CVE-2014-9635

Опубликовано: 12 сент. 2017

Источник: nvd

CVSS3: 5.3

CVSS2: 5

EPSS Низкий

Описание

Jenkins before 1.586 does not set the HttpOnly flag in a Set-Cookie header for session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to obtain potentially sensitive information via script access to cookies.

Ссылки

http://www.openwall.com/lists/oss-security/2015/01/22/3
Mailing List
Third Party Advisory
http://www.securityfocus.com/bid/72054
Third Party Advisory
VDB Entry
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769682
Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1185151
Issue Tracking
Third Party Advisory
VDB Entry
https://github.com/jenkinsci/jenkins/commit/582128b9ac179a788d43c1478be8a5224dc19710
Patch
Third Party Advisory
https://issues.jenkins-ci.org/browse/JENKINS-25019
Issue Tracking
Vendor Advisory
https://jenkins.io/changelog-old/
Release Notes
Vendor Advisory
http://www.openwall.com/lists/oss-security/2015/01/22/3
Mailing List
Third Party Advisory
http://www.securityfocus.com/bid/72054
Third Party Advisory
VDB Entry
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769682
Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1185151
Issue Tracking
Third Party Advisory
VDB Entry
https://github.com/jenkinsci/jenkins/commit/582128b9ac179a788d43c1478be8a5224dc19710
Patch
Third Party Advisory
https://issues.jenkins-ci.org/browse/JENKINS-25019
Issue Tracking
Vendor Advisory
https://jenkins.io/changelog-old/
Release Notes
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

Одновременно

cpe:2.3:a:jenkins:jenkins:*:*:*:*:*:*:*:*

Версия до 1.585 (включая)

Одно из

cpe:2.3:a:apache:tomcat:7.0.41:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.42:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.43:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.44:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.45:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.46:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.47:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.48:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.49:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.50:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.51:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.54:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.55:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.56:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.57:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.58:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.59:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.60:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.61:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.62:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.63:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.64:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.65:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.66:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.67:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.68:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.69:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.70:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.71:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.72:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.73:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.74:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.75:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.76:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.77:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.78:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.79:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.80:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:7.0.81:*:*:*:*:*:*:*

EPSS

Процентиль: 69%

0.00598

Низкий

5.3 Medium

CVSS3

5 Medium

CVSS2

Дефекты

CWE-254

Связанные уязвимости

CVE-2014-9635

CVSS3: 5.3

ubuntu

около 8 лет назад

CVE-2014-9635

redhat

почти 11 лет назад

CVE-2014-9635

CVSS3: 5.3

debian

около 8 лет назад

Jenkins before 1.586 does not set the HttpOnly flag in a Set-Cookie he ...

GHSA-7f6w-fhmr-j8hq

CVSS3: 5.3

github

больше 3 лет назад

Jenkins HttpOnly flag not Set for session cookies

EPSS

Процентиль: 69%

0.00598

Низкий

5.3 Medium

CVSS3

5 Medium

CVSS2

Дефекты

CWE-254