Date published: 2017-09-12T10:29:00.300-04:00
Date last modified: 2017-09-21T14:47:08.483-04:00
CVSS Score: 5.0
Principal attack vector: NETWORK
Reference URL: http://www.openwall.com/lists/oss-security/2015/01/22/3
Summary: Jenkins before 1.586 does not set the HttpOnly flag in a Set-Cookie header for session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to obtain potentially sensitive information via script access to cookies.