:*:*:*:*:*:*:*

EPSS

Процентиль: 51%

0.00282

Низкий

5.3 Medium

CVSS3

5 Medium

CVSS2

Дефекты

CWE-254

Связанные уязвимости

CVE-2014-9634

CVSS3: 5.3

ubuntu

почти 8 лет назад

CVE-2014-9634

redhat

больше 10 лет назад

CVE-2014-9634

CVSS3: 5.3

debian

почти 8 лет назад

Jenkins before 1.586 does not set the secure flag on session cookies w ...

GHSA-g7cf-wg27-qw87

CVSS3: 5.3

github

около 3 лет назад

Jenkins secure flag not set on session cookies

EPSS

Процентиль: 51%

0.00282

Низкий

5.3 Medium

CVSS3

5 Medium

CVSS2

Дефекты

CWE-254