Variant · Low-Medium

CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

The Secure attribute for sensitive cookies in HTTPS sessions is not set.

CWE-614 · Variant Level · 5 CVEs · 1 Mitigation

Description

The Secure attribute for sensitive cookies in HTTPS sessions is not set.

Potential Impact

Confidentiality

Read Application Data

Demonstrative Examples

The snippet below, taken from a servlet doPost() method, sets an accountID cookie (sensitive) without calling setSecure(true). Because no Secure attribute is emitted, the browser will also attach this cookie to plain HTTP requests to the same host, where it can be read by anyone on the network path.
Bad
  Cookie c = new Cookie(ACCOUNT_ID, acctID);  // no c.setSecure(true): cookie is sent over HTTP as well as HTTPS
  response.addCookie(c);

Mitigations & Prevention

Implementation

Always set the Secure attribute on cookies that should only be sent over HTTPS, in particular session and authentication cookies. Secure only restricts transmission to TLS-protected connections; it does not protect the cookie from script access or cross-site requests, so pair it with HttpOnly and SameSite where appropriate, and verify the attribute is present in the Set-Cookie header actually sent to the client, since framework defaults differ.

Detection Methods

  • Automated Static Analysis High — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea
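The following Python is an added example and is not part of the CWE entry or of any project's code. It shows the mitigation and the detection side together: build_set_cookie emits a Set-Cookie header with Secure (and HttpOnly/SameSite) set, with secure=False reproducing the CWE-614 defect, and audit_set_cookie / audit_response scan Set-Cookie headers the way a dynamic check on a live HTTPS response would, flagging sensitive cookies that lack Secure. The list SENSITIVE_NAMES and the sample response headers are constructed for the example; the "ACCOUNT_ID=12345" line mirrors what the page's bad servlet snippet would send. Only the Python standard library is used.

```python
from http.cookies import SimpleCookie

# Constructed list of cookie names this check treats as sensitive. A real
# deployment should enumerate its own session/auth cookie names instead.
SENSITIVE_NAMES = {"JSESSIONID", "PHPSESSID", "session", "sessionid", "auth", "token", "ACCOUNT_ID"}


def build_set_cookie(name, value, secure=True, http_only=True, same_site="Lax", path="/"):
    """Return a Set-Cookie header value with the attributes a session cookie needs.

    secure=False reproduces CWE-614: without the Secure attribute the browser
    will also send the cookie on plain http:// requests to the same host.
    """
    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["path"] = path
    morsel["httponly"] = http_only   # flag attribute: emitted only when truthy
    morsel["secure"] = secure        # flag attribute: emitted only when truthy
    morsel["samesite"] = same_site
    return morsel.OutputString()


def audit_set_cookie(header_value, sensitive=SENSITIVE_NAMES):
    """Inspect one Set-Cookie header value; return a list of finding strings.

    Returns [] when the cookie is not in the sensitive set or carries Secure.
    Attribute names are matched case-insensitively, as browsers do.
    """
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    if not parts:
        return []
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    findings = []
    if name in sensitive and "secure" not in attrs:
        findings.append("CWE-614: sensitive cookie %r is set without the Secure attribute" % name)
    return findings


def audit_response(headers, sensitive=SENSITIVE_NAMES):
    """Run audit_set_cookie over every Set-Cookie header of a response.

    headers is a list of (name, value) pairs as returned by e.g.
    http.client.HTTPResponse.getheaders(); multiple Set-Cookie lines are common.
    """
    findings = []
    for hname, hvalue in headers:
        if hname.lower() == "set-cookie":
            findings.extend(audit_set_cookie(hvalue, sensitive))
    return findings


if __name__ == "__main__":
    # Constructed sample response headers: the first Set-Cookie is what the
    # page's bad servlet snippet would emit, the second is the corrected form.
    sample_headers = [
        ("Content-Type", "text/html"),
        ("Set-Cookie", "ACCOUNT_ID=12345"),
        ("Set-Cookie", build_set_cookie("JSESSIONID", "A1B2C3")),
        ("Set-Cookie", "theme=dark; Path=/"),
    ]
    for finding in audit_response(sample_headers):
        print(finding)
```

The audit is deliberately header-based rather than source-based: it catches the cases SAST misses, such as a framework that silently drops the attribute or a reverse proxy that rewrites Set-Cookie, and it can be run against a staging host over HTTPS from a plain http.client session.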

Real-World CVE Examples

CVE ID | Description
CVE-2024-47833 | Python library for ML and data science does not use the Secure flag for session cookies.
CVE-2004-0462 | A product does not set the Secure attribute for sensitive cookies in HTTPS sessions, which could cause the user agent to send those cookies in plaintext over an HTTP session with the product.
CVE-2008-3663 | A product does not set the Secure flag for the session cookie in an HTTPS session, which can cause the cookie to be sent in HTTP requests and make it easier for remote attackers to capture this cookie.
CVE-2008-3662 | A product does not set the Secure flag for the session cookie in an HTTPS session, which can cause the cookie to be sent in HTTP requests and make it easier for remote attackers to capture this cookie.
CVE-2008-0128 | A product does not set the Secure flag for a cookie in an HTTPS session, which can cause the cookie to be sent in HTTP requests and make it easier for remote attackers to capture this cookie.

Frequently Asked Questions

What is CWE-614?

CWE-614 (Sensitive Cookie in HTTPS Session Without 'Secure' Attribute) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Variant-level weakness. The Secure attribute for sensitive cookies in HTTPS sessions is not set.

How can CWE-614 be exploited?

An attacker who can observe cleartext HTTP traffic between the victim and the application (for example on a shared or hostile network), or who can get the victim's browser to issue a plain http:// request to the same host, receives the cookie in plaintext and can replay it to read application data under the victim's session. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-614?

Key mitigations include: always set the Secure attribute on cookies that should be sent over HTTPS only, and confirm it appears in the Set-Cookie header the client actually receives.

What is the severity of CWE-614?

CWE-614 is classified as a Variant-level weakness, the most specific level of CWE abstraction, and is rated Low-Medium on this page. It has been observed in 5 real-world CVEs.