CVE-2019-10405

MEDIUM severity · CVSS 5.4 · Cross-site scripting (XSS)

5.4CVSS MEDIUM

Summary

Jenkins 2.196 and earlier, LTS 2.176.3 and earlier printed the value of the "Cookie" HTTP request header on the /whoAmI/ URL, allowing attackers exploiting another XSS vulnerability to obtain the HTTP session cookie despite it being marked HttpOnly.

Impact & exploitability

Attack vectorNetwork

Attack complexityLow

Privileges requiredLow

User interactionNone

Confidentiality impactLow

Integrity impactLow

Availability impactNone

Exploit probability (EPSS)82%

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Affected products we track (1)

Jenkins

Recommendation

Apply the vendor fix in your normal patch cycle. Open any affected product above for its exact safe version.

Additional information

NVD record
https://jenkins.io/security/advisory/2019-09-25/#SECURITY-1505Advisory
https://jenkins.io/security/advisory/2019-09-25/#SECURITY-1505Advisory
http://www.openwall.com/lists/oss-security/2019/09/25/3Advisory
http://www.openwall.com/lists/oss-security/2019/09/25/3Advisory