CVE-2014-9634
Jenkins secure flag not set on session cookies
5.3
MEDIUM
CVSS 3.1
EPSS 0.68%
Description
Jenkins before 1.586 does not set the secure flag on session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to capture cookies by intercepting their transmission within an HTTP session.
How to fix CVE-2014-9634
To remediate CVE-2014-9634, upgrade the affected package to a fixed version below.
- Maven/org.jenkins-ci.main:jenkins-core—upgrade to 1.586 or later
Is CVE-2014-9634 being exploited?
Low — EPSS is 0.7%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 1.586
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |