[MAVEN:GHSA-G7CF-WG27-QW87] Jenkins secure flag not set on session cookies

Severity Moderate

Affected Packages 1

Fixed Packages 1

CVEs 1

Jenkins before 1.586 does not set the secure flag on session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to capture cookies by intercepting their transmission within an HTTP session.

Package	Affected Version
pkg:maven/org.jenkins-ci.main/jenkins-core	< 1.586

Package	Fixed Version
pkg:maven/org.jenkins-ci.main/jenkins-core	= 1.586

ID: MAVEN:GHSA-G7CF-WG27-QW87
Severity: moderate
URL: https://github.com/advisories/GHSA-g7cf-wg27-qw87
Published: 2022-05-17T00:50:18
(2 years ago)
Modified: 2024-01-30T23:18:43
(7 months ago)
Rights: Maven Security Team

Source	# ID	Name	URL
			https://nvd.nist.gov/vuln/detail/CVE-2014-9634
			https://github.com/jenkinsci/jenkins/commit/582128b9ac179a788d43c1478be8a5224dc19710
			https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769682
			https://bugzilla.redhat.com/show_bug.cgi?id=1185148
			https://issues.jenkins-ci.org/browse/JENKINS-25019
			https://jenkins.io/changelog-old/
			http://www.openwall.com/lists/oss-security/2015/01/22/3
			http://www.securityfocus.com/bid/72054
			https://github.com/advisories/GHSA-g7cf-wg27-qw87

Type	Package URL	Namespace	Name / Product	Version	Distribution / Platform	Arch	Patch / Fix
Affected	pkg:maven/org.jenkins-ci.main/jenkins-core	org.jenkins-ci.main	jenkins-core	< 1.586
Fixed	pkg:maven/org.jenkins-ci.main/jenkins-core	org.jenkins-ci.main	jenkins-core	= 1.586

# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	Exploits	PoC	Pubblication Date	Modification Date
# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	PoC	Pubblication Date	Modification Date