CVSS2 score: 7.5 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector string: AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS: 0.394 Low
EPSS Percentile: 96.9%
The Jenkins UI allowed users to see the names of jobs and builds otherwise inaccessible to them on the "Fingerprints" pages if those shared file fingerprints with fingerprinted files in accessible jobs.

The salt used to generate the CSRF protection tokens was a publicly accessible value, allowing malicious users to circumvent CSRF protection by generating the correct token.

When creating a job using the create-job CLI command, external entities are not discarded (nor processed). If these job configurations are processed by another user with an XML-aware tool (e.g. using get-job/update-job), information from that user’s computer may be disclosed to Jenkins and the attacker.

JNLP slave connections did not verify that the correct secret was supplied, which allowed malicious users to connect their own machines as slaves to Jenkins knowing only the name of the slave. This enables attackers to take over Jenkins (unless the slave-to-master security subsystem is enabled) or gain access to private data like keys and source code.

The CLI command overview and help pages in Jenkins were accessible without Overall/Read permission, resulting in disclosure of the names of configured slaves (and contents of other sidepanel widgets, if present) to unauthorized users.

Access to the /jnlpJars/ URL was not limited to the specific JAR files users needed to access, allowing browsing directories and downloading other files in the Jenkins servlet resources, such as web.xml.

API tokens of other users were exposed to admins by default. On instances that don’t implicitly grant RunScripts permission to admins, this allowed admins to run scripts with another user’s credentials.

The /queue/api URL could return information about items not accessible to the current user (such as parameter names and values, build names, project descriptions).

Slaves connecting via JNLP were not subject to the optional slave-to-master access control documented at http://jenkins-ci.org/security-144 (CVE-2014-3665).

Users with the permission to take slave nodes offline can enter arbitrary HTML that gets shown unescaped to users visiting the slave overview page.

Unsafe deserialization allows unauthenticated remote attackers to run arbitrary code on the Jenkins master.
access.redhat.com/security/cve/CVE-2015-5317
access.redhat.com/security/cve/CVE-2015-5318
access.redhat.com/security/cve/CVE-2015-5319
access.redhat.com/security/cve/CVE-2015-5320
access.redhat.com/security/cve/CVE-2015-5321
access.redhat.com/security/cve/CVE-2015-5322
access.redhat.com/security/cve/CVE-2015-5323
access.redhat.com/security/cve/CVE-2015-5324
access.redhat.com/security/cve/CVE-2015-5325
access.redhat.com/security/cve/CVE-2015-5326
access.redhat.com/security/cve/CVE-2015-8103
wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11