CVE-2019-10405

Description

Jenkins 2.196 and earlier, LTS 2.176.3 and earlier printed the value of the Cookie HTTP request header on the /whoAmI/ URL, allowing attackers exploiting another XSS vulnerability to obtain the HTTP session cookie despite it being marked HttpOnly.

Risk Information

Base Score

5.4

MODERATE

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

EPSS Score

Exploitation Probability

79.832

Associated Vulnerability

Vulnerability	OS Platform
Multiple vulnerabilities affected in Jenkins 2.196	Windows
Multiple vulnerabilities are fixed in Jenkins-Core 2.176.4	Windows
Multiple vulnerabilities are fixed in Jenkins-Core 2.197	Windows
Multiple vulnerabilities affected in Jenkins 2.196 (For Ubuntu)	Linux
Multiple vulnerabilities affected in Jenkins 2.196 (For Debian)	Linux
Multiple vulnerabilities affected in Jenkins 2.196 (For Centos)	Linux
Multiple vulnerabilities affected in Jenkins 2.196 (For RedHat)	Linux
Multiple vulnerabilities affected in Jenkins 2.196 (For Suse)	Linux
Multiple vulnerabilities are fixed in Jenkins-Core for Linux 2.176.4	Linux
Multiple vulnerabilities are fixed in Jenkins-Core for Linux 2.197	Linux

Patch Details

No records found

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234