
CWE-614 (Sensitive Cookie in HTTPS Session Without 'Secure' Attribute) — Vulnerability Class 47

47 vulnerabilities classified as CWE-614 (Sensitive Cookie in HTTPS Session Without 'Secure' Attribute). AI analysis in Chinese included.

CWE-614 is a configuration weakness: a cookie carrying sensitive data is issued during an HTTPS session without the Secure attribute. Without that attribute the browser will also send the cookie on any plain-HTTP request to the same host, so an attacker positioned on the network can capture it even though the application itself is served over TLS; it is enough for the session to fall back to HTTP at some point, or for the client not to enforce HTTPS strictly. The exposed cookie may be a session identifier, an authentication token, or personal data. The mitigation is to set the Secure attribute explicitly on every cookie that holds sensitive information, so the browser transmits it only over encrypted HTTPS connections. Sending an HTTP Strict Transport Security (HSTS) header and validating the server configuration further prevent accidental HTTP fallbacks, preserving the confidentiality and integrity of user sessions.

MITRE CWE Description
The Secure attribute for sensitive cookies in HTTPS sessions is not set.
Common Consequences (1)
Scope: Confidentiality. Impact: Read Application Data.
Omitting the Secure flag makes it possible for the user agent to send the cookies in plaintext over an HTTP session.
Mitigations (1)
Phase: Implementation. Always set the Secure attribute when the cookie should be sent via HTTPS only.
Examples (1)
The snippet of code below, taken from a servlet doPost() method, sets an accountID cookie (sensitive) without calling setSecure(true).
Cookie c = new Cookie(ACCOUNT_ID, acctID); // sensitive cookie; setSecure(true) is never called
response.addCookie(c);
Bad · Java
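The servlet snippet above shows the weakness from the server side; the check below shows how a defender would spot it in the resulting response. It is an added example, not code from the CWE entry or from any product listed on this page: it parses Set-Cookie headers and flags sensitive cookies (a constructed name list, including accountID) that lack the Secure attribute, with the HttpOnly check and the __Secure-/__Host- prefix rule included as a generalization.

```python
# Added example (not from the CWE entry or any listed product): audit
# Set-Cookie headers for the CWE-614 pattern. Cookie names are constructed.
from typing import Dict, List

# Constructed set of cookie names treated as carrying session/identity data.
SENSITIVE_NAMES = {"accountid", "sessionid", "jsessionid", "auth_token"}


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie value into name, value and a lowercase attribute map."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # flag attributes map to ""
    return {"name": name.strip(), "value": value, "attrs": attrs}


def audit_set_cookie(header: str) -> List[str]:
    """Return findings for one Set-Cookie header; an empty list means it is OK."""
    cookie = parse_set_cookie(header)
    name, attrs = cookie["name"], cookie["attrs"]
    findings: List[str] = []
    if name.lower() in SENSITIVE_NAMES:
        if "secure" not in attrs:
            findings.append(f"CWE-614: sensitive cookie {name!r} lacks Secure")
        if "httponly" not in attrs:
            findings.append(f"sensitive cookie {name!r} lacks HttpOnly")
    # __Secure-/__Host- prefixed cookies must carry Secure regardless of the name list.
    if name.startswith(("__Secure-", "__Host-")) and "secure" not in attrs:
        findings.append(f"prefixed cookie {name!r} lacks Secure")
    return findings


def audit_response_headers(headers: List[tuple]) -> Dict[str, List[str]]:
    """Audit every Set-Cookie header in a list of (name, value) pairs."""
    report: Dict[str, List[str]] = {}
    for hname, value in headers:
        if hname.lower() == "set-cookie":
            issues = audit_set_cookie(value)
            if issues:
                report[parse_set_cookie(value)["name"]] = issues
    return report


# Constructed sample headers: the first mirrors the servlet snippet above
# (accountID cookie with no Secure attribute); the second is the hardened form.
SAMPLE_HEADERS = [
    ("Set-Cookie", "accountID=12345; Path=/"),
    ("Set-Cookie", "sessionId=abc; Path=/; Secure; HttpOnly; SameSite=Lax"),
]
```

Running `audit_response_headers(SAMPLE_HEADERS)` reports only the accountID cookie; the hardened sessionId header produces no findings.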
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2022-21940 | Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in System Configuration Tool (SCT) | System Configuration Tool (SCT) | 7.5 | High | 2023-02-09
CVE-2023-0055 | Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in pyload/pyload | pyload/pyload | 5.3 | - | 2023-01-04
CVE-2018-25060 | Macaron csrf csrf.go missing secure attribute | csrf | 3.7 | Low | 2022-12-30
CVE-2022-4683 | Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in usememos/memos | usememos/memos | 5.3 | - | 2022-12-23
CVE-2022-4409 | Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in thorsten/phpmyfaq | thorsten/phpmyfaq | 5.3 | - | 2022-12-11
CVE-2022-3250 | Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in ikus060/rdiffweb | ikus060/rdiffweb | 5.3 | - | 2022-09-21
CVE-2022-3251 | Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in ikus060/minarca | ikus060/minarca | 5.3 | - | 2022-09-21
CVE-2022-3174 | Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in ikus060/rdiffweb | ikus060/rdiffweb | 5.3 | - | 2022-09-13
CVE-2015-3207 | Red Hat OpenShift security vulnerability | Openshift Origin | 8.2 | - | 2022-07-07
CVE-2022-25151 | ITarian - Session cookie not protected by HttpOnly flag | ITarian SaaS platform / on-premise | 7.5 | High | 2022-06-08
CVE-2022-24045 | Multiple Siemens products security vulnerability | Desigo DXR2 | 6.5 | - | 2022-05-10
CVE-2021-27764 | HCL BigFix WebUI Cookie missing attributes | HCL BigFix WebUI | 7.4 | High | 2022-05-06
CVE-2021-35236 | Missing Secure Flag From SSL Cookie | Kiwi Syslog Server | 3.1 | Low | 2021-10-27
CVE-2021-3882 | Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in ledgersmb/ledgersmb | ledgersmb/ledgersmb | 6.8 | - | 2021-10-14
CVE-2020-29024 | Missing HtppOnly and Secure flags | GateManager | 5.3 | Medium | 2021-02-16
CVE-2020-27650 | Synology DiskStation Manager security vulnerability | DiskStation Manager (DSM) | 5.8 | Medium | 2020-10-29
CVE-2020-27651 | Synology Router Manager security vulnerability | Synology Router Manager (SRM) | 5.8 | Medium | 2020-10-29

Vulnerabilities classified as CWE-614 (Sensitive Cookie in HTTPS Session Without 'Secure' Attribute) represent 47 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.