{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2015-01-22T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "Jenkins before 1.586 does not set the secure flag on session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to capture cookies by intercepting their transmission within an HTTP session."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-09-12T13:57:01.000Z", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "[oss-security] 20150122 Re: ping on CVE Request for jenkins-tomcat: Secure and HttpOnly flags are not, set for cookies with Jenkins on Tomcat", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2015/01/22/3"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1185148"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://jenkins.io/changelog-old/"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769682"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://issues.jenkins-ci.org/browse/JENKINS-25019"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/jenkinsci/jenkins/commit/582128b9ac179a788d43c1478be8a5224dc19710"}, {"name": "72054", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/72054"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T13:47:41.820Z"}, "title": "CVE Program Container", "references": [{"name": "[oss-security] 20150122 Re: ping on CVE Request for jenkins-tomcat: Secure and HttpOnly flags are not, set for cookies with Jenkins on Tomcat", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2015/01/22/3"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1185148"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://jenkins.io/changelog-old/"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769682"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://issues.jenkins-ci.org/browse/JENKINS-25019"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/jenkinsci/jenkins/commit/582128b9ac179a788d43c1478be8a5224dc19710"}, {"name": "72054", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/72054"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2014-9634", "datePublished": "2017-09-12T14:00:00.000Z", "dateReserved": "2015-01-22T00:00:00.000Z", "dateUpdated": "2024-08-06T13:47:41.820Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jenkins:jenkins:*:*:*:*:*:*:*:*", "matchCriteriaId": "C1F11E15-FD3D-48AC-9BEA-4E2730551F48", "versionEndIncluding": "1.585", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:apache:tomcat:7.0.41:*:*:*:*:*:*:*", "matchCriteriaId": "DA8A7333-B4C3-4876-AE01-62F2FD315504", "vulnerable": false}, {"criteria": "cpe:2.3:a:apache:tomcat:7.0.42:*:*:*:*:*:*:*", "matchCriteriaId": "92993E23-D805-407B-8B87-11CEEE8B212F", "vulnerable": false}, {"criteria": "cpe:2.3:a:apache:tomcat:7.0.43:*:*:*:*:*:*:*", "matchCriteriaId": "7A11BD74-305C-41E2-95B1-5008EEF5FA5F", "vulnerable": false}, {"criteria": "cpe:2.3:a:apache:tomcat:7.0.44:*:*:*:*:*:*:*", "matchCriteriaId": "595442D0-9DB7-475A-AE30-8535B70E122E", "vulnerable": false}, {"criteria": "cpe:2.3:a:apache:tomcat:7.0.45:*:*:*:*:*:*:*", "matchCriteriaId": "4B0BA92A-0BD3-4CE4-9465-95E949104BAC", "vulnerable": false}, {"criteria": "cpe:2.3:a:apache:tomcat:7.0.46:*:*:*:*:*:*:*", "matchCriteriaId": "6F944B72-B9EB-4EB8-AEA3-E0D7ADBE1305", "vulnerable": false}, {"criteria": "cpe:2.3:a:apache:tomcat:7.0.47:*:*:*:*:*:*:*", "matchCriteriaId": "6AA28D3A-3EE5-4F90-B8F5-4943F7607DA6", "vulnerable": false}, {"criteria": "cpe:2.3:a:apache:tomcat:7.0.48:*:*:*:*:*:*:*", "matchCriteriaId": "BFD3EB84-2ED2-49D4-8BC9-6398C2E46F0A", "vulnerable": false}, {"criteria": "cpe:2.3:a:apache:tomcat:7.0.49:*:*:*:*:*:*:*", "matchCriteriaId": "DEDF6E1A-0DD6-42AB-9510-F6F4B6002C91", "vulnerable": false}, {"criteria": "cpe:2.3:a:apache:tomcat:7.0.50:*:*:*:*:*:*:*", "matchCriteriaId": "C947E549-2459-4AFB-84A7-36BDA30B5F29", "vulnerable": false}, {"criteria": "cpe:2.3:a:apache:tomcat:7.0.51:*:*:*:*:*:*:*", "matchCriteriaId": "67A0EA46-5AEA-4D0A-B89E-6560FA10EC08", "vulnerable": false}, {"criteria": "cpe:2.3:a:apache:tomcat:7.0.54:*:*:*:*:*:*:*", "matchCriteriaId": "F8E9453E-BC9B-4F77-85FA-BA15AC55C245", "vulnerable": false}, {"criteria": "cpe:2.3:a:apache:tomcat:7.0.55:*:*:*:*:*:*:*", "matchCriteriaId": "A7EF0518-73F9-47DB-8946-A8334936BEFF", "vulnerable": false}, {"criteria": "cpe:2.3:a:apache:tomcat:7.0.56:*:*:*:*:*:*:*", "matchCriteriaId": "95AA8778-7833-4572-A71B-5FD89938CE94", "vulnerable": false}, {"criteria": "cpe:2.3:a:apache:tomcat:7.0.57:*:*:*:*:*:*:*", "matchCriteriaId": "242E47CE-EF69-4F8F-AB40-5AF2811674CE", "vulnerable": false}, {"criteria": "cpe:2.3:a:apache:tomcat:7.0.58:*:*:*:*:*:*:*", "matchCriteriaId": "A225D4F7-174E-47C3-8390-C6FA28DB5A9A", "vulnerable": false}, {"criteria": "cpe:2.3:a:apache:tomcat:7.0.59:*:*:*:*:*:*:*", "matchCriteriaId": "CDA1555C-E55A-4E14-B786-BFEE3F09220B", "vulnerable": false}, {"criteria": "cpe:2.3:a:apache:tomcat:7.0.60:*:*:*:*:*:*:*", "matchCriteriaId": "6BAC42AE-B82A-4ABF-9519-B2D97D925707", "vulnerable": false}, {"criteria": "cpe:2.3:a:apache:tomcat:7.0.61:*:*:*:*:*:*:*", "matchCriteriaId": "F8075E9A-DA7F-4A0B-8B4D-0CD951369111", "vulnerable": false}, {"criteria": "cpe:2.3:a:apache:tomcat:7.0.62:*:*:*:*:*:*:*", "matchCriteriaId": "335A5320-6086-4B45-9903-82F6F92A584F", "vulnerable": false}, {"criteria": "cpe:2.3:a:apache:tomcat:7.0.63:*:*:*:*:*:*:*", "matchCriteriaId": "46B33408-C2E2-4E7C-9334-6AB98F13468C", "vulnerable": false}, {"criteria": "cpe:2.3:a:apache:tomcat:7.0.64:*:*:*:*:*:*:*", "matchCriteriaId": "9F036676-9EFB-4A92-828E-A38905D594E2", "vulnerable": false}, {"criteria": "cpe:2.3:a:apache:tomcat:7.0.65:*:*:*:*:*:*:*", "matchCriteriaId": "E9728EE8-6029-4DF3-942E-E4ACC09111A3", "vulnerable": false}, {"criteria": "cpe:2.3:a:apache:tomcat:7.0.66:*:*:*:*:*:*:*", "matchCriteriaId": "62DBB843-288C-4060-8777-6CDCF1860D29", "vulnerable": false}, {"criteria": "cpe:2.3:a:apache:tomcat:7.0.67:*:*:*:*:*:*:*", "matchCriteriaId": "34E7DAC8-8419-45D1-A28F-14CF2FE1B6EE", "vulnerable": false}, {"criteria": "cpe:2.3:a:apache:tomcat:7.0.68:*:*:*:*:*:*:*", "matchCriteriaId": "89B87EB5-4902-4C2A-878A-45185F7D0FA1", "vulnerable": false}, {"criteria": "cpe:2.3:a:apache:tomcat:7.0.69:*:*:*:*:*:*:*", "matchCriteriaId": "C0596E6C-9ACE-4106-A2FF-BED7967C323F", "vulnerable": false}, {"criteria": "cpe:2.3:a:apache:tomcat:7.0.70:*:*:*:*:*:*:*", "matchCriteriaId": "8F7158DC-966B-4508-8600-40E3E9D3D0DF", "vulnerable": false}, {"criteria": "cpe:2.3:a:apache:tomcat:7.0.71:*:*:*:*:*:*:*", "matchCriteriaId": "A190FE0D-86C1-49EE-BDAE-5879C32BDC92", "vulnerable": false}, {"criteria": "cpe:2.3:a:apache:tomcat:7.0.72:*:*:*:*:*:*:*", "matchCriteriaId": "CA20F45F-01A2-43DD-9731-DFF54E31719F", "vulnerable": false}, {"criteria": "cpe:2.3:a:apache:tomcat:7.0.73:*:*:*:*:*:*:*", "matchCriteriaId": "3C7A728B-59DB-4EDE-8929-C91F4C410902", "vulnerable": false}, {"criteria": "cpe:2.3:a:apache:tomcat:7.0.74:*:*:*:*:*:*:*", "matchCriteriaId": "26889291-3280-4524-8F4A-9B22FF4600C8", "vulnerable": false}, {"criteria": "cpe:2.3:a:apache:tomcat:7.0.75:*:*:*:*:*:*:*", "matchCriteriaId": "6E4CAEBD-0F38-4892-9D0B-9D7392E0BCC3", "vulnerable": false}, {"criteria": "cpe:2.3:a:apache:tomcat:7.0.76:*:*:*:*:*:*:*", "matchCriteriaId": "61C4DA00-E47C-47BE-856C-7E0D4B0F9DAA", "vulnerable": false}, {"criteria": "cpe:2.3:a:apache:tomcat:7.0.77:*:*:*:*:*:*:*", "matchCriteriaId": "41FF234B-A9AD-4C51-8E9E-939DC8ECB64A", "vulnerable": false}, {"criteria": "cpe:2.3:a:apache:tomcat:7.0.78:*:*:*:*:*:*:*", "matchCriteriaId": "4FA0E2FD-84FB-4691-B4B5-12A381CB091E", "vulnerable": false}, {"criteria": "cpe:2.3:a:apache:tomcat:7.0.79:*:*:*:*:*:*:*", "matchCriteriaId": "69CC7A75-8EA2-4F62-AF84-CE60C76F9F7C", "vulnerable": false}, {"criteria": "cpe:2.3:a:apache:tomcat:7.0.80:*:*:*:*:*:*:*", "matchCriteriaId": "4CA59311-0095-49D7-BDF2-E72F847F3F09", "vulnerable": false}, {"criteria": "cpe:2.3:a:apache:tomcat:7.0.81:*:*:*:*:*:*:*", "matchCriteriaId": "A1E06587-2543-47A9-9E02-4BE7B0190065", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Jenkins before 1.586 does not set the secure flag on session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to capture cookies by intercepting their transmission within an HTTP session."}, {"lang": "es", "value": "Jenkins en versiones anteriores a la 1.586 no establece el indicador \"secure\" cuando se ejecuta en Tomcat 7.0.41 o posterior, lo que facilita que los atacantes remotos capturen cookies interceptando su transmisi\u00f3n en una sesi\u00f3n HTML."}], "id": "CVE-2014-9634", "lastModified": "2025-04-20T01:37:25.860", "metrics": {"cvssMetricV2": [{"acInsufInfo": true, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-09-12T14:29:00.253", "references": [{"source": "secalert@redhat.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2015/01/22/3"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/72054"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769682"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Third Party Advisory", "VDB Entry"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1185148"}, {"source": "secalert@redhat.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/jenkinsci/jenkins/commit/582128b9ac179a788d43c1478be8a5224dc19710"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://issues.jenkins-ci.org/browse/JENKINS-25019"}, {"source": "secalert@redhat.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://jenkins.io/changelog-old/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2015/01/22/3"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/72054"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769682"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Third Party Advisory", "VDB Entry"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1185148"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/jenkinsci/jenkins/commit/582128b9ac179a788d43c1478be8a5224dc19710"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://issues.jenkins-ci.org/browse/JENKINS-25019"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://jenkins.io/changelog-old/"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-254"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank Yann Rouillard for reporting this issue.", "bugzilla": {"description": "Tomcat: failure to set secure flag on cookies", "id": "1185148", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1185148"}, "csaw": false, "cvss": {"cvss_base_score": "4.3", "cvss_scoring_vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "status": "draft"}, "details": ["Jenkins before 1.586 does not set the secure flag on session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to capture cookies by intercepting their transmission within an HTTP session."], "name": "CVE-2014-9634", "package_state": [{"cpe": "cpe:/a:redhat:openshift:2", "fix_state": "Will not fix", "package_name": "jenkins", "product_name": "Red Hat OpenShift Enterprise 2"}], "public_date": "2014-11-15T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2014-9634\nhttps://nvd.nist.gov/vuln/detail/CVE-2014-9634"], "statement": "This issue affects the versions of Jenkins as shipped with Red Hat OpenShift Enterprise 2. Red Hat Product Security has rated this issue as having Low security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.", "threat_severity": "Low"}

{}