vulnerability
Jenkins Advisory 2019-09-25: CVE-2019-10405: Diagnostic web page exposed Cookie HTTP header
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 4 | (AV:N/AC:M/Au:S/C:N/I:P/A:N) | Sep 25, 2019 | Oct 8, 2019 | Aug 11, 2025 |
Severity
4
CVSS
(AV:N/AC:M/Au:S/C:N/I:P/A:N)
Published
Sep 25, 2019
Added
Oct 8, 2019
Modified
Aug 11, 2025
Description
Jenkins 2.196 and earlier, LTS 2.176.3 and earlier printed the value of the "Cookie" HTTP request header on the /whoAmI/ URL, allowing attackers exploiting another XSS vulnerability to obtain the HTTP session cookie despite it being marked HttpOnly.
Solutions
jenkins-lts-upgrade-2_176_4jenkins-upgrade-2_197
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.