CVE-2014-9635
Vulnerability from cvelistv5
Published
2017-09-12 14:00
Modified
2024-08-06 13:47
Severity
Summary
Jenkins before 1.586 does not set the HttpOnly flag in a Set-Cookie header for session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to obtain potentially sensitive information via script access to cookies.
References
Source | URL | Tags |
---|---|---|
secalert@redhat.com | http://www.openwall.com/lists/oss-security/2015/01/22/3 | Mailing List, Third Party Advisory |
secalert@redhat.com | http://www.securityfocus.com/bid/72054 | Third Party Advisory, VDB Entry |
secalert@redhat.com | https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769682 | Third Party Advisory |
secalert@redhat.com | https://bugzilla.redhat.com/show_bug.cgi?id=1185151 | Issue Tracking, Third Party Advisory, VDB Entry |
secalert@redhat.com | https://github.com/jenkinsci/jenkins/commit/582128b9ac179a788d43c1478be8a5224dc19710 | Patch, Third Party Advisory |
secalert@redhat.com | https://issues.jenkins-ci.org/browse/JENKINS-25019 | Issue Tracking, Vendor Advisory |
secalert@redhat.com | https://jenkins.io/changelog-old/ | Release Notes, Vendor Advisory |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T13:47:41.862Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "[oss-security] 20150122 Re: ping on CVE Request for jenkins-tomcat: Secure and HttpOnly flags are not, set for cookies with Jenkins on Tomcat", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2015/01/22/3" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://issues.jenkins-ci.org/browse/JENKINS-25019" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1185151" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://jenkins.io/changelog-old/" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769682" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/jenkinsci/jenkins/commit/582128b9ac179a788d43c1478be8a5224dc19710" }, { "name": "72054", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/72054" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2015-01-22T00:00:00", "descriptions": [ { "lang": "en", "value": "Jenkins before 1.586 does not set the HttpOnly flag in a Set-Cookie header for session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to obtain potentially sensitive information via script access to cookies." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-09-12T13:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "[oss-security] 20150122 Re: ping on CVE Request for jenkins-tomcat: Secure and HttpOnly flags are not, set for cookies with Jenkins on Tomcat", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2015/01/22/3" }, { "tags": [ "x_refsource_MISC" ], "url": "https://issues.jenkins-ci.org/browse/JENKINS-25019" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1185151" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://jenkins.io/changelog-old/" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769682" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/jenkinsci/jenkins/commit/582128b9ac179a788d43c1478be8a5224dc19710" }, { "name": "72054", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/72054" } ] } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2014-9635", "datePublished": "2017-09-12T14:00:00", "dateReserved": "2015-01-22T00:00:00", "dateUpdated": "2024-08-06T13:47:41.862Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2014-9635\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2017-09-12T14:29:00.300\",\"lastModified\":\"2017-09-21T18:47:08.483\",\"vulnStatus\":\"Analyzed\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"Jenkins before 1.586 does not set the HttpOnly flag in a Set-Cookie header for session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to obtain potentially sensitive information via script access to cookies.\"},{\"lang\":\"es\",\"value\":\"Jenkins en versiones anteriores a la 1.586 no establece el indicador \\\"HttpOnly\\\" en un encabezado Set-Cookie para cookies de sesi\u00f3n cuando se ejecuta en Tomcat 7.0.41 o siguientes, lo que facilita que los atacantes remotos obtengan informaci\u00f3n potencialmente sensible mediante el acceso del script a las cookies.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:N/A:N\",\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\",\"baseScore\":5.0},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":true,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-254\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:jenkins:jenkins:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"1.585\",\"matchCriteriaId\":\"C1F11E15-FD3D-48AC-9BEA-4E2730551F48\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:apache:tomcat:7.0.41:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DA8A7333-B4C3-4876-AE01-62F2FD315504\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:apache:tomcat:7.0.42:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"92993E23-D805-407B-8B87-11CEEE8B212F\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:apache:tomcat:7.0.43:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"7A11BD74-305C-41E2-95B1-5008EEF5FA5F\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:apache:tomcat:7.0.44:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"595442D0-9DB7-475A-AE30-8535B70E122E\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:apache:tomcat:7.0.45:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4B0BA92A-0BD3-4CE4-9465-95E949104BAC\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:apache:tomcat:7.0.46:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6F944B72-B9EB-4EB8-AEA3-E0D7ADBE1305\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:apache:tomcat:7.0.47:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6AA28D3A-3EE5-4F90-B8F5-4943F7607DA6\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:apache:tomcat:7.0.48:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"BFD3EB84-2ED2-49D4-8BC9-6398C2E46F0A\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:apache:tomcat:7.0.49:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DEDF6E1A-0DD6-42AB-9510-F6F4B6002C91\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:apache:tomcat:7.0.50:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C947E549-2459-4AFB-84A7-36BDA30B5F29\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:apache:tomcat:7.0.51:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"67A0EA46-5AEA-4D0A-B89E-6560FA10EC08\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:apache:tomcat:7.0.54:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F8E9453E-BC9B-4F77-85FA-BA15AC55C245\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:apache:tomcat:7.0.55:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A7EF0518-73F9-47DB-8946-A8334936BEFF\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:apache:tomcat:7.0.56:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"95AA8778-7833-4572-A71B-5FD89938CE94\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:apache:tomcat:7.0.57:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"242E47CE-EF69-4F8F-AB40-5AF2811674CE\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:apache:tomcat:7.0.58:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A225D4F7-174E-47C3-8390-C6FA28DB5A9A\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:apache:tomcat:7.0.59:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"CDA1555C-E55A-4E14-B786-BFEE3F09220B\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:apache:tomcat:7.0.60:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6BAC42AE-B82A-4ABF-9519-B2D97D925707\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:apache:tomcat:7.0.61:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F8075E9A-DA7F-4A0B-8B4D-0CD951369111\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:apache:tomcat:7.0.62:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"335A5320-6086-4B45-9903-82F6F92A584F\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:apache:tomcat:7.0.63:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"46B33408-C2E2-4E7C-9334-6AB98F13468C\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:apache:tomcat:7.0.64:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9F036676-9EFB-4A92-828E-A38905D594E2\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:apache:tomcat:7.0.65:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E9728EE8-6029-4DF3-942E-E4ACC09111A3\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:apache:tomcat:7.0.66:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"62DBB843-288C-4060-8777-6CDCF1860D29\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:apache:tomcat:7.0.67:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"34E7DAC8-8419-45D1-A28F-14CF2FE1B6EE\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:apache:tomcat:7.0.68:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"89B87EB5-4902-4C2A-878A-45185F7D0FA1\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:apache:tomcat:7.0.69:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C0596E6C-9ACE-4106-A2FF-BED7967C323F\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:apache:tomcat:7.0.70:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"8F7158DC-966B-4508-8600-40E3E9D3D0DF\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:apache:tomcat:7.0.71:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A190FE0D-86C1-49EE-BDAE-5879C32BDC92\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:apache:tomcat:7.0.72:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"CA20F45F-01A2-43DD-9731-DFF54E31719F\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:apache:tomcat:7.0.73:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"3C7A728B-59DB-4EDE-8929-C91F4C410902\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:apache:tomcat:7.0.74:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"26889291-3280-4524-8F4A-9B22FF4600C8\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:apache:tomcat:7.0.75:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6E4CAEBD-0F38-4892-9D0B-9D7392E0BCC3\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:apache:tomcat:7.0.76:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"61C4DA00-E47C-47BE-856C-7E0D4B0F9DAA\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:apache:tomcat:7.0.77:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"41FF234B-A9AD-4C51-8E9E-939DC8ECB64A\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:apache:tomcat:7.0.78:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4FA0E2FD-84FB-4691-B4B5-12A381CB091E\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:apache:tomcat:7.0.79:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"69CC7A75-8EA2-4F62-AF84-CE60C76F9F7C\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:apache:tomcat:7.0.80:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4CA59311-0095-49D7-BDF2-E72F847F3F09\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:apache:tomcat:7.0.81:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A1E06587-2543-47A9-9E02-4BE7B0190065\"}]}]}],\"references\":[{\"url\":\"http://www.openwall.com/lists/oss-security/2015/01/22/3\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://www.securityfocus.com/bid/72054\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769682\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=1185151\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Issue Tracking\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://github.com/jenkinsci/jenkins/commit/582128b9ac179a788d43c1478be8a5224dc19710\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://issues.jenkins-ci.org/browse/JENKINS-25019\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Issue Tracking\",\"Vendor Advisory\"]},{\"url\":\"https://jenkins.io/changelog-old/\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Release Notes\",\"Vendor Advisory\"]}]}}" } }
Loading...