CVE-2019-10405 PoC — CloudBees Jenkins和LTS 信息泄露漏洞

Source

https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2019/CVE-2019-10405.yaml

Associated Vulnerability

Title:CloudBees Jenkins和LTS 信息泄露漏洞 (CVE-2019-10405)
Description:CloudBees Jenkins（Hudson Labs）是美国CloudBees公司的一套基于Java开发的持续集成工具。该产品主要用于监控持续的软件版本发布/测试项目和一些定时执行的任务。LTS是CloudBeesJenkins的一个长期支持版本。 CloudBees Jenkins 2.196及之前版本和LTS 2.176.3及之前版本中存在信息泄露漏洞。该漏洞源于网络系统或产品在运行过程中存在配置等错误。未授权的攻击者可利用漏洞获取受影响组件敏感信息。

Description

Jenkins through 2.196, LTS 2.176.3 and earlier prints the value of the cookie on the /whoAmI/ URL despite it being marked HttpOnly, thus making it possible to steal cookie-based authentication credentials if the URL is exposed or accessed via another cross-site scripting issue.

File Snapshot


 id: CVE-2019-10405

info:
  name: Jenkins <=2.196 - Cookie Exposure
  author: c-sh0
  severity: medi

...

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!