- Issue type: Improvement
- Resolution: Won't Fix
- Priority: Major
- None
Jenkins version information is available via these headers.
$ curl --head http://localhost:8080/
HTTP/1.1 200 OK
X-Content-Type-Options: nosniff
Cache-Control: no-cache,no-store,must-revalidate
X-Hudson-Theme: default
Content-Type: text/html;charset=UTF-8
Set-Cookie: JSESSIONID.e1a19b4b=1gfm5fw8eis821xv28jzelg745;Path=/;HttpOnly
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Hudson: 1.395
X-Jenkins: 1.625
X-Jenkins-Session: 786ba6b1
X-Frame-Options: sameorigin
X-Instance-Identity: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAhbOS0Es16jqr0KkNm8mqCHqs0rgTjvpA/gKkPE5Nii0xr6Z0TL08EEGdtns+Tufwk3kSb1fFH/+H1CxEJya2H4gwNcklRt5iB4f1Sfxt9HZ5/MkvCwpuGcVbsJqQaTYWVb7e2/Hcf1+Zh+zDpQCTJ8L5QrttoT80CMypF9Jo4JklUbi1lGjxSY2duN++0Gl10+jAmmouy0KqmeYM4HD/uUS+C2aM0Dlma1X/vSsIcjMeF70YKeA1FuI45uEqsfJSe1+rPknoCC6F2C3ZqcyhSnVP5Vh+5ijdNx1cvkb9JWiY6cmt9IWPI2sBpZB3qOwBrc2ty81anerf8kCFrW3ALQIDAQAB
Content-Length: 11381
Server: Jetty(winstone-2.8)
X-Hudson usages in Jenkins:
- https://github.com/jenkinsci/jenkins/blob/eddb8d460935c8deca57c31e7e01602d5f10d9cb/core/src/main/java/hudson/Main.java#L107
- https://github.com/jenkinsci/jenkins/blob/9fce1ee933eb5276baff977d562fc8e183f1c8d6/core/src/main/java/hudson/util/FormFieldValidator.java#L337
- https://github.com/jenkinsci/jenkins/blob/eddb8d460935c8deca57c31e7e01602d5f10d9cb/cli/src/main/java/hudson/cli/CLI.java#L327
X-Jenkins usage in Jenkins:
Issue:
The application reveals details of the current server implementation (Jenkins and Hudson versions, servlet container version) in every HTTP response sent back to the user. An attacker can use this information to look up known vulnerabilities for that exact version and then mount further attacks against the application to obtain unauthorized access.
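A defender-side check for this kind of disclosure, added here as an example (it is not part of Jenkins or of this issue): it parses a captured response head and reports which of the headers seen in the curl output above are present, extracting the Jenkins core version from X-Jenkins. The sample response embedded in the block is constructed from the headers shown above.

```python
"""Flag HTTP response headers that disclose Jenkins/Hudson implementation details.

Added example, not Jenkins' own code. The header names checked are the ones
visible in the curl output above; SAMPLE_RESPONSE is a constructed response head.
"""
import re
from typing import Dict, List, Optional, Tuple

# Headers that reveal implementation details, with what each one discloses.
DISCLOSURE_HEADERS = {
    "x-hudson": "Hudson compatibility version",
    "x-jenkins": "Jenkins core version",
    "x-jenkins-session": "session identifier of the running instance",
    "x-instance-identity": "instance public key",
    "server": "servlet container and its version",
}


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse a raw HTTP/1.1 response head (status line plus headers) into a dict.
    Header names are lower-cased; the status line is stored under ':status'."""
    lines = raw.replace("\r\n", "\n").strip().split("\n")
    headers: Dict[str, str] = {":status": lines[0].strip()}
    for line in lines[1:]:
        if ":" not in line:
            continue  # tolerate malformed lines instead of failing the whole scan
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def find_disclosures(headers: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (header, value, explanation) for each disclosure header present."""
    return [(h, headers[h], why) for h, why in DISCLOSURE_HEADERS.items() if h in headers]


def jenkins_version(headers: Dict[str, str]) -> Optional[str]:
    """Extract the Jenkins core version (e.g. '1.625') from X-Jenkins, or None."""
    m = re.match(r"\d+(\.\d+)*", headers.get("x-jenkins", ""))
    return m.group(0) if m else None


# Constructed sample, trimmed from the curl output in the issue description.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
X-Content-Type-Options: nosniff
X-Hudson-Theme: default
X-Hudson: 1.395
X-Jenkins: 1.625
X-Jenkins-Session: 786ba6b1
X-Frame-Options: sameorigin
Server: Jetty(winstone-2.8)
"""

if __name__ == "__main__":
    hdrs = parse_headers(SAMPLE_RESPONSE)
    for name, value, why in find_disclosures(hdrs):
        print(f"{name}: {value}  ({why})")
    print("Jenkins version:", jenkins_version(hdrs))
```

To check a live instance, feed the output of `curl --head` into `parse_headers` instead of the constructed sample.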