CVE-2019-10405

Summary

Jenkins 2.196 and earlier, LTS 2.176.3 and earlier printed the value of the "Cookie" HTTP request header on the /whoAmI/ URL, allowing attackers exploiting another XSS vulnerability to obtain the HTTP session cookie despite it being marked HttpOnly.

Affected Software

VendorProductVersion RangeStatus
Jenkins projectJenkins2.196 and earlier, LTS 2.176.3 and earlieraffected

Weaknesses

ADP Enrichment

CVE Program Container

Additional References

References