Описание
Jenkins 2.196 and earlier, LTS 2.176.3 and earlier printed the value of the "Cookie" HTTP request header on the /whoAmI/ URL, allowing attackers exploiting another XSS vulnerability to obtain the HTTP session cookie despite it being marked HttpOnly.
Ссылки
- Mailing ListThird Party Advisory
- Vendor Advisory
- Mailing ListThird Party Advisory
- Vendor Advisory
Уязвимые конфигурации
Конфигурация 1Версия до 2.176.3 (включая)Версия до 2.196 (включая)
Одно из
cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*
cpe:2.3:a:jenkins:jenkins:*:*:*:*:-:*:*:*
EPSS
Процентиль: 99%
0.81459
Высокий
5.4 Medium
CVSS3
3.5 Low
CVSS2
Дефекты
CWE-79
Связанные уязвимости
CVSS3: 4.4
redhat
больше 6 лет назад
Jenkins 2.196 and earlier, LTS 2.176.3 and earlier printed the value of the "Cookie" HTTP request header on the /whoAmI/ URL, allowing attackers exploiting another XSS vulnerability to obtain the HTTP session cookie despite it being marked HttpOnly.
CVSS3: 5.4
debian
больше 6 лет назад
Jenkins 2.196 and earlier, LTS 2.176.3 and earlier printed the value o ...
CVSS3: 4.3
github
больше 3 лет назад
Exposure of Sensitive Information to an Unauthorized Actor in Jenkins
EPSS
Процентиль: 99%
0.81459
Высокий
5.4 Medium
CVSS3
3.5 Low
CVSS2
Дефекты
CWE-79