VYPR
Medium severity (5.3) · NVD Advisory · Published Sep 12, 2017 · Updated May 13, 2026

CVE-2014-9635

Description

Jenkins before 1.586 does not set the HttpOnly flag in a Set-Cookie header for session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to obtain potentially sensitive information via script access to cookies.
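The symptom described above is visible in the Set-Cookie headers a Jenkins instance returns. The following is an added audit script, not code from the advisory or from Jenkins, that parses those headers and reports session cookies missing HttpOnly (and Secure on HTTPS sites); it assumes the container's session cookie is named JSESSIONID (Tomcat) or JSESSIONID.<suffix> (Winstone/Jetty).

```python
# Added example (not from the advisory or Jenkins): audit Set-Cookie headers
# and report session cookies lacking HttpOnly (and Secure on HTTPS sites).
# Assumption: the session cookie is JSESSIONID (Tomcat) or JSESSIONID.<suffix>.
import urllib.request

def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attr: value|True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        # Attribute names are case-insensitive; flag attributes carry no value.
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs

def audit_session_cookies(headers, site_is_https=True):
    """Return [(cookie_name, [missing attributes])] for session cookies only."""
    findings = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        if not name.upper().startswith("JSESSIONID"):
            continue  # not a servlet session cookie
        missing = []
        if "httponly" not in attrs:
            missing.append("HttpOnly")
        if site_is_https and "secure" not in attrs:
            missing.append("Secure")
        if missing:
            findings.append((name, missing))
    return findings

def fetch_set_cookie_headers(url):
    """Fetch one response and return every Set-Cookie header it carried."""
    with urllib.request.urlopen(url) as resp:
        return resp.headers.get_all("Set-Cookie") or []

# Constructed samples: a correctly flagged cookie, the bare cookie an
# unpatched Jenkins on Tomcat 7.0.41+ emitted, and an unrelated cookie.
SAMPLE_HEADERS = [
    "JSESSIONID=C0FFEE; Path=/jenkins; HttpOnly; Secure",
    "JSESSIONID=C0FFEE; Path=/jenkins",
    "screenResolution=1920x1080; Path=/",
]

if __name__ == "__main__":
    for name, missing in audit_session_cookies(SAMPLE_HEADERS):
        print(f"{name}: missing {', '.join(missing)}")
```

Against a live instance, pass `fetch_set_cookie_headers("https://jenkins.example/login")` (placeholder URL) to `audit_session_cookies`; the login page is where the container first issues the session cookie.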

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.main:jenkins-core (Maven)
Affected versions: < 1.586
Patched versions: 1.586

Affected products

  • cpe:2.3:a:jenkins:jenkins:*:*:*:*:*:*:*:*
    Range: <=1.585

Patches

582128b9ac17

[FIXED JENKINS-25019]

https://github.com/jenkinsci/jenkins · Kohsuke Kawaguchi · Oct 17, 2014 · via ghsa
3 files changed · +42 −6
  • changelog.html (+4 −0) modified
    @@ -61,6 +61,10 @@
       <li class=bug>
         Prevent empty file creation if file parameter is left empty.
         (<a href="https://issues.jenkins-ci.org/browse/JENKINS-3539">issue 3539</a>)
    +  <li class=bug>
    +    Servlet containers may refuse to let us set <a href="https://www.owasp.org/index.php/SecureFlag">secure cookie flag</a>.
    +    Deal with it gracefully.
    +    (<a href="https://issues.jenkins-ci.org/browse/JENKINS-25019">issue 25019</a>)
     </ul>
     </div><!--=TRUNK-END=-->
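Review bot: the new changelog bullet only covers the secure-flag workaround, but the same commit also moves HttpOnly marking of the session cookie from the runtime path in JenkinsLocationConfiguration to startup in WebAppMain.markCookieAsHttpOnly, which is the user-visible fix for containers that refused it before; add a second bullet, e.g. `Mark the session cookie HttpOnly at startup on Servlet 3.0+ containers.`, so administrators on Tomcat know why the cookie changed.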
     
    
  • core/src/main/java/hudson/WebAppMain.java (+28 −0) modified
    @@ -56,6 +56,7 @@
     import java.io.File;
     import java.io.FileOutputStream;
     import java.io.IOException;
    +import java.lang.reflect.Method;
     import java.net.URL;
     import java.net.URLClassLoader;
     import java.util.Date;
    @@ -116,6 +117,8 @@ public Locale get() {
     
                 installLogger();
     
    +            markCookieAsHttpOnly(context);
    +
                 final FileAndDescription describedHomeDir = getHomeDir(event);
                 home = describedHomeDir.file.getAbsoluteFile();
                 home.mkdirs();
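Review bot: the placement of `markCookieAsHttpOnly(context);` in the startup path (beside installLogger() and getHomeDir(event)) is the point of the fix and deserves a one-line comment: SessionCookieConfig may only be changed while the context is initialising, which is exactly why the previous runtime call site in JenkinsLocationConfiguration threw the IllegalStateException the other hunk now swallows. Without the comment the call reads as arbitrary and a future refactor could move it back into a lazily-run path.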
    @@ -251,6 +254,31 @@ public void run() {
             }
         }
     
    +    /**
    +     * Set the session cookie as HTTP only.
    +     *
    +     * @see <a href="https://www.owasp.org/index.php/HttpOnly">discussion of this topic in OWASP</a>
    +     */
    +    private void markCookieAsHttpOnly(ServletContext context) {
    +        try {
    +            Method m;
    +            try {
    +                m = context.getClass().getMethod("getSessionCookieConfig");
    +            } catch (NoSuchMethodException x) { // 3.0+
    +                LOGGER.log(Level.FINE, "Failed to set secure cookie flag", x);
    +                return;
    +            }
    +            Object sessionCookieConfig = m.invoke(context);
    +
    +            // not exposing session cookie to JavaScript to mitigate damage caused by XSS
    +            Class scc = Class.forName("javax.servlet.SessionCookieConfig");
    +            Method setHttpOnly = scc.getMethod("setHttpOnly",boolean.class);
    +            setHttpOnly.invoke(sessionCookieConfig,true);
    +        } catch (Exception e) {
    +            LOGGER.log(Level.WARNING, "Failed to set HTTP-only cookie flag", e);
    +        }
    +    }
    +
         public void joinInit() throws InterruptedException {
             initThread.join();
         }
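Review bot: the NoSuchMethodException branch is mislabelled twice: the log text says "Failed to set secure cookie flag" although this method sets HttpOnly, and the `// 3.0+` comment is inverted, since getSessionCookieConfig being absent means a pre-3.0 container. Suggest `LOGGER.log(Level.INFO, "Servlet 2.5 container; cannot mark the session cookie HttpOnly", x);`, at INFO rather than FINE so an administrator on an old container learns the cookie stays unprotected. Minor: `Class scc` should be `Class<?> scc` to avoid the raw-type warning.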
    
  • core/src/main/java/jenkins/model/JenkinsLocationConfiguration.java (+10 −6) modified
    @@ -14,6 +14,7 @@
     import javax.servlet.ServletContext;
     import java.io.File;
     import java.io.IOException;
    +import java.lang.reflect.InvocationTargetException;
     import java.lang.reflect.Method;
     import java.util.logging.Level;
     import java.util.logging.Logger;
    @@ -117,14 +118,17 @@ private void updateSecureSessionFlag() {
                 }
                 Object sessionCookieConfig = m.invoke(context);
     
    -            // not exposing session cookie to JavaScript to mitigate damage caused by XSS
                 Class scc = Class.forName("javax.servlet.SessionCookieConfig");
    -            Method setHttpOnly = scc.getMethod("setHttpOnly",boolean.class);
    -            setHttpOnly.invoke(sessionCookieConfig,true);
    -
    -            Method setSecure = scc.getMethod("setSecure",boolean.class);
    +            Method setSecure = scc.getMethod("setSecure", boolean.class);
                 boolean v = fixNull(jenkinsUrl).startsWith("https");
    -            setSecure.invoke(sessionCookieConfig,v);
    +            setSecure.invoke(sessionCookieConfig, v);
    +        } catch (InvocationTargetException e) {
    +            if (e.getTargetException() instanceof IllegalStateException) {
    +                // servlet 3.0 spec seems to prohibit this from getting set at runtime,
    +                // though Winstone is happy to accept i. see JENKINS-25019
    +                return;
    +            }
    +            LOGGER.log(Level.WARNING, "Failed to set secure cookie flag", e);
             } catch (Exception e) {
                 LOGGER.log(Level.WARNING, "Failed to set secure cookie flag", e);
             }
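Review bot: the IllegalStateException branch returns silently, so on a spec-compliant container (Tomcat, the case this CVE is about) the Secure flag is never applied when jenkinsUrl changes and nothing tells the administrator; log at FINE at least, and consider applying Secure at context initialisation the way this commit now does for HttpOnly, since that is the only time the container allows it. Typo in the comment: `though Winstone is happy to accept i.` should read `accept it.`. The WARNING log after the instanceof check duplicates the generic `catch (Exception e)` below; one catch with the instanceof test would be shorter.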
    
