What is CVE-2019-10405?

CVE-2019-10405 is a vulnerability in Jenkins Project. Published 2019-09-25.

Is CVE-2019-10405 known to be exploited?

3 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in Jenkins Project

CVE-2019-10405

Jenkins 2.196 and earlier, LTS 2.176.3 and earlier printed the value of the "Cookie" HTTP request header on the /whoAmI/ URL, allowing attackers exploiting another XSS vulnerability to obtain the HTTP session cookie despite it being marked…

EPSS: 0.823 (99.2th percentile) — read the EPSS interpretation.

Affected products

Jenkins Project — versions 2.196 and earlier, LTS 2.176.3 and earlier

Public proof-of-concept exploits

20142995/nuclei-templates
ARPSyndicate/cve-scores
ARPSyndicate/kenzer-templates

References

jenkins.io/security/advisory/2019-09-25/ (x_refsource_CONFIRM)
[oss-security] 20190925 Multiple vulnerabilities in Jenkins and Jenkins plugins (mailing-list, x_refsource_MLIST)

Frequently asked questions

What is CVE-2019-10405?: CVE-2019-10405 is a vulnerability in Jenkins Project. Published 2019-09-25.
Is CVE-2019-10405 known to be exploited?: 3 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.