Jenkins - Security Vulnerability


mohan reddy

May 21, 2018, 9:13:37 AM
to Jenkins Users
Hi Team,

I was hoping that you would put me in the correct direction. I have reached out to the support team who work on Jira tickets (https://issues.jenkins-ci.org/browse/SECURITY-880) but no luck.

We'd like to enable the secure flag on session IDs, and any help that you could provide is greatly appreciated.

Below is the info:


In secure HTTPS applications, cookies must have the “Secure” flag set. The “Secure” flag informs browsers that a cookie should only be sent on connections that are encrypted with SSL.

Without the “secure” flag, the non-encrypted HTTP domain for the application receives same-origin access to cookies set by the secure HTTPS domain; browsers will send unencrypted plaintext copies of cookies without the “secure” flag.

Because any attacker on the Internet can fake the non-encrypted HTTP domain (it’s the encryption provided by TLS in HTTPS that prevents that from happening), and because cookies usually form the core of the authentication and authorization model of a web application, failing to set the “Secure” flag negates much of the security provided by SSL.

RECOMMENDATION: Consult framework documentation to set the “Secure” flag on the cookie. Setting the “Secure” flag is usually simple; the framework may have a configuration setting that ensures all cookies are “Secure”, almost always provides a configuration option to ensure the Session cookie is “Secure”, and will usually offer the “Secure” flag as an option on the line of code that creates any given cookie.





Attachments: jenkins sec.PNG, Jenkins Vul1.PNG, Jenkins Vul2.PNG
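The scanner text quoted in the post above describes the finding in prose only. As an added example (not part of the original post, the scanner's output, or Jenkins itself), the following script shows how such a check works: it parses `Set-Cookie` header values and reports any cookie that lacks the `Secure` attribute, treating cookies whose name starts with `JSESSIONID` (the default servlet session cookie name, which Jenkins uses with a per-instance suffix) as the high-severity case the scanner is concerned with. The sample headers are constructed for the example, not captured from a real Jenkins instance; the `audit_cookies` and `parse_set_cookie` names are my own.

```python
"""Audit Set-Cookie header values for the Secure and HttpOnly attributes.

Added example: a minimal version of the check a web scanner performs
when it reports "session cookie without Secure flag".
"""
from dataclasses import dataclass, field


@dataclass
class CookieInfo:
    """One parsed Set-Cookie header: name, value and lower-cased attributes."""
    name: str
    value: str
    attributes: dict = field(default_factory=dict)

    @property
    def secure(self) -> bool:
        # Secure is a flag attribute: its presence is what matters, not a value
        return "secure" in self.attributes

    @property
    def httponly(self) -> bool:
        return "httponly" in self.attributes


def parse_set_cookie(header: str) -> CookieInfo:
    """Parse a single Set-Cookie header value (RFC 6265 layout).

    The first `name=value` pair is the cookie; the remaining `;`-separated
    parts are attributes. Attribute names are lower-cased so that `Secure`,
    `secure` and `SECURE` compare equal; flag attributes map to None.
    """
    parts = [p.strip() for p in header.split(";")]
    name, sep, value = parts[0].partition("=")
    if not sep or not name.strip():
        raise ValueError(f"malformed cookie pair: {parts[0]!r}")
    attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, sep, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return CookieInfo(name.strip(), value, attrs)


def audit_cookies(headers, session_prefixes=("JSESSIONID",)):
    """Return one finding string per missing attribute, in header order.

    A session cookie (name matching one of session_prefixes) without Secure
    is HIGH, any other cookie without Secure is MEDIUM, and a missing
    HttpOnly is LOW. An empty list means every cookie passed.
    """
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        is_session = cookie.name.startswith(session_prefixes)
        severity = "HIGH" if is_session else "MEDIUM"
        if not cookie.secure:
            findings.append(f"{severity}: cookie {cookie.name} lacks the Secure attribute")
        if not cookie.httponly:
            findings.append(f"LOW: cookie {cookie.name} lacks the HttpOnly attribute")
    return findings


# Constructed sample headers for the example (not from a real server).
SAMPLE_HEADERS = [
    # session cookie as the scanner would flag it: HttpOnly but no Secure
    "JSESSIONID.abc123=node0example; Path=/; HttpOnly",
    # a non-session cookie with neither attribute
    "screenResolution=1920x1080; Path=/",
    # the corrected form of the session cookie: both attributes present
    "JSESSIONID.abc123=node0example; Path=/; Secure; HttpOnly",
]


if __name__ == "__main__":
    for finding in audit_cookies(SAMPLE_HEADERS):
        print(finding)
```

To run it against a live instance, feed `audit_cookies` the list of `Set-Cookie` values from a response to the login page (for example `response.headers.get_all("Set-Cookie")` from `http.client`); the corrected third sample header shows what a passing session cookie looks like.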

mohan reddy

May 22, 2018, 3:00:40 PM
to Jenkins Users
Hi All,

I just want to know if there is anything that can be done to bring this to closure.

Any help that you provide is greatly appreciated.


-Mohan