CVE-2014-9635 in Jenkins
Summary
by MITRE
Jenkins before 1.586 does not set the HttpOnly flag in a Set-Cookie header for session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to obtain potentially sensitive information via script access to cookies.
Analysis
by VulDB Data Team • 12/28/2022
The vulnerability identified as CVE-2014-9635 represents a critical security flaw in the Jenkins continuous integration platform in versions prior to 1.586. The issue specifically affects deployments running on Tomcat 7.0.41 or later, where the HttpOnly flag is not set in the session cookie's Set-Cookie header. The vulnerability stems from the incorrect configuration of the HTTP response headers that control how browsers handle session cookies, creating an exploitable condition that significantly weakens the security posture of affected systems.
The technical flaw manifests in the way Jenkins handles session management when deployed on Tomcat. Session cookies are a fundamental component of web application security: they maintain the user's authentication state across multiple requests. When the HttpOnly flag is omitted from the Set-Cookie header, a malicious script executing in the victim's browser can read the session cookie through the JavaScript document.cookie API. This gives a cross-site scripting attack a direct path to hijacking the user's session and escalating privileges. The vulnerability is particularly dangerous because it operates at the HTTP protocol level, where cookies are transmitted between client and server, making it a foundational security issue rather than an application-specific flaw.
The operational impact of this vulnerability extends beyond simple information disclosure, as it fundamentally undermines the security of authenticated sessions in Jenkins environments. A remote attacker who obtains a session token gains unauthorized access to the Jenkins build server and may be able to execute arbitrary builds, modify configurations, or access sensitive project data. This vulnerability maps directly to CWE-1004, which describes sensitive cookies without the HttpOnly flag, and aligns with ATT&CK technique T1566.001, which covers credential access through exploitation of web application vulnerabilities. The risk is amplified in enterprise environments, where Jenkins often serves as a central build and deployment system with elevated privileges and access to critical infrastructure components.
Mitigation of CVE-2014-9635 requires immediate patching of Jenkins installations to version 1.586 or later, which correctly sets the HttpOnly flag on session cookies. Organizations should also monitor HTTP response headers to verify that cookies are configured correctly across all web applications. Additional defensive measures include deploying Content Security Policy headers, regularly auditing session management configurations, and conducting penetration testing to identify similar cookie-related weaknesses. Security teams should also consider a web application firewall to detect and block suspicious cookie access patterns, and should ensure that all Tomcat deployments set the HttpOnly flag through server-level settings or application configuration files. Remediation should include thorough testing to confirm that session cookies are properly protected, and existing sessions should be invalidated and recreated after the patch is applied so that any already compromised session cannot be reused.
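The header monitoring recommended above can be scripted. The following is an added example (not code from VulDB or from the Jenkins project) that parses the Set-Cookie headers of an HTTP response and reports any session cookie that lacks the HttpOnly attribute, which is exactly the condition the advisory describes. It assumes the servlet container names its session cookie JSESSIONID (matched by prefix, since some containers append a suffix); the two sample responses are constructed for the example and are not captured from a real server.

```python
# Added example, not from the advisory or the Jenkins project: audit Set-Cookie
# headers for session cookies that are missing the HttpOnly (and Secure) attribute.
import re
import urllib.request
from typing import List, NamedTuple


class CookieFinding(NamedTuple):
    name: str
    http_only: bool
    secure: bool


# Assumption: the servlet container (Tomcat here) names its session cookie JSESSIONID;
# prefix match because some containers append a suffix to that name.
SESSION_COOKIE_RE = re.compile(r"^JSESSIONID", re.IGNORECASE)


def parse_set_cookie(value: str) -> CookieFinding:
    """Parse one Set-Cookie header value; attribute names are case-insensitive (RFC 6265)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return CookieFinding(name, "httponly" in attrs, "secure" in attrs)


def audit_raw_response(raw_headers: str) -> List[CookieFinding]:
    """Extract and parse every Set-Cookie line from a raw HTTP response header block."""
    findings = []
    for line in raw_headers.splitlines():
        header, sep, value = line.partition(":")
        if sep and header.strip().lower() == "set-cookie":
            findings.append(parse_set_cookie(value))
    return findings


def unprotected_session_cookies(findings: List[CookieFinding]) -> List[str]:
    """Names of session cookies that script can read because HttpOnly is absent."""
    return [f.name for f in findings
            if SESSION_COOKIE_RE.match(f.name) and not f.http_only]


def audit_url(url: str) -> List[CookieFinding]:
    """Audit a live endpoint you operate (needs network; not exercised by the sample below)."""
    with urllib.request.urlopen(url) as resp:
        return [parse_set_cookie(v) for v in (resp.headers.get_all("Set-Cookie") or [])]


# Constructed sample responses: the first mirrors the vulnerable behaviour described
# in the advisory (session cookie without HttpOnly), the second a corrected server.
VULNERABLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "Set-Cookie: JSESSIONID=0123456789ABCDEF; Path=/jenkins\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
)

FIXED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "Set-Cookie: JSESSIONID=0123456789ABCDEF; Path=/jenkins; HttpOnly; Secure\r\n"
    "Set-Cookie: screenResolution=1920x1080; Path=/jenkins\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
)

if __name__ == "__main__":
    for label, raw in (("vulnerable", VULNERABLE_RESPONSE), ("fixed", FIXED_RESPONSE)):
        bad = unprotected_session_cookies(audit_raw_response(raw))
        print(f"{label}: {'FAIL ' + ', '.join(bad) if bad else 'OK'}")
```

Note that the non-session cookie in the fixed response is not reported: the check is scoped to the cookie that carries authentication state, which is what CWE-1004 is about. On the server side, the Tomcat setting the text refers to is the `useHttpOnly` attribute of the `<Context>` element, which controls whether the container adds HttpOnly to its own session cookie; the Jenkins upgrade to 1.586 or later remains the actual fix for this CVE.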