CVE-2019-10405

Name
CVE-2019-10405
Description
Jenkins 2.196 and earlier, and LTS 2.176.3 and earlier, echoed the value of the "Cookie" HTTP request header in the page served at the /whoAmI/ URL. An attacker able to exploit a separate XSS vulnerability could therefore fetch /whoAmI/ from the victim's browser and read the HTTP session cookie out of the response body, bypassing the protection the HttpOnly flag normally provides (HttpOnly blocks script access to document.cookie, not a server that reflects the header back in a page).
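The following is an added example written for this page, not Jenkins project code or an exploit from the advisory. It shows the two checks a practitioner would want from the description above: whether a Jenkins version string falls inside the match rules listed on this page, and whether a /whoAmI/ response body reflects a cookie value the client supplied (the reflection itself is the signal; the HttpOnly flag is irrelevant to a server that echoes the header). The function names, the canary cookie, the assumption that LTS version strings have three components while weekly releases have two, and the sample HTML bodies are all assumptions made for illustration; the sample bodies only mimic the behaviour described, not Jenkins' real markup.

```python
# Added example for this page (not Jenkins project code): offline helpers to
# decide whether a Jenkins version falls inside the CVE-2019-10405 match rules
# and to test whether a /whoAmI/ response reflects a Cookie header value.
# Function names, the canary format and the sample HTML below are assumptions
# made for illustration.
import urllib.request


def parse_version(version: str) -> tuple:
    """Turn '2.176.3' into (2, 176, 3) so tuples compare numerically."""
    return tuple(int(part) for part in version.strip().split("."))


def is_affected(version: str) -> bool:
    """Apply the page's match rules.

    Assumption: Jenkins LTS releases carry three components (2.176.3) and
    weekly releases two (2.196). The LTS rule caps at 2.176.3 inclusive,
    the weekly rule at 2.196 inclusive.
    """
    parsed = parse_version(version)
    if len(parsed) == 3:
        return parsed <= (2, 176, 3)
    return parsed <= (2, 196)


def reflects_cookie(body: str, canary: str) -> bool:
    """True if the canary cookie value appears anywhere in the response body.

    The mechanism behind CVE-2019-10405 is that /whoAmI/ echoes the raw
    Cookie request header, so a client-chosen value showing up in the body
    is exactly the condition an XSS payload would abuse.
    """
    return canary in body


def probe(base_url: str, canary: str = "cve201910405canary") -> bool:
    """Live check (not exercised offline): send a canary cookie to /whoAmI/
    and look for it in the response. Only run against an instance you are
    authorised to test.
    """
    req = urllib.request.Request(
        base_url.rstrip("/") + "/whoAmI/",
        headers={"Cookie": "canary=" + canary},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return reflects_cookie(resp.read().decode("utf-8", "replace"), canary)


# Constructed sample bodies standing in for /whoAmI/ output. They mimic the
# behaviour this page describes (header echoed vs. not echoed), nothing more.
VULNERABLE_BODY = """<html><body><h1>Who Am I</h1>
<table><tr><td>User-Agent</td><td>probe/1.0</td></tr>
<tr><td>Cookie</td><td>canary=cve201910405canary; JSESSIONID=abc</td></tr></table>
</body></html>"""

FIXED_BODY = """<html><body><h1>Who Am I</h1>
<table><tr><td>User-Agent</td><td>probe/1.0</td></tr></table>
</body></html>"""


if __name__ == "__main__":
    for v in ("2.196", "2.197", "2.176.3", "2.176.4"):
        print(v, "affected" if is_affected(v) else "not affected")
    print("vulnerable sample reflects canary:",
          reflects_cookie(VULNERABLE_BODY, "cve201910405canary"))
    print("fixed sample reflects canary:",
          reflects_cookie(FIXED_BODY, "cve201910405canary"))
```

The version check mirrors the two CPE match rules on this page (weekly up to 2.196, LTS up to 2.176.3); the reflection check is the one to rely on where the version banner is hidden, since it observes the vulnerable behaviour directly rather than inferring it.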
NVD Severity
medium
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
Vendor Advisory https://jenkins.io/security/advisory/2019-09-25/#SECURITY-1505
Third Party Advisory http://www.openwall.com/lists/oss-security/2019/09/25/3

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:jenkins:jenkins:*:*:*:*:-:*:*:* jenkins >= None <= 2.196
cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:* jenkins >= None <= 2.176.3

Vulnerable and fixed packages

Source package Branch Version Maintainer Status