PT-2019-11799 · Cloudbees+1 · Jenkins

Jonathan Leitschuh · Published 2019-09-25 · Updated 2023-11-02 · CVE-2019-10405

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Jenkins 2.196 and earlier, LTS 2.176.3 and earlier
Description: Affected Jenkins versions printed the value of the Cookie HTTP request header on the /whoAmI/ URL. An attacker who could already run script in a victim's browser through a separate XSS vulnerability could fetch /whoAmI/ with the victim's credentials and read the session cookie out of the response body, obtaining it despite the cookie being marked HttpOnly. HttpOnly only blocks script access through document.cookie; it does nothing for a copy of the cookie that the server reflects into page content.
Recommendations: Update to Jenkins 2.197 or later, or LTS 2.176.4 or later; those releases no longer print the Cookie header on /whoAmI/. If the update cannot be applied immediately, restrict access to the /whoAmI/ URL (for example at a reverse proxy in front of Jenkins) so that script running in a victim's browser cannot retrieve it. Because the leak is only reachable through a separate XSS, fixing any known XSS in the instance or its plugins also breaks the chain. More generally, any diagnostic page that echoes request headers should strip Cookie and Authorization before rendering; HTML-escaping the values does not help, since the cookie is leaked as plain text either way.

Fix

Information Disclosure

XSS

Weakness Enumeration

Related Identifiers

CVE-2019-10405
GHSA-47WC-P5CP-W7PW

Affected Products

Jenkins