CVE-2019-10405
Published 2019-09-25
CVE-2019-10405: Jenkins 2.196 and earlier, LTS 2.176.3 and earlier printed the value of the "Cookie" HTTP request header on the /whoAmI/ URL, allowing attackers exploiting…
Priority P3 · 53 · medium · 5.4 (CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N)
EXPLOIT
EPSS: 65.75% (99.2nd percentile)
Jenkins 2.196 and earlier, LTS 2.176.3 and earlier printed the value of the "Cookie" HTTP request header on the /whoAmI/ URL, allowing attackers exploiting another XSS vulnerability to obtain the HTTP session cookie despite it being marked HttpOnly.
Affected
29 ranges (showing 25)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jenkins | application_director_plugin | — | — |
| jenkins | aqua_microscanner_plugin | — | — |
| jenkins | aqua_security_scanner_plugin | — | — |
| jenkins | assembla_plugin | — | — |
| jenkins | azure_event_grid_build_notifier_plugin | — | — |
| jenkins | call_remote_job_plugin | — | — |
| jenkins | cd_plugin | — | — |
| jenkins | codescan_plugin | — | — |
| jenkins | gem_publisher_plugin | — | — |
| jenkins | git_changelog_plugin | — | — |
| jenkins | gitlab_logo_plugin | — | — |
| jenkins | google_calendar_plugin | — | — |
| jenkins | inedo_buildmaster_plugin | — | — |
| jenkins | inedo_proget_plugin | — | — |
| jenkins | jenkins | <= 2.176.3 | — |
| jenkins | jenkins | <= 2.196 | — |
| jenkins | jenkins_core | — | — |
| jenkins | jenkins_instance_with_this_plugin | — | — |
| jenkins | jenkins_lts | — | — |
| jenkins | jenkins_weekly | — | — |
| jenkins | kubernetes_pipeline_arquillian_steps_plugin | — | — |
| jenkins | kubernetes_pipeline_kubernetes_steps_plugin | — | — |
| jenkins | log_parser_plugin | — | — |
| jenkins | mask_password_plugin | — | — |
| jenkins | mask_passwords_plugin | — | — |
Detection & IOCs (extracted from sources)
- Send a GET request to /whoAmI/ on the target Jenkins instance. A vulnerable host will reflect the Cookie header value (including JSESSIONID) in the HTML response body.
- Check the HTTP response body of /whoAmI/ for the literal strings 'Cookie' and 'JSESSIONID' to confirm cookie exposure.
- Confirm the target is Jenkins by checking for the 'x-jenkins' response header alongside a 'text/html' Content-Type header.
- Fingerprint Jenkins instances for scanning using Shodan favicon hash 81586312 or FOFA icon_hash=81586312.
- Exploitation of this cookie-exposure vulnerability requires a second, chained XSS vulnerability to be present; the /whoAmI/ endpoint alone does not execute JavaScript but exposes the cookie value in rendered HTML.
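As an added, defender-side example (not code from this page or from any of the sources it quotes): a small Python check that applies the three detection criteria above to a captured GET /whoAmI/ response from a Jenkins instance you administer, so you can verify whether a patch has actually removed the Cookie echo. The function name, the cookie values, the headers and the HTML bodies are all constructed for this example.

```python
from typing import Dict, List, NamedTuple


class WhoAmICheck(NamedTuple):
    is_jenkins: bool         # X-Jenkins header present and an HTML content type
    cookie_reflected: bool   # the Cookie header we sent is echoed in the body
    leaked_names: List[str]  # cookie names whose values appear in the body


def check_whoami_response(headers: Dict[str, str], body: str, sent_cookie: str) -> WhoAmICheck:
    """Apply the detection criteria to one captured /whoAmI/ response.

    `sent_cookie` is the exact Cookie request header value that was sent; a
    response that echoes it back shows the CVE-2019-10405 behaviour.
    """
    h = {k.lower(): v for k, v in headers.items()}
    is_jenkins = "x-jenkins" in h and h.get("content-type", "").lower().startswith("text/html")

    # A cookie counts as leaked when its *value* (not merely its name) appears
    # verbatim in the body. Very short values could match by chance, so treat
    # this as a heuristic and confirm against the raw response.
    leaked: List[str] = []
    for pair in sent_cookie.split(";"):
        name, _, value = pair.strip().partition("=")
        if value and value in body:
            leaked.append(name)

    return WhoAmICheck(is_jenkins, sent_cookie in body or bool(leaked), leaked)


# Constructed sample data (not captured from a real instance).
SENT_COOKIE = "JSESSIONID.a1b2c3d4=node0example.node0; screenResolution=1920x1080"
JENKINS_HEADERS = {"Content-Type": "text/html;charset=utf-8", "X-Jenkins": "2.176.3"}

# Unpatched behaviour: the diagnostic page lists request headers, Cookie included.
VULNERABLE_BODY = (
    "<html><body><h1>Who Am I?</h1><table>"
    "<tr><td>Name</td><td>alice</td></tr>"
    "<tr><td>Cookie</td><td>" + SENT_COOKIE + "</td></tr>"
    "<tr><td>User-Agent</td><td>curl/7.64.0</td></tr>"
    "</table></body></html>"
)
# Patched behaviour: the same page, but the Cookie row is no longer printed.
PATCHED_BODY = VULNERABLE_BODY.replace("<tr><td>Cookie</td><td>" + SENT_COOKIE + "</td></tr>", "")

if __name__ == "__main__":
    for label, body in (("unpatched", VULNERABLE_BODY), ("patched", PATCHED_BODY)):
        print(label, check_whoami_response(JENKINS_HEADERS, body, SENT_COOKIE))
```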
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |
| NVD | 2.0 | 3.5 | LOW | AV:N/AC:M/Au:S/C:N/I:P/A:N |
| Red Hat (vendor) | — | 5.4 | MEDIUM | — |
GHSA
Exposure of Sensitive Information to an Unauthorized Actor in Jenkins
ghsa · 2022-05-24 · CVE-2019-10405 [MEDIUM] · CWE-200
OSV
Exposure of Sensitive Information to an Unauthorized Actor in Jenkins
osv · 2022-05-24 · CVE-2019-10405 [MEDIUM]
Jenkins
Jenkins Security Advisory 2019-09-25
vendor_jenkins · 2019-09-25 · CVSS 5.4 · CVE-2019-10401 [MEDIUM]
This advisory announces vulnerabilities in the following Jenkins deliverables:
- Jenkins (core)
- Aqua MicroScanner Plugin
- Aqua Security Scanner Plugin
- Assembla Plugin
- Azure Event Grid Build Notifier Plugin
- Call Remote Job Plugin
- CodeScan Plugin
- D
Red Hat
jenkins: Diagnostic web page exposed Cookie HTTP header
vendor_redhat · 2019-09-25 · CVSS 5.4 · CVE-2019-10405 [MEDIUM] · CWE-200
Package: jenkins (Red Hat OpenShift Container Platform 3.10) - Out of support scope
Package: jenkins (Red Hat OpenShift Container Platform 3.9) - Out of support scope
No detection rules found.
Nuclei
Jenkins <=2.196 - Cookie Exposure
nuclei · CVSS 5.4 · CVE-2019-10405 [MEDIUM]
Jenkins through 2.196, LTS 2.176.3 and earlier prints the value of the cookie on the /whoAmI/ URL despite it being marked HttpOnly, thus making it possible to steal cookie-based authentication credentials if the URL is exposed or accessed via another cross-site scripting issue.
Template:
```yaml
id: CVE-2019-10405

info:
  name: Jenkins <=2.196 - Cookie Exposure
  author: c-sh0
  severity: medium
  description: Jenkins through 2.196, LTS 2.176.3 and earlier prints the value of the cookie on the /whoAmI/ URL despite it being marked HttpOnly, thus making it possible to steal cookie-based authentication credentials if the URL is exposed or accessed via another cross-site scripting issue.
  impact: |
    The exposure of cookies can lead to session hijacking, unauthorized access,
```
Bugzilla
CVE-2019-10401 CVE-2019-10402 CVE-2019-10403 CVE-2019-10404 CVE-2019-10405 CVE-2019-10406 jenkins: various flaws [fedora-all]
bugzilla · 2019-10-23 · CVSS 5.4 · CVE-2019-10401 [MEDIUM]
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all.

For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.

For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs

When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.

Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
NOTE
Bugzilla
CVE-2019-10405 jenkins: Diagnostic web page exposed Cookie HTTP header
bugzilla · 2019-10-22 · CVSS 5.4 · CVE-2019-10405 [MEDIUM]
Jenkins shows various technical information about the current user on the /whoAmI URL. The information shown includes HTTP request headers. This allowed attackers able to exploit another cross-site scripting vulnerability to obtain the Cookie header’s value even if the HttpOnly flag would prevent direct access via JavaScript.
References:
https://jenkins.io/security/advisory/2019-09-25/#SECURITY-1505
Discussion:
Created jenkins tracking bugs for this issue:
Affects: fedora-all [bug 1764477]
Published: 2019-09-25