CVE-2019-10405
Description
Jenkins /whoAmI/ endpoint exposed Cookie header, enabling attackers with XSS to steal HttpOnly session cookies.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Summary
Jenkins 2.196 and earlier, LTS 2.176.3 and earlier printed the value of the Cookie HTTP request header on the /whoAmI/ URL, allowing attackers exploiting another XSS vulnerability to obtain the HTTP session cookie despite it being marked HttpOnly [1][2][3].
Details
The /whoAmI/ page in Jenkins was designed to display request headers for debugging. However, it inadvertently included the full Cookie header, which contains the session identifier. Even though the cookie was set with the HttpOnly flag (preventing client-side script access), the server-side rendering of the header value on the page made it accessible in the HTML source [3].
Exploitation
An attacker who successfully exploits an XSS vulnerability (such as those described in SECURITY-1498 or SECURITY-1525, also fixed in this advisory [1]) can execute arbitrary JavaScript in a victim's browser. The attacker can then fetch the /whoAmI/ page content, which contains the raw Cookie header, and exfiltrate the session cookie. This bypasses the HttpOnly protection [2].
Impact and Mitigation
A successful attack allows the attacker to hijack the victim's Jenkins session, gaining unauthorized access to Jenkins functionality and data. The vulnerability affects Jenkins core versions 2.196 and earlier, and LTS 2.176.3 and earlier. It is fixed in Jenkins 2.197, LTS 2.176.4, and LTS 2.190.1 [1]. The fix redacts the Cookie header value in the /whoAmI/ view [4].
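As an added example (not code from Jenkins or the advisory), the check below parses a saved /whoAmI/ response body and reports whether the Cookie row still carries the raw value or the redaction marker from the fix, so an operator can confirm an upgrade took effect. The host name and cookie values are constructed, and the table markup is assumed from the template shown in the patch.

```python
"""Offline check: does a Jenkins /whoAmI/ response echo the Cookie header?
Added example, not Jenkins/advisory code. Parses the "Request Headers" table that
WhoAmI/index.jelly renders: raw Cookie value = unfixed, redaction marker = fixed."""
import html
import re

# Marker text the patched template renders in place of the Cookie value.
REDACTION_MARKER = "(redacted for security reasons)"

# Constructed pre-fix rendering (values made up); 'Accept' is multi-valued, its 2nd row has one cell.
VULNERABLE_BODY = """<h2>Request Headers</h2><table>
<tr><td rowspan="1">Host</td><td>jenkins.example.test</td></tr>
<tr><td rowspan="2">Accept</td><td>text/html</td></tr>
<tr><td>application/xml</td></tr>
<tr><td rowspan="1">Cookie</td><td>
  JSESSIONID.1a2b3c4d=node0deadbeef.node0; screenResolution=1920x1080
</td></tr>
</table>"""

# Constructed rendering of the same request by the patched template.
PATCHED_BODY = """<h2>Request Headers</h2><table>
<tr><td rowspan="1">Host</td><td>jenkins.example.test</td></tr>
<tr><td rowspan="1">Cookie</td><td>
  <i>(redacted for security reasons)</i>
</td></tr>
</table>"""

# First row of a header: <tr><td rowspan=N>name</td><td>value</td>; the name cell
# is tag-free ([^<]*), so a match can never run across row boundaries.
ROW_RE = re.compile(r"<tr>\s*<td[^>]*>([^<]*)</td>\s*<td>(.*?)</td>", re.S | re.I)

def request_headers(body):
    """Map lower-cased header name -> text of its first value cell."""
    headers = {}
    for name, value in ROW_RE.findall(body):
        headers[name.strip().lower()] = html.unescape(re.sub(r"<[^>]+>", "", value)).strip()
    return headers

def cookie_exposed(body, sent_cookie):
    """True if the page reflects the session cookie we sent (fix absent)."""
    cell = request_headers(body).get("cookie")
    if cell is None or cell == REDACTION_MARKER:
        return False
    session = sent_cookie.split(";")[0].strip()  # first pair is the JSESSIONID
    return session in cell

if __name__ == "__main__":
    sent = "JSESSIONID.1a2b3c4d=node0deadbeef.node0; screenResolution=1920x1080"
    for label, body in (("pre-fix", VULNERABLE_BODY), ("patched", PATCHED_BODY)):
        print(f"{label}: session cookie exposed = {cookie_exposed(body, sent)}")
```

Feed it the body of a request made with your own session cookie; a `True` result means the instance still renders the header and has not received the fix.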
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.main:jenkins-core (Maven) | < 2.176.4 | 2.176.4 |
| org.jenkins-ci.main:jenkins-core (Maven) | >= 2.177, < 2.197 | 2.197 |
Affected products
- Range: 2.196 and earlier, LTS 2.176.3 and earlier
Patches
1 file changed · +20 −10
core/src/main/resources/hudson/security/WhoAmI/index.jelly+20 −10 modified@@ -74,18 +74,28 @@ THE SOFTWARE. <h2>Request Headers</h2> <table> <j:forEach var="n" items="${request.getHeaderNames()}"> - <j:set var="values" value="${h.getRequestHeaders(n)}"/> - <tr> - <td rowspan="${values.size()}">${n}</td> - <td> - ${values[0]} - </td> - </tr> - <j:forEach var="v" items="${values.subList(1,values.size())}"> + <j:if test="${n.equalsIgnoreCase('Cookie')}"> <tr> - <td>${v}</td> + <td rowspan="1">${n}</td> + <td> + <i>(redacted for security reasons)</i> + </td> </tr> - </j:forEach> + </j:if> + <j:if test="${!n.equalsIgnoreCase('Cookie')}"> + <j:set var="values" value="${h.getRequestHeaders(n)}"/> + <tr> + <td rowspan="${values.size()}">${n}</td> + <td> + ${values[0]} + </td> + </tr> + <j:forEach var="v" items="${values.subList(1,values.size())}"> + <tr> + <td>${v}</td> + </tr> + </j:forEach> + </j:if> </j:forEach> </table> </l:main-panel>
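Review bot: the redaction is keyed on the single literal `Cookie`, so every other header the client sent is still rendered verbatim by the `<j:if test="${!n.equalsIgnoreCase('Cookie')}">` branch, including any other credential-bearing header such as `Authorization`; consider testing against a small list of sensitive header names rather than one literal. Structurally, the pair of `<j:if>` blocks carrying a condition and its negation would stay in sync more easily as one `<j:choose>`/`<j:when>`/`<j:otherwise>`, and the `rowspan="1"` on the redacted row is a no-op that can be dropped.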
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-47wc-p5cp-w7pw (advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-10405 (advisory)
- www.openwall.com/lists/oss-security/2019/09/25/3 (mailing list)
- github.com/jenkinsci/jenkins/commit/560ee832b41814660c5632ea36ad1a1c977177bf (web)
- jenkins.io/security/advisory/2019-09-25/ (web)
News mentions
No linked articles in our index yet.