CVE-2014-9634
First published: Fri Jan 23 2015(Updated: )
Jenkins before 1.586 does not set the secure flag on session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to capture cookies by intercepting their transmission within an HTTP session.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/org.jenkins-ci.main:jenkins-core | <1.586 | 1.586 |
| Jenkins LTS | <=1.585 | |
| Tomcat | =7.0.41 | |
| Tomcat | =7.0.42 | |
| Tomcat | =7.0.43 | |
| Tomcat | =7.0.44 | |
| Tomcat | =7.0.45 | |
| Tomcat | =7.0.46 | |
| Tomcat | =7.0.47 | |
| Tomcat | =7.0.48 | |
| Tomcat | =7.0.49 | |
| Tomcat | =7.0.50 | |
| Tomcat | =7.0.51 | |
| Tomcat | =7.0.54 | |
| Tomcat | =7.0.55 | |
| Tomcat | =7.0.56 | |
| Tomcat | =7.0.57 | |
| Tomcat | =7.0.58 | |
| Tomcat | =7.0.59 | |
| Tomcat | =7.0.60 | |
| Tomcat | =7.0.61 | |
| Tomcat | =7.0.62 | |
| Tomcat | =7.0.63 | |
| Tomcat | =7.0.64 | |
| Tomcat | =7.0.65 | |
| Tomcat | =7.0.66 | |
| Tomcat | =7.0.67 | |
| Tomcat | =7.0.68 | |
| Tomcat | =7.0.69 | |
| Tomcat | =7.0.70 | |
| Tomcat | =7.0.71 | |
| Tomcat | =7.0.72 | |
| Tomcat | =7.0.73 | |
| Tomcat | =7.0.74 | |
| Tomcat | =7.0.75 | |
| Tomcat | =7.0.76 | |
| Tomcat | =7.0.77 | |
| Tomcat | =7.0.78 | |
| Tomcat | =7.0.79 | |
| Tomcat | =7.0.80 | |
| Tomcat | =7.0.81 | |
| All of | ||
| Jenkins LTS | <=1.585 | |
| Any of | ||
| Tomcat | =7.0.41 | |
| Tomcat | =7.0.42 | |
| Tomcat | =7.0.43 | |
| Tomcat | =7.0.44 | |
| Tomcat | =7.0.45 | |
| Tomcat | =7.0.46 | |
| Tomcat | =7.0.47 | |
| Tomcat | =7.0.48 | |
| Tomcat | =7.0.49 | |
| Tomcat | =7.0.50 | |
| Tomcat | =7.0.51 | |
| Tomcat | =7.0.54 | |
| Tomcat | =7.0.55 | |
| Tomcat | =7.0.56 | |
| Tomcat | =7.0.57 | |
| Tomcat | =7.0.58 | |
| Tomcat | =7.0.59 | |
| Tomcat | =7.0.60 | |
| Tomcat | =7.0.61 | |
| Tomcat | =7.0.62 | |
| Tomcat | =7.0.63 | |
| Tomcat | =7.0.64 | |
| Tomcat | =7.0.65 | |
| Tomcat | =7.0.66 | |
| Tomcat | =7.0.67 | |
| Tomcat | =7.0.68 | |
| Tomcat | =7.0.69 | |
| Tomcat | =7.0.70 | |
| Tomcat | =7.0.71 | |
| Tomcat | =7.0.72 | |
| Tomcat | =7.0.73 | |
| Tomcat | =7.0.74 | |
| Tomcat | =7.0.75 | |
| Tomcat | =7.0.76 | |
| Tomcat | =7.0.77 | |
| Tomcat | =7.0.78 | |
| Tomcat | =7.0.79 | |
| Tomcat | =7.0.80 | |
| Tomcat | =7.0.81 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.openwall.com/lists/oss-security/2015/01/22/3
- http://www.securityfocus.com/bid/72054
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769682
- https://bugzilla.redhat.com/show_bug.cgi?id=1185148
- https://github.com/jenkinsci/jenkins/commit/582128b9ac179a788d43c1478be8a5224dc19710
- https://issues.jenkins-ci.org/browse/JENKINS-25019
- https://jenkins.io/changelog-old/
- https://nvd.nist.gov/vuln/detail/CVE-2014-9634
- https://github.com/advisories/GHSA-g7cf-wg27-qw87 (Advisory)
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1185152
- https://access.redhat.com/security/updates/classification/
Frequently Asked Questions
What is the severity of CVE-2014-9634?
CVE-2014-9634 is considered a medium severity vulnerability due to its potential for cookie interception.
How do I fix CVE-2014-9634?
To fix CVE-2014-9634, upgrade Jenkins to version 1.586 or later when running on Tomcat 7.0.41 or later.
Who discovered CVE-2014-9634?
CVE-2014-9634 was reported by security researcher Yann Rouillard.
What systems are affected by CVE-2014-9634?
CVE-2014-9634 affects Jenkins versions before 1.586 when run on Tomcat version 7.0.41 or later.
What is the nature of the vulnerability CVE-2014-9634?
CVE-2014-9634 involves the lack of a secure flag on session cookies, making them susceptible to interception.
- agent/type
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-g7cf-wg27-qw87
- alias/CVE-2014-9634
- agent/software-canonical-lookup
- collector/redhat-bugzilla
- source/Red Hat
- agent/remedy
- agent/severity
- agent/references
- agent/weakness
- agent/last-modified-date
- agent/description
- agent/event
- collector/github-advisory
- agent/trending
- agent/source
- agent/author
- agent/tags
- agent/softwarecombine
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-cve
- source/NVD
- package-manager/maven
- vendor/jenkins
- canonical/jenkins lts
- version/jenkins lts/1.585
- vendor/apache
- canonical/tomcat
- version/tomcat/7.0.41
- version/tomcat/7.0.42
- version/tomcat/7.0.43
- version/tomcat/7.0.44
- version/tomcat/7.0.45
- version/tomcat/7.0.46
- version/tomcat/7.0.47
- version/tomcat/7.0.48
- version/tomcat/7.0.49
- version/tomcat/7.0.50
- version/tomcat/7.0.51
- version/tomcat/7.0.54
- version/tomcat/7.0.55
- version/tomcat/7.0.56
- version/tomcat/7.0.57
- version/tomcat/7.0.58
- version/tomcat/7.0.59
- version/tomcat/7.0.60
- version/tomcat/7.0.61
- version/tomcat/7.0.62
- version/tomcat/7.0.63
- version/tomcat/7.0.64
- version/tomcat/7.0.65
- version/tomcat/7.0.66
- version/tomcat/7.0.67
- version/tomcat/7.0.68
- version/tomcat/7.0.69
- version/tomcat/7.0.70
- version/tomcat/7.0.71
- version/tomcat/7.0.72
- version/tomcat/7.0.73
- version/tomcat/7.0.74
- version/tomcat/7.0.75
- version/tomcat/7.0.76
- version/tomcat/7.0.77
- version/tomcat/7.0.78
- version/tomcat/7.0.79
- version/tomcat/7.0.80
- version/tomcat/7.0.81