CVE-2019-10405
Expert Analysis
Professional remediation guidance
Get tailored security recommendations from our analyst team for CVE-2019-10405. We'll provide specific mitigation strategies based on your environment and risk profile.
Description
Jenkins 2.196 and earlier, LTS 2.176.3 and earlier printed the value of the "Cookie" HTTP request header on the /whoAmI/ URL, allowing attackers exploiting another XSS vulnerability to obtain the HTTP session cookie despite it being marked HttpOnly.
Available Exploits
Jenkins <=2.196 - Cookie Exposure
Jenkins through 2.196, LTS 2.176.3 and earlier prints the value of the cookie on the /whoAmI/ URL despite it being marked HttpOnly, thus making it possible to steal cookie-based authentication credentials if the URL is exposed or accessed via another cross-site scripting issue.
Related News
Affected Products
Affected Versions:
GitHub Security Advisories
Community-driven vulnerability intelligence from GitHub
Exposure of Sensitive Information to an Unauthorized Actor in Jenkins
GHSA-47wc-p5cp-w7pwAdvisory Details
Affected Packages
CVSS Scoring
CVSS Score
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
References
Advisory provided by GitHub Security Advisory Database. Published: May 24, 2022, Modified: June 28, 2022