Jenkins shows various technical information about the current user on the /whoAmI URL, including the HTTP request headers. This allowed attackers who could exploit a separate cross-site scripting vulnerability to obtain the Cookie header's value, even though the HttpOnly flag would otherwise prevent JavaScript from reading it directly. References: https://jenkins.io/security/advisory/2019-09-25/#SECURITY-1505
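As an added illustration (not Jenkins code, and not taken from the advisory), a small Python model of the failure mode described above and of its mitigation: a diagnostics page that echoes request headers verbatim beside one that redacts credential-bearing headers, plus a check a defender can run over a response body to confirm the Cookie header is no longer reflected. The function names and the sample headers are constructed for the example.

```python
import html

# Constructed sample request headers; the Cookie and Authorization values
# are placeholders, not real credentials.
SAMPLE_HEADERS = {
    "Host": "jenkins.example.internal",
    "User-Agent": "Mozilla/5.0 (constructed)",
    "Cookie": "JSESSIONID.placeholder=SESSION-ID-PLACEHOLDER",
    "Authorization": "Basic PLACEHOLDER",
}

# Request headers that carry credentials. A diagnostics page must never
# print their values: anything in the page body is readable by same-origin
# script, regardless of the HttpOnly flag on the cookie itself.
SENSITIVE_HEADERS = frozenset({"cookie", "authorization", "proxy-authorization"})


def _table(headers):
    """Render headers as an escaped HTML table (escaping stops injection,
    but does nothing about disclosure of the values)."""
    rows = "".join(
        f"<tr><th>{html.escape(name)}</th><td>{html.escape(value)}</td></tr>"
        for name, value in headers.items()
    )
    return f"<table>{rows}</table>"


def render_whoami_unsafe(headers):
    """Echoes every request header, modelling the behaviour the advisory
    describes: the Cookie line lands in the HTML, so a script injected
    through an unrelated XSS can fetch this page and read it."""
    return _table(headers)


def render_whoami_redacted(headers):
    """Hardened variant: keeps the diagnostic value (header names, harmless
    values) but replaces credential-bearing values before rendering."""
    shown = {
        name: ("[redacted]" if name.lower() in SENSITIVE_HEADERS else value)
        for name, value in headers.items()
    }
    return _table(shown)


def cookie_reflected(body, cookie_value):
    """Verification check: True if the Cookie value that was sent appears in
    the response body, raw or HTML-escaped. Run it against a fetched page
    to confirm an instance no longer echoes the header."""
    return cookie_value in body or html.escape(cookie_value) in body
```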
Created jenkins tracking bugs for this issue: Affects: fedora-all [bug 1764477]