cve-2014-9634
Vulnerability from cvelistv5
Published
2017-09-12 14:00
Modified
2024-08-06 13:47
Severity
Summary
Jenkins before 1.586 does not set the secure flag on session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to capture cookies by intercepting their transmission within an HTTP session.
References
| Source | URL | Tags |
|---|---|---|
| secalert@redhat.com | http://www.openwall.com/lists/oss-security/2015/01/22/3 | Mailing List, Third Party Advisory |
| secalert@redhat.com | http://www.securityfocus.com/bid/72054 | Third Party Advisory, VDB Entry |
| secalert@redhat.com | https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769682 | Third Party Advisory |
| secalert@redhat.com | https://bugzilla.redhat.com/show_bug.cgi?id=1185148 | Issue Tracking, Third Party Advisory, VDB Entry |
| secalert@redhat.com | https://github.com/jenkinsci/jenkins/commit/582128b9ac179a788d43c1478be8a5224dc19710 | Patch, Third Party Advisory |
| secalert@redhat.com | https://issues.jenkins-ci.org/browse/JENKINS-25019 | Issue Tracking, Vendor Advisory |
| secalert@redhat.com | https://jenkins.io/changelog-old/ | Release Notes, Vendor Advisory |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T13:47:41.820Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[oss-security] 20150122 Re: ping on CVE Request for jenkins-tomcat: Secure and HttpOnly flags are not, set for cookies with Jenkins on Tomcat",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2015/01/22/3"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1185148"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://jenkins.io/changelog-old/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769682"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://issues.jenkins-ci.org/browse/JENKINS-25019"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/jenkinsci/jenkins/commit/582128b9ac179a788d43c1478be8a5224dc19710"
},
{
"name": "72054",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/72054"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-01-22T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Jenkins before 1.586 does not set the secure flag on session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to capture cookies by intercepting their transmission within an HTTP session."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-09-12T13:57:01",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "[oss-security] 20150122 Re: ping on CVE Request for jenkins-tomcat: Secure and HttpOnly flags are not, set for cookies with Jenkins on Tomcat",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2015/01/22/3"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1185148"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://jenkins.io/changelog-old/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769682"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://issues.jenkins-ci.org/browse/JENKINS-25019"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/jenkinsci/jenkins/commit/582128b9ac179a788d43c1478be8a5224dc19710"
},
{
"name": "72054",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/72054"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2014-9634",
"datePublished": "2017-09-12T14:00:00",
"dateReserved": "2015-01-22T00:00:00",
"dateUpdated": "2024-08-06T13:47:41.820Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2014-9634\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2017-09-12T14:29:00.253\",\"lastModified\":\"2017-09-21T18:47:39.513\",\"vulnStatus\":\"Analyzed\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"Jenkins before 1.586 does not set the secure flag on session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to capture cookies by intercepting their transmission within an HTTP session.\"},{\"lang\":\"es\",\"value\":\"Jenkins en versiones anteriores a la 1.586 no establece el indicador \\\"secure\\\" cuando se ejecuta en Tomcat 7.0.41 o posterior, lo que facilita que los atacantes remotos capturen cookies interceptando su transmisi\u00f3n en una sesi\u00f3n HTML.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:N/A:N\",\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\",\"baseScore\":5.0},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":true,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-254\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:jenkins:jenkins:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"1.585\",\"matchCriteriaId\":\"C1F11E15-FD3D-48AC-9BEA-4E2730551F48\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:apache:tomcat:7.0.41:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DA8A7333-B4C3-4876-AE01-62F2FD315504\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:apache:tomcat:7.0.42:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"92993E23-D805-407B-8B87-11CEEE8B212F\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:apache:tomcat:7.0.43:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"7A11BD74-305C-41E2-95B1-5008EEF5FA5F\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:apache:tomcat:7.0.44:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"595442D0-9DB7-475A-AE30-8535B70E122E\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:apache:tomcat:7.0.45:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4B0BA92A-0BD3-4CE4-9465-95E949104BAC\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:apache:tomcat:7.0.46:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6F944B72-B9EB-4EB8-AEA3-E0D7ADBE1305\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:apache:tomcat:7.0.47:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6AA28D3A-3EE5-4F90-B8F5-4943F7607DA6\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:apache:tomcat:7.0.48:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"BFD3EB84-2ED2-49D4-8BC9-6398C2E46F0A\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:apache:tomcat:7.0.49:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DEDF6E1A-0DD6-42AB-9510-F6F4B6002C91\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:apache:tomcat:7.0.50:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C947E549-2459-4AFB-84A7-36BDA30B5F29\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:apache:tomcat:7.0.51:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"67A0EA46-5AEA-4D0A-B89E-6560FA10EC08\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:apache:tomcat:7.0.54:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F8E9453E-BC9B-4F77-85FA-BA15AC55C245\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:apache:tomcat:7.0.55:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A7EF0518-73F9-47DB-8946-A8334936BEFF\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:apache:tomcat:7.0.56:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"95AA8778-7833-4572-A71B-5FD89938CE94\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:apache:tomcat:7.0.57:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"242E47CE-EF69-4F8F-AB40-5AF2811674CE\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:apache:tomcat:7.0.58:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A225D4F7-174E-47C3-8390-C6FA28DB5A9A\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:apache:tomcat:7.0.59:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"CDA1555C-E55A-4E14-B786-BFEE3F09220B\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:apache:tomcat:7.0.60:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6BAC42AE-B82A-4ABF-9519-B2D97D925707\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:apache:tomcat:7.0.61:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F8075E9A-DA7F-4A0B-8B4D-0CD951369111\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:apache:tomcat:7.0.62:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"335A5320-6086-4B45-9903-82F6F92A584F\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:apache:tomcat:7.0.63:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"46B33408-C2E2-4E7C-9334-6AB98F13468C\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:apache:tomcat:7.0.64:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9F036676-9EFB-4A92-828E-A38905D594E2\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:apache:tomcat:7.0.65:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E9728EE8-6029-4DF3-942E-E4ACC09111A3\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:apache:tomcat:7.0.66:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"62DBB843-288C-4060-8777-6CDCF1860D29\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:apache:tomcat:7.0.67:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"34E7DAC8-8419-45D1-A28F-14CF2FE1B6EE\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:apache:tomcat:7.0.68:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"89B87EB5-4902-4C2A-878A-45185F7D0FA1\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:apache:tomcat:7.0.69:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C0596E6C-9ACE-4106-A2FF-BED7967C323F\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:apache:tomcat:7.0.70:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"8F7158DC-966B-4508-8600-40E3E9D3D0DF\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:apache:tomcat:7.0.71:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A190FE0D-86C1-49EE-BDAE-5879C32BDC92\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:apache:tomcat:7.0.72:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"CA20F45F-01A2-43DD-9731-DFF54E31719F\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:apache:tomcat:7.0.73:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"3C7A728B-59DB-4EDE-8929-C91F4C410902\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:apache:tomcat:7.0.74:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"26889291-3280-4524-8F4A-9B22FF4600C8\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:apache:tomcat:7.0.75:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6E4CAEBD-0F38-4892-9D0B-9D7392E0BCC3\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:apache:tomcat:7.0.76:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"61C4DA00-E47C-47BE-856C-7E0D4B0F9DAA\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:apache:tomcat:7.0.77:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"41FF234B-A9AD-4C51-8E9E-939DC8ECB64A\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:apache:tomcat:7.0.78:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4FA0E2FD-84FB-4691-B4B5-12A381CB091E\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:apache:tomcat:7.0.79:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"69CC7A75-8EA2-4F62-AF84-CE60C76F9F7C\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:apache:tomcat:7.0.80:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4CA59311-0095-49D7-BDF2-E72F847F3F09\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:apache:tomcat:7.0.81:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A1E06587-2543-47A9-9E02-4BE7B0190065\"}]}]}],\"references\":[{\"url\":\"http://www.openwall.com/lists/oss-security/2015/01/22/3\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://www.securityfocus.com/bid/72054\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769682\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=1185148\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Issue Tracking\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://github.com/jenkinsci/jenkins/commit/582128b9ac179a788d43c1478be8a5224dc19710\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://issues.jenkins-ci.org/browse/JENKINS-25019\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Issue Tracking\",\"Vendor Advisory\"]},{\"url\":\"https://jenkins.io/changelog-old/\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Release Notes\",\"Vendor Advisory\"]}]}}"
}
}
Loading...