Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2019-10405

EPSS 79.83% · P99
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2019-10405

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Description
Jenkins 2.196 and earlier, LTS 2.176.3 and earlier printed the value of the "Cookie" HTTP request header on the /whoAmI/ URL, allowing attackers exploiting another XSS vulnerability to obtain the HTTP session cookie despite it being marked HttpOnly.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
CloudBees Jenkins和LTS 信息泄露漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
CloudBees Jenkins(Hudson Labs)是美国CloudBees公司的一套基于Java开发的持续集成工具。该产品主要用于监控持续的软件版本发布/测试项目和一些定时执行的任务。LTS是CloudBeesJenkins的一个长期支持版本。 CloudBees Jenkins 2.196及之前版本和LTS 2.176.3及之前版本中存在信息泄露漏洞。该漏洞源于网络系统或产品在运行过程中存在配置等错误。未授权的攻击者可利用漏洞获取受影响组件敏感信息。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Shenlong Deep Dive — AI Deep Analysis

10-question deep dive: root cause, exploitation, mitigation, urgency. Read summary free, full version requires login.

Read summary Full analysis (login)

Affected Products

VendorProductAffected VersionsCPESubscribe
Jenkins projectJenkins 2.196 and earlier, LTS 2.176.3 and earlier -

II. Public POCs for CVE-2019-10405

#POC DescriptionSource LinkShenlong Link
1Jenkins through 2.196, LTS 2.176.3 and earlier prints the value of the cookie on the /whoAmI/ URL despite it being marked HttpOnly, thus making it possible to steal cookie-based authentication credentials if the URL is exposed or accessed via another cross-site scripting issue.https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2019/CVE-2019-10405.yamlPOC Details
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2019-10405

登录查看更多情报信息。

Same Patch Batch · Jenkins project · 2019-09-25 · 30 CVEs total

CVE-2019-10419CloudBees Jenkins vFabric Application Director插件安全漏洞
CVE-2019-10411CloudBees Jenkins Inedo BuildMaster Plugin 安全漏洞
CVE-2019-10410CloudBees Jenkins Log Parser Plugin 跨站脚本漏洞
CVE-2019-10409CloudBees Jenkins Project Inheritance Plugin 安全漏洞
CVE-2019-10408CloudBees Jenkins Project Inheritance Plugin 跨站请求伪造漏洞
CVE-2019-10407CloudBees Project Inheritance Plugin 信息泄露漏洞
CVE-2019-10406CloudBees Jenkins 跨站脚本漏洞
CVE-2019-10404CloudBees Jenkins和LTS 跨站脚本漏洞
CVE-2019-10403CloudBees Jenkins和LTS 跨站脚本漏洞
CVE-2019-10402CloudBees Jenkins和LTS 跨站脚本漏洞
CVE-2019-10401CloudBees Jenkins和LTS 跨站脚本漏洞
CVE-2019-10423CloudBees Jenkins CodeScan Plugin 安全漏洞
CVE-2019-10422CloudBees Jenkins Call Remote Job Plugin 安全漏洞
CVE-2019-10421CloudBees Jenkins Azure Event Grid Build Notifier Plugin 安全漏洞
CVE-2019-10420CloudBees Jenkins Assembla Plugin 安全漏洞
CVE-2019-10424CloudBees Jenkins elOyente Plugin 安全漏洞
CVE-2019-10418CloudBees Jenkins Kubernetes :: Pipeline :: Arquillian Steps Plugin 安全漏洞
CVE-2019-10417CloudBees Jenkins Kubernetes::Pipeline::Kubernetes Steps Plugin 安全漏洞
CVE-2019-10416CloudBees Jenkins Violation Comments to GitLab Plugin 安全漏洞
CVE-2019-10415CloudBees Jenkins Violation Comments to GitLab Plugin 安全漏洞

Showing top 20 of 30 CVEs. View all on vendor page → →

IV. Related Vulnerabilities

Same product: Jenkins
Same vendor: Jenkins project

V. Comments for CVE-2019-10405

No comments yet

Leave a comment