Jenkins <=2.196 - Cookie Exposure
ID: CVE-2019-10405
Severity: medium
Author: c-sh0
Tags: cve,cve2019,jenkins
Description
Jenkins through 2.196, LTS 2.176.3 and earlier prints the value of the cookie on the /whoAmI/ URL despite it being marked HttpOnly, thus making it possible to steal cookie-based authentication credentials if the URL is exposed or accessed via another cross-site scripting issue.
YAML Source
id: CVE-2019-10405

info:
  name: Jenkins <=2.196 - Cookie Exposure
  author: c-sh0
  severity: medium
  description: Jenkins through 2.196, LTS 2.176.3 and earlier prints the value of the cookie on the /whoAmI/ URL despite it being marked HttpOnly, thus making it possible to steal cookie-based authentication credentials if the URL is exposed or accessed via another cross-site scripting issue.
  impact: |
    The exposure of cookies can lead to session hijacking, unauthorized access, and potential data breaches.
  remediation: |
    Upgrade Jenkins to a version higher than 2.196 to mitigate the vulnerability.
  reference:
    - https://jenkins.io/security/advisory/2019-09-25/#SECURITY-1505
    - http://www.openwall.com/lists/oss-security/2019/09/25/3
    - https://nvd.nist.gov/vuln/detail/CVE-2019-10405
    - https://github.com/ARPSyndicate/kenzer-templates
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
    cvss-score: 5.4
    cve-id: CVE-2019-10405
    cwe-id: CWE-79
    epss-score: 0.00572
    epss-percentile: 0.77427
    cpe: cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*
  metadata:
    max-request: 2
    vendor: jenkins
    product: jenkins
    shodan-query:
      - http.favicon.hash:81586312
      - cpe:"cpe:2.3:a:jenkins:jenkins"
      - product:"jenkins"
    fofa-query: icon_hash=81586312
  tags: cve,cve2019,jenkins

http:
  - raw:
      - |
        GET {{BaseURL}}/whoAmI/ HTTP/1.1
        Host: {{Hostname}}
      - |
        GET {{BaseURL}}/whoAmI/ HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: header
        words:
          - 'text/html'
          - 'x-jenkins'
        case-insensitive: true
        condition: and

      - type: word
        part: body_2
        words:
          - 'Cookie'
          - 'JSESSIONID'
        condition: and

      - type: status
        status:
          - 200

    extractors:
      - type: kval
        kval:
          - x_jenkins
# digest: 490a0046304402207faf85fe95b1c545ecd405584188b3401d6273a15210006c403209b0c2ecd3fa02200ede8fd43865197d2f03956aa7361fb0a954260d6c985c5437364ad39716a52c:922c64590222798bb761d5b6d8e72950
Guide to check the vulnerabilities
This template detects the cookie exposure on the /whoAmI/ page of affected Jenkins instances. Run it with the Nuclei tool against the target URL:
$ nuclei -u "URL" -t "http/cves/2019/CVE-2019-10405.yaml"
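To make explicit what the template above actually flags, the following is an added Python example (not code from the template author or the Nuclei project) that re-implements its three matchers and the x_jenkins extractor offline against constructed sample responses: one modelled on a vulnerable instance whose second /whoAmI/ response echoes the request's Cookie header, and one modelled on an upgraded instance that does not. The response objects, header values and the "2.190" version string are constructed for the example; treating the unsuffixed header and status matchers as applying to the last response is an assumption made here, while the body matcher is scoped to the second response exactly as the template's body_2 says.

```python
from dataclasses import dataclass, field


@dataclass
class HttpResponse:
    """Minimal stand-in for one HTTP response seen by a scanner (constructed)."""
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""

    def header_blob(self) -> str:
        # Flatten headers into "Name: value" lines, which is what a
        # `part: header` word matcher searches through.
        return "\n".join(f"{k}: {v}" for k, v in self.headers.items())


def matches_template(responses: list) -> bool:
    """Evaluate the template's matchers (matchers-condition: and).

    `responses` holds the replies to the two identical GET /whoAmI/ requests.
    Assumption: unsuffixed parts (header, status) refer to the last response;
    `body_2` is the body of the second response, as written in the template.
    """
    if len(responses) < 2:
        return False
    last, second = responses[-1], responses[1]

    # Matcher 1: header contains 'text/html' AND 'x-jenkins', case-insensitive.
    hdrs = last.header_blob().lower()
    header_ok = all(w in hdrs for w in ("text/html", "x-jenkins"))

    # Matcher 2: second response body contains 'Cookie' AND 'JSESSIONID'.
    # No case-insensitive flag on this matcher, so the match is exact-case.
    body_ok = all(w in second.body for w in ("Cookie", "JSESSIONID"))

    # Matcher 3: HTTP status 200.
    status_ok = last.status == 200

    return header_ok and body_ok and status_ok


def extract_x_jenkins(resp: HttpResponse):
    """Mirror the kval extractor: key 'x_jenkins' is the X-Jenkins header
    with '-' replaced by '_' (header names are case-insensitive)."""
    for name, value in resp.headers.items():
        if name.lower() == "x-jenkins":
            return value
    return None


# Constructed sample: an affected build renders the request headers it
# received, including the Cookie header carrying the HttpOnly session id.
VULNERABLE_RESPONSES = [
    HttpResponse(200, {"Content-Type": "text/html;charset=utf-8",
                       "X-Jenkins": "2.190",
                       "Set-Cookie": "JSESSIONID.constructed=abc123; HttpOnly"},
                 "<html><body><h1>Who Am I</h1></body></html>"),
    HttpResponse(200, {"Content-Type": "text/html;charset=utf-8",
                       "X-Jenkins": "2.190"},
                 "<html><body><h1>Who Am I</h1><table>"
                 "<tr><th>Cookie</th><td>JSESSIONID.constructed=abc123</td></tr>"
                 "</table></body></html>"),
]

# Constructed sample: a fixed build still identifies itself via X-Jenkins and
# still sets the cookie, but the page no longer echoes the Cookie header.
FIXED_RESPONSES = [
    HttpResponse(200, {"Content-Type": "text/html;charset=utf-8",
                       "X-Jenkins": "2.197",
                       "Set-Cookie": "JSESSIONID.constructed=abc123; HttpOnly"},
                 "<html><body><h1>Who Am I</h1></body></html>"),
    HttpResponse(200, {"Content-Type": "text/html;charset=utf-8",
                       "X-Jenkins": "2.197"},
                 "<html><body><h1>Who Am I</h1><table>"
                 "<tr><th>Name</th><td>anonymous</td></tr>"
                 "</table></body></html>"),
]

if __name__ == "__main__":
    for label, rs in (("vulnerable", VULNERABLE_RESPONSES), ("fixed", FIXED_RESPONSES)):
        print(f"{label}: matched={matches_template(rs)} x_jenkins={extract_x_jenkins(rs[-1])}")
```

The split between the header and body matchers is what keeps the check from firing on any Jenkins page: the X-Jenkins header only confirms the product, while the body of the second response must actually contain the echoed Cookie line for the template to report a finding. The Set-Cookie header in the constructed fixed sample shows that a JSESSIONID appearing in response headers alone is not enough to trigger the body_2 matcher.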