Jenkins before 1.586 does not set the HttpOnly flag in a Set-Cookie header for session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to obtain potentially sensitive information via script access to cookies.Referenceshttp://www.openwall.com/lists/oss-security/2015/01/22/3https://issues.jenkins-ci.org/browse/JENKINS-25019https://bugzilla.redhat.com/show_bug.cgi?id=1185151https://jenkins.io/changelog-old/https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769682https://github.com/jenkinsci/jenkins/commit/582128b9ac179a788d43c1478be8a5224dc19710http://www.securityfocus.com/bid/72054
