Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2014-9635

Jenkins before 1.586 does not set the HttpOnly flag in a Set-Cookie header for session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to obtain potentially sensitive information via script access to cookies.

Published

2017-09-12T14:29:00.300

Last Modified

2025-04-20T01:37:25.860

Status

Deferred

Source

[email protected]

Severity

CVSSv3.0: 5.3 (MEDIUM)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:P/I:N/A:N

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

Exploitability Score

10.0

Impact Score

2.9

Weaknesses

Type: Primary
CWE-254

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	jenkins	jenkins	≤ 1.585	Yes
Application	apache	tomcat	7.0.41	No
Application	apache	tomcat	7.0.42	No
Application	apache	tomcat	7.0.43	No
Application	apache	tomcat	7.0.44	No
Application	apache	tomcat	7.0.45	No
Application	apache	tomcat	7.0.46	No
Application	apache	tomcat	7.0.47	No
Application	apache	tomcat	7.0.48	No
Application	apache	tomcat	7.0.49	No
Application	apache	tomcat	7.0.50	No
Application	apache	tomcat	7.0.51	No
Application	apache	tomcat	7.0.54	No
Application	apache	tomcat	7.0.55	No
Application	apache	tomcat	7.0.56	No
Application	apache	tomcat	7.0.57	No
Application	apache	tomcat	7.0.58	No
Application	apache	tomcat	7.0.59	No
Application	apache	tomcat	7.0.60	No
Application	apache	tomcat	7.0.61	No
Application	apache	tomcat	7.0.62	No
Application	apache	tomcat	7.0.63	No
Application	apache	tomcat	7.0.64	No
Application	apache	tomcat	7.0.65	No
Application	apache	tomcat	7.0.66	No
Application	apache	tomcat	7.0.67	No
Application	apache	tomcat	7.0.68	No
Application	apache	tomcat	7.0.69	No
Application	apache	tomcat	7.0.70	No
Application	apache	tomcat	7.0.71	No
Application	apache	tomcat	7.0.72	No
Application	apache	tomcat	7.0.73	No
Application	apache	tomcat	7.0.74	No
Application	apache	tomcat	7.0.75	No
Application	apache	tomcat	7.0.76	No
Application	apache	tomcat	7.0.77	No
Application	apache	tomcat	7.0.78	No
Application	apache	tomcat	7.0.79	No
Application	apache	tomcat	7.0.80	No
Application	apache	tomcat	7.0.81	No

References

http://www.openwall.com/lists/oss-security/2015/01/22/3 Mailing List, Third Party Advisory ([email protected])
http://www.securityfocus.com/bid/72054 Third Party Advisory, VDB Entry ([email protected])
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769682 Third Party Advisory ([email protected])
https://bugzilla.redhat.com/show_bug.cgi?id=1185151 Issue Tracking, Third Party Advisory, VDB Entry ([email protected])
https://github.com/jenkinsci/jenkins/commit/582128b9ac179a788d43c1478be8a5224dc19710 Patch, Third Party Advisory ([email protected])
https://issues.jenkins-ci.org/browse/JENKINS-25019 Issue Tracking, Vendor Advisory ([email protected])
https://jenkins.io/changelog-old/ Release Notes, Vendor Advisory ([email protected])
http://www.openwall.com/lists/oss-security/2015/01/22/3 Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.securityfocus.com/bid/72054 Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769682 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://bugzilla.redhat.com/show_bug.cgi?id=1185151 Issue Tracking, Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/jenkinsci/jenkins/commit/582128b9ac179a788d43c1478be8a5224dc19710 Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://issues.jenkins-ci.org/browse/JENKINS-25019 Issue Tracking, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://jenkins.io/changelog-old/ Release Notes, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)