Security context
Medium· 4.3GHSA-47wc-p5cp-w7pw CVE-2019-10405CWE-200CWE-79Published May 24, 2022

Exposure of Sensitive Information to an Unauthorized Actor in Jenkins

Research this vulnerability

Research is free — Hunters explains how the bug works, the root-cause code pattern, how the fix addresses it, and how to test whether a target is affected, in chat. Investigate & write exploit is a paid run — the engine reads the advisory and fix commits, then builds and validates a working proof-of-concept exploit with reproduction steps.

Affected versions

0 → fixed in 2.176.42.177 → fixed in 2.197

Details

Jenkins 2.196 and earlier, LTS 2.176.3 and earlier printed the value of the "Cookie" HTTP request header on the /whoAmI/ URL, allowing attackers exploiting another XSS vulnerability to obtain the HTTP session cookie despite it being marked HttpOnly.

The fix

[SECURITY-1505]

Wadeck Follonier· Sep 10, 2019, 06:27 PM+2010560ee832b4
core/src/main/resources/hudson/security/WhoAmI/index.jelly+20 10
@@ -74,18 +74,28 @@ THE SOFTWARE.
<h2>Request Headers</h2>
<table>
<j:forEach var="n" items="${request.getHeaderNames()}">
- <j:set var="values" value="${h.getRequestHeaders(n)}"/>
- <tr>
- <td rowspan="${values.size()}">${n}</td>
- <td>
- ${values[0]}
- </td>
- </tr>
- <j:forEach var="v" items="${values.subList(1,values.size())}">
+ <j:if test="${n.equalsIgnoreCase('Cookie')}">
<tr>
- <td>${v}</td>
+ <td rowspan="1">${n}</td>
+ <td>
+ <i>(redacted for security reasons)</i>
+ </td>
</tr>
- </j:forEach>
+ </j:if>
+ <j:if test="${!n.equalsIgnoreCase('Cookie')}">
+ <j:set var="values" value="${h.getRequestHeaders(n)}"/>
+ <tr>
+ <td rowspan="${values.size()}">${n}</td>
+ <td>
+ ${values[0]}
+ </td>
+ </tr>
+ <j:forEach var="v" items="${values.subList(1,values.size())}">
+ <tr>
+ <td>${v}</td>
+ </tr>
+ </j:forEach>
+ </j:if>
</j:forEach>
</table>
</l:main-panel>

References