CVE-2014-9635

medium

Published 2017-09-12 · Modified 2024-12-05

CVSS v3

5.3

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS v2

5.0

VIR risk

5.3

Description

Jenkins HttpOnly flag not Set for session cookies

Exploit likelihood

63%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

vendor Authored 2026-05-27

Vendor advisory: secalert@redhat.com — https://jenkins.io/changelog-old/

vendor Authored 2026-05-27

Vendor advisory: secalert@redhat.com — https://issues.jenkins-ci.org/browse/JENKINS-25019

vendor Authored 2026-05-27

Vendor advisory: secalert@redhat.com — https://github.com/jenkinsci/jenkins/commit/582128b9ac179a788d43c1478be8a5224dc19710

Ecosystem	Package	Vulnerable	Fixed
Maven	org.jenkins-ci.main:jenkins-core	`<1.586`	`1.586`

Vendor	Product	Versions
jenkins	jenkins	`{"endIncluding":"1.585"}`
apache	tomcat	`7.0.41`
apache	tomcat	`7.0.42`
apache	tomcat	`7.0.43`
apache	tomcat	`7.0.44`
apache	tomcat	`7.0.45`
apache	tomcat	`7.0.46`
apache	tomcat	`7.0.47`
apache	tomcat	`7.0.48`
apache	tomcat	`7.0.49`
apache	tomcat	`7.0.50`
apache	tomcat	`7.0.51`
apache	tomcat	`7.0.54`
apache	tomcat	`7.0.55`
apache	tomcat	`7.0.56`
apache	tomcat	`7.0.57`
apache	tomcat	`7.0.58`
apache	tomcat	`7.0.59`
apache	tomcat	`7.0.60`
apache	tomcat	`7.0.61`
apache	tomcat	`7.0.62`
apache	tomcat	`7.0.63`
apache	tomcat	`7.0.64`
apache	tomcat	`7.0.65`
apache	tomcat	`7.0.66`
apache	tomcat	`7.0.67`
apache	tomcat	`7.0.68`
apache	tomcat	`7.0.69`
apache	tomcat	`7.0.70`
apache	tomcat	`7.0.71`
apache	tomcat	`7.0.72`
apache	tomcat	`7.0.73`
apache	tomcat	`7.0.74`
apache	tomcat	`7.0.75`
apache	tomcat	`7.0.76`
apache	tomcat	`7.0.77`
apache	tomcat	`7.0.78`
apache	tomcat	`7.0.79`
apache	tomcat	`7.0.80`
apache	tomcat	`7.0.81`

CWE-254

Verify integrity in audit chain (admin only). AS-IS.