Medium severity 5.3 · NVD Advisory · Published Sep 12, 2017 · Updated Jun 17, 2026
CVE-2014-9635
Description
Jenkins before 1.586 does not set the HttpOnly flag in a Set-Cookie header for session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to obtain potentially sensitive information via script access to cookies.
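A response-header check for the condition described above, as an added example that is not part of the advisory or of Jenkins itself. The session-cookie name prefix and the sample headers are constructed assumptions; it parses cookie attributes rather than searching for the substring "HttpOnly", which a cookie value could contain.

```python
# Added example: report session cookies whose Set-Cookie header lacks HttpOnly.
# SESSION_PREFIXES and all SAMPLE_* headers are assumptions constructed for illustration.

SESSION_PREFIXES = ("jsessionid",)  # assumed servlet-container session cookie name


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, lower-cased attribute dict)."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()  # attribute names are case-insensitive
    return name.strip(), value, attrs


def missing_httponly(headers):
    """headers: (field_name, field_value) pairs from one HTTP response.
    Returns the names of session cookies set without the HttpOnly attribute."""
    findings = []
    for field, value in headers:
        if field.lower() != "set-cookie":
            continue
        name, _, attrs = parse_set_cookie(value)
        if name.lower().startswith(SESSION_PREFIXES) and "httponly" not in attrs:
            findings.append(name)
    return findings


# Constructed sample responses (not captured from a real server).
SAMPLE_UNFLAGGED = [
    ("Content-Type", "text/html;charset=UTF-8"),
    ("Set-Cookie", "JSESSIONID=0123456789ABCDEF; Path=/jenkins"),
    ("Set-Cookie", "theme=dark; Path=/"),  # not a session cookie, ignored
]
SAMPLE_FLAGGED = [("set-cookie", "JSESSIONID=0123456789ABCDEF; Path=/jenkins; HTTPONLY")]
# The cookie value happens to be the text "HttpOnly"; the attribute is still absent.
SAMPLE_TRICKY = [("Set-Cookie", "JSESSIONID=HttpOnly; Path=/")]

if __name__ == "__main__":
    for label, sample in (("unflagged", SAMPLE_UNFLAGGED),
                          ("flagged", SAMPLE_FLAGGED),
                          ("tricky", SAMPLE_TRICKY)):
        print(label, missing_httponly(sample))
```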
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.main:jenkins-core (Maven) | < 1.586 | 1.586 |
References (10)
- github.com/jenkinsci/jenkins/commit/582128b9ac179a788d43c1478be8a5224dc19710 (nvd: Patch, Third Party Advisory; WEB)
- www.openwall.com/lists/oss-security/2015/01/22/3 (nvd: Mailing List, Third Party Advisory; WEB)
- www.securityfocus.com/bid/72054 (nvd: Third Party Advisory, VDB Entry; WEB)
- bugs.debian.org/cgi-bin/bugreport.cgi (nvd: Third Party Advisory; WEB)
- bugzilla.redhat.com/show_bug.cgi (nvd: Issue Tracking, Third Party Advisory, VDB Entry; WEB)
- github.com/advisories/GHSA-7f6w-fhmr-j8hq (ghsa: ADVISORY)
- issues.jenkins-ci.org/browse/JENKINS-25019 (nvd: Issue Tracking, Vendor Advisory; WEB)
- jenkins.io/changelog-old/ (nvd: Release Notes, Vendor Advisory)
- nvd.nist.gov/vuln/detail/CVE-2014-9635 (ghsa: ADVISORY)
- jenkins.io/changelog-old (ghsa: WEB)