CVE-2014-2060 - Vulnerability Details - OpenCVE

The Winstone servlet container in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to hijack sessions via unspecified vectors.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00086.

Key SSVC decision points have not yet been added.

Vendors	Products
Jenkins	Jenkins
Redhat	Openshift

Configuration 1 [-]

cpe:2.3:a:jenkins:jenkins:*:*:*:*:*:*:*:*

Configuration 2 [-]

cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*

Package	CPE	Advisory	Released Date
Red Hat OpenShift Enterprise 2.1
jenkins-0:1.565.3-1.el6op	cpe:/a:redhat:openshift:2.0::el6	RHBA-2014:1630	2014-10-14T00:00:00Z
jenkins-plugin-openshift-0:0.6.40.1-0.el6op	cpe:/a:redhat:openshift:2.0::el6	RHBA-2014:1630	2014-10-14T00:00:00Z
openshift-origin-cartridge-jenkins-0:1.20.3.5-1.el6op	cpe:/a:redhat:openshift:2.0::el6	RHBA-2014:1630	2014-10-14T00:00:00Z

No data.

References

Link	Providers
http://www.openwall.com/lists/oss-security/2014/02/21/2
https://nvd.nist.gov/vuln/detail/CVE-2014-2060
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-02-14
https://www.cve.org/CVERecord?id=CVE-2014-2060

History

No history.

MITRE

Status: PUBLISHED

Assigner: debian

Published: 2014-10-17T15:00:00

Updated: 2024-08-06T09:58:16.207Z

Reserved: 2014-02-19T00:00:00

Link: CVE-2014-2060

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2014-10-17T15:55:05.557

Modified: 2025-04-12T10:46:40.837

Link: CVE-2014-2060

Redhat

Severity : Moderate

Publid Date: 2014-02-11T00:00:00Z

Links: CVE-2014-2060 - Bugzilla

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2014-02-14T00:00:00", "descriptions": [{"lang": "en", "value": "The Winstone servlet container in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to hijack sessions via unspecified vectors."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2016-06-09T15:57:01", "orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5", "shortName": "debian"}, "references": [{"name": "[oss-security] 20140220 Re: Possible CVE Requests: several issues fixed in Jenkins (Advisory 2014-02-14)", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2014/02/21/2"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-02-14"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@debian.org", "ID": "CVE-2014-2060", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Winstone servlet container in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to hijack sessions via unspecified vectors."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "[oss-security] 20140220 Re: Possible CVE Requests: several issues fixed in Jenkins (Advisory 2014-02-14)", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2014/02/21/2"}, {"name": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-02-14", "refsource": "CONFIRM", "url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-02-14"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T09:58:16.207Z"}, "title": "CVE Program Container", "references": [{"name": "[oss-security] 20140220 Re: Possible CVE Requests: several issues fixed in Jenkins (Advisory 2014-02-14)", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2014/02/21/2"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-02-14"}]}]}, "cveMetadata": {"assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5", "assignerShortName": "debian", "cveId": "CVE-2014-2060", "datePublished": "2014-10-17T15:00:00", "dateReserved": "2014-02-19T00:00:00", "dateUpdated": "2024-08-06T09:58:16.207Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jenkins:jenkins:*:*:*:*:*:*:*:*", "matchCriteriaId": "07E4FEB5-A7D9-49FE-839A-0D650CC19C42", "versionEndIncluding": "1.550", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*", "matchCriteriaId": "F5EDE52E-F7BE-457D-8E56-F24800F02241", "versionEndIncluding": "1.532.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Winstone servlet container in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to hijack sessions via unspecified vectors."}, {"lang": "es", "value": "El contenedor de servlet Winstone en Jenkins en versiones anteriores a 1.551 y LTS en versiones anteriores a 1.532.2 permite a atacantes remotos secuestrar sesiones a trav\u00e9s de vectores no especificados."}], "id": "CVE-2014-2060", "lastModified": "2025-04-12T10:46:40.837", "metrics": {"cvssMetricV2": [{"acInsufInfo": true, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2014-10-17T15:55:05.557", "references": [{"source": "security@debian.org", "url": "http://www.openwall.com/lists/oss-security/2014/02/21/2"}, {"source": "security@debian.org", "tags": ["Vendor Advisory"], "url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-02-14"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2014/02/21/2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-02-14"}], "sourceIdentifier": "security@debian.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}