CVE-2014-9634

medium

Description

Jenkins before 1.586 does not set the secure flag on session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to capture cookies by intercepting their transmission within an HTTP session.

References

https://jenkins.io/changelog-old/

https://issues.jenkins-ci.org/browse/JENKINS-25019

https://github.com/jenkinsci/jenkins/commit/582128b9ac179a788d43c1478be8a5224dc19710

https://bugzilla.redhat.com/show_bug.cgi?id=1185148

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769682

http://www.securityfocus.com/bid/72054

http://www.openwall.com/lists/oss-security/2015/01/22/3

Details

Source: Mitre, NVD

Published: 2017-09-12

Updated: 2017-09-21

Risk Information

CVSS v2

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N