Vulnerability-Lookup

WID-SEC-W-2023-1215

Vulnerability from csaf_certbund - Published: 2015-11-11 23:00 - Updated: 2023-05-14 22:00

Summary

Jenkins: Mehrere Schwachstellen

Severity

Hoch

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung: Jenkins ist ein erweiterbarer, webbasierter Integration Server zur kontinuierlichen Unterstützung bei Softwareentwicklungen aller Art.

Angriff: Ein entfernter, anonymer oder angemeldeter Angreifer kann mehrere Schwachstellen in Jenkins ausnutzen, um Sicherheitsfunktionen zu umgehen, einen "stored cross-site-scripting"-Angriff durchzuführen, Benutzerrechte zu erlangen und um Informationen offenzulegen.

Betroffene Betriebssysteme: - UNIX - Linux - Windows

CVE-2015-5317

In Jenkins existieren mehrere Schwachstellen. Ein anonymer, entfernter bzw. angemeldeter Angreifer kann diese Schwachstellen nutzen, um Sicherheitsfunktionen zu umgehen, einen "stored cross-site-scripting"-Angriff durchzuführen, Benutzerrechte zu erlangen und um Informationen offenzulegen.

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
Red Hat OpenShift Enterprise Red Hat	`cpe:/a:redhat:openshift:::enterprise`	—

CVE-2015-5318

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
Red Hat OpenShift Enterprise Red Hat	`cpe:/a:redhat:openshift:::enterprise`	—

CVE-2015-5319

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
Red Hat OpenShift Enterprise Red Hat	`cpe:/a:redhat:openshift:::enterprise`	—

CVE-2015-5320

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
Red Hat OpenShift Enterprise Red Hat	`cpe:/a:redhat:openshift:::enterprise`	—

CVE-2015-5321

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
Red Hat OpenShift Enterprise Red Hat	`cpe:/a:redhat:openshift:::enterprise`	—

CVE-2015-5322

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
Red Hat OpenShift Enterprise Red Hat	`cpe:/a:redhat:openshift:::enterprise`	—

CVE-2015-5323

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
Red Hat OpenShift Enterprise Red Hat	`cpe:/a:redhat:openshift:::enterprise`	—

CVE-2015-5324

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
Red Hat OpenShift Enterprise Red Hat	`cpe:/a:redhat:openshift:::enterprise`	—

CVE-2015-5325

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
Red Hat OpenShift Enterprise Red Hat	`cpe:/a:redhat:openshift:::enterprise`	—

CVE-2015-5326

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
Red Hat OpenShift Enterprise Red Hat	`cpe:/a:redhat:openshift:::enterprise`	—

CVE-2015-8103

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
Red Hat OpenShift Enterprise Red Hat	`cpe:/a:redhat:openshift:::enterprise`	—

References

6 references

URL	Category
https://wid.cert-bund.de/.well-known/csaf/white/2…	self
https://wid.cert-bund.de/portal/wid/securityadvis…	self
https://www.cisa.gov/known-exploited-vulnerabilit…	external
https://wiki.jenkins-ci.org/display/SECURITY/Jenk…	external
https://access.redhat.com/errata/RHSA-2016:0070	external
https://rhn.redhat.com/errata/RHSA-2016-0489.html	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Jenkins ist ein erweiterbarer, webbasierter Integration Server zur kontinuierlichen Unterst\u00fctzung bei Softwareentwicklungen aller Art.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, anonymer oder angemeldeter Angreifer kann mehrere Schwachstellen in Jenkins ausnutzen, um Sicherheitsfunktionen zu umgehen, einen \"stored cross-site-scripting\"-Angriff durchzuf\u00fchren, Benutzerrechte zu erlangen und um Informationen offenzulegen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- UNIX\n- Linux\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2023-1215 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2015/wid-sec-w-2023-1215.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2023-1215 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-1215"
      },
      {
        "category": "external",
        "summary": "CISA Known Exploited Vulnerabilities Catalog vom 2023-05-14",
        "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
      },
      {
        "category": "external",
        "summary": "Jenkins Security Advisory vom 2015-11-11",
        "url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2016:0070 vom 2016-01-27",
        "url": "https://access.redhat.com/errata/RHSA-2016:0070"
      },
      {
        "category": "external",
        "summary": "RedHat Security Advisory RHSA-2016-0489",
        "url": "https://rhn.redhat.com/errata/RHSA-2016-0489.html"
      }
    ],
    "source_lang": "en-US",
    "title": "Jenkins: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2023-05-14T22:00:00.000+00:00",
      "generator": {
        "date": "2024-08-15T17:50:53.264+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.5"
        }
      },
      "id": "WID-SEC-W-2023-1215",
      "initial_release_date": "2015-11-11T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2015-11-11T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initial Release"
        },
        {
          "date": "2015-11-11T23:00:00.000+00:00",
          "number": "2",
          "summary": "Version nicht vorhanden"
        },
        {
          "date": "2015-11-11T23:00:00.000+00:00",
          "number": "3",
          "summary": "Version nicht vorhanden"
        },
        {
          "date": "2016-01-26T23:00:00.000+00:00",
          "number": "4",
          "summary": "New remediations available"
        },
        {
          "date": "2016-01-26T23:00:00.000+00:00",
          "number": "5",
          "summary": "Version nicht vorhanden"
        },
        {
          "date": "2016-03-22T23:00:00.000+00:00",
          "number": "6",
          "summary": "New remediations available"
        },
        {
          "date": "2016-03-22T23:00:00.000+00:00",
          "number": "7",
          "summary": "Version nicht vorhanden"
        },
        {
          "date": "2023-05-14T22:00:00.000+00:00",
          "number": "8",
          "summary": "Exploit-Hinweis f\u00fcr CVE-2015-5317 aufgenommen"
        }
      ],
      "status": "final",
      "version": "8"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Jenkins Jenkins \u003c 1.638",
                "product": {
                  "name": "Jenkins Jenkins \u003c 1.638",
                  "product_id": "T006418",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:cloudbees:jenkins:1.638"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Jenkins Jenkins \u003c 1.625.2 LTS",
                "product": {
                  "name": "Jenkins Jenkins \u003c 1.625.2 LTS",
                  "product_id": "T006419",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:cloudbees:jenkins:1.625.2"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Jenkins"
          }
        ],
        "category": "vendor",
        "name": "Jenkins"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Red Hat OpenShift Enterprise",
            "product": {
              "name": "Red Hat OpenShift Enterprise",
              "product_id": "T000393",
              "product_identification_helper": {
                "cpe": "cpe:/a:redhat:openshift:::enterprise"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2015-5317",
      "notes": [
        {
          "category": "description",
          "text": "In Jenkins existieren mehrere Schwachstellen. Ein anonymer, entfernter bzw. angemeldeter Angreifer kann diese Schwachstellen nutzen, um Sicherheitsfunktionen zu umgehen, einen \"stored cross-site-scripting\"-Angriff durchzuf\u00fchren, Benutzerrechte zu erlangen und um Informationen offenzulegen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T000393"
        ]
      },
      "release_date": "2015-11-11T23:00:00.000+00:00",
      "title": "CVE-2015-5317"
    },
    {
      "cve": "CVE-2015-5318",
      "notes": [
        {
          "category": "description",
          "text": "In Jenkins existieren mehrere Schwachstellen. Ein anonymer, entfernter bzw. angemeldeter Angreifer kann diese Schwachstellen nutzen, um Sicherheitsfunktionen zu umgehen, einen \"stored cross-site-scripting\"-Angriff durchzuf\u00fchren, Benutzerrechte zu erlangen und um Informationen offenzulegen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T000393"
        ]
      },
      "release_date": "2015-11-11T23:00:00.000+00:00",
      "title": "CVE-2015-5318"
    },
    {
      "cve": "CVE-2015-5319",
      "notes": [
        {
          "category": "description",
          "text": "In Jenkins existieren mehrere Schwachstellen. Ein anonymer, entfernter bzw. angemeldeter Angreifer kann diese Schwachstellen nutzen, um Sicherheitsfunktionen zu umgehen, einen \"stored cross-site-scripting\"-Angriff durchzuf\u00fchren, Benutzerrechte zu erlangen und um Informationen offenzulegen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T000393"
        ]
      },
      "release_date": "2015-11-11T23:00:00.000+00:00",
      "title": "CVE-2015-5319"
    },
    {
      "cve": "CVE-2015-5320",
      "notes": [
        {
          "category": "description",
          "text": "In Jenkins existieren mehrere Schwachstellen. Ein anonymer, entfernter bzw. angemeldeter Angreifer kann diese Schwachstellen nutzen, um Sicherheitsfunktionen zu umgehen, einen \"stored cross-site-scripting\"-Angriff durchzuf\u00fchren, Benutzerrechte zu erlangen und um Informationen offenzulegen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T000393"
        ]
      },
      "release_date": "2015-11-11T23:00:00.000+00:00",
      "title": "CVE-2015-5320"
    },
    {
      "cve": "CVE-2015-5321",
      "notes": [
        {
          "category": "description",
          "text": "In Jenkins existieren mehrere Schwachstellen. Ein anonymer, entfernter bzw. angemeldeter Angreifer kann diese Schwachstellen nutzen, um Sicherheitsfunktionen zu umgehen, einen \"stored cross-site-scripting\"-Angriff durchzuf\u00fchren, Benutzerrechte zu erlangen und um Informationen offenzulegen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T000393"
        ]
      },
      "release_date": "2015-11-11T23:00:00.000+00:00",
      "title": "CVE-2015-5321"
    },
    {
      "cve": "CVE-2015-5322",
      "notes": [
        {
          "category": "description",
          "text": "In Jenkins existieren mehrere Schwachstellen. Ein anonymer, entfernter bzw. angemeldeter Angreifer kann diese Schwachstellen nutzen, um Sicherheitsfunktionen zu umgehen, einen \"stored cross-site-scripting\"-Angriff durchzuf\u00fchren, Benutzerrechte zu erlangen und um Informationen offenzulegen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T000393"
        ]
      },
      "release_date": "2015-11-11T23:00:00.000+00:00",
      "title": "CVE-2015-5322"
    },
    {
      "cve": "CVE-2015-5323",
      "notes": [
        {
          "category": "description",
          "text": "In Jenkins existieren mehrere Schwachstellen. Ein anonymer, entfernter bzw. angemeldeter Angreifer kann diese Schwachstellen nutzen, um Sicherheitsfunktionen zu umgehen, einen \"stored cross-site-scripting\"-Angriff durchzuf\u00fchren, Benutzerrechte zu erlangen und um Informationen offenzulegen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T000393"
        ]
      },
      "release_date": "2015-11-11T23:00:00.000+00:00",
      "title": "CVE-2015-5323"
    },
    {
      "cve": "CVE-2015-5324",
      "notes": [
        {
          "category": "description",
          "text": "In Jenkins existieren mehrere Schwachstellen. Ein anonymer, entfernter bzw. angemeldeter Angreifer kann diese Schwachstellen nutzen, um Sicherheitsfunktionen zu umgehen, einen \"stored cross-site-scripting\"-Angriff durchzuf\u00fchren, Benutzerrechte zu erlangen und um Informationen offenzulegen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T000393"
        ]
      },
      "release_date": "2015-11-11T23:00:00.000+00:00",
      "title": "CVE-2015-5324"
    },
    {
      "cve": "CVE-2015-5325",
      "notes": [
        {
          "category": "description",
          "text": "In Jenkins existieren mehrere Schwachstellen. Ein anonymer, entfernter bzw. angemeldeter Angreifer kann diese Schwachstellen nutzen, um Sicherheitsfunktionen zu umgehen, einen \"stored cross-site-scripting\"-Angriff durchzuf\u00fchren, Benutzerrechte zu erlangen und um Informationen offenzulegen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T000393"
        ]
      },
      "release_date": "2015-11-11T23:00:00.000+00:00",
      "title": "CVE-2015-5325"
    },
    {
      "cve": "CVE-2015-5326",
      "notes": [
        {
          "category": "description",
          "text": "In Jenkins existieren mehrere Schwachstellen. Ein anonymer, entfernter bzw. angemeldeter Angreifer kann diese Schwachstellen nutzen, um Sicherheitsfunktionen zu umgehen, einen \"stored cross-site-scripting\"-Angriff durchzuf\u00fchren, Benutzerrechte zu erlangen und um Informationen offenzulegen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T000393"
        ]
      },
      "release_date": "2015-11-11T23:00:00.000+00:00",
      "title": "CVE-2015-5326"
    },
    {
      "cve": "CVE-2015-8103",
      "notes": [
        {
          "category": "description",
          "text": "In Jenkins existieren mehrere Schwachstellen. Ein anonymer, entfernter bzw. angemeldeter Angreifer kann diese Schwachstellen nutzen, um Sicherheitsfunktionen zu umgehen, einen \"stored cross-site-scripting\"-Angriff durchzuf\u00fchren, Benutzerrechte zu erlangen und um Informationen offenzulegen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T000393"
        ]
      },
      "release_date": "2015-11-11T23:00:00.000+00:00",
      "title": "CVE-2015-8103"
    }
  ]
}

CVE-2015-5323 (GCVE-0-2015-5323)

Vulnerability from cvelistv5 – Published: 2015-11-25 20:00 – Updated: 2024-08-06 06:41

Summary

Jenkins before 1.638 and LTS before 1.625.2 do not properly restrict access to API tokens which might allow remote administrators to gain privileges and run scripts by using an API token of another user.

Severity ?

No CVSS data available.

CWE

Assigner

redhat

References

3 references

URL	Tags
http://rhn.redhat.com/errata/RHSA-2016-0489.html	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2016:0070	vendor-advisoryx_refsource_REDHAT
https://wiki.jenkins-ci.org/display/SECURITY/Jenk…	x_refsource_CONFIRM

Date Public ?

2015-11-18 00:00

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T06:41:09.554Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "RHSA-2016:0489",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2016-0489.html"
          },
          {
            "name": "RHSA-2016:0070",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2016:0070"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2015-11-18T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Jenkins before 1.638 and LTS before 1.625.2 do not properly restrict access to API tokens which might allow remote administrators to gain privileges and run scripts by using an API token of another user."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2016-06-09T16:57:01.000Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "RHSA-2016:0489",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2016-0489.html"
        },
        {
          "name": "RHSA-2016:0070",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2016:0070"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2015-5323",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Jenkins before 1.638 and LTS before 1.625.2 do not properly restrict access to API tokens which might allow remote administrators to gain privileges and run scripts by using an API token of another user."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "RHSA-2016:0489",
              "refsource": "REDHAT",
              "url": "http://rhn.redhat.com/errata/RHSA-2016-0489.html"
            },
            {
              "name": "RHSA-2016:0070",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2016:0070"
            },
            {
              "name": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11",
              "refsource": "CONFIRM",
              "url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2015-5323",
    "datePublished": "2015-11-25T20:00:00.000Z",
    "dateReserved": "2015-07-01T00:00:00.000Z",
    "dateUpdated": "2024-08-06T06:41:09.554Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2015-5324 (GCVE-0-2015-5324)

Vulnerability from cvelistv5 – Published: 2015-11-25 20:00 – Updated: 2024-08-06 06:41

Summary

Jenkins before 1.638 and LTS before 1.625.2 allow remote attackers to obtain sensitive information via a direct request to queue/api.

Severity ?

No CVSS data available.

CWE

Assigner

redhat

References

3 references

URL	Tags
http://rhn.redhat.com/errata/RHSA-2016-0489.html	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2016:0070	vendor-advisoryx_refsource_REDHAT
https://wiki.jenkins-ci.org/display/SECURITY/Jenk…	x_refsource_CONFIRM

Date Public ?

2015-11-18 00:00

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T06:41:09.544Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "RHSA-2016:0489",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2016-0489.html"
          },
          {
            "name": "RHSA-2016:0070",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2016:0070"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2015-11-18T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Jenkins before 1.638 and LTS before 1.625.2 allow remote attackers to obtain sensitive information via a direct request to queue/api."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2016-06-07T19:57:01.000Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "RHSA-2016:0489",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2016-0489.html"
        },
        {
          "name": "RHSA-2016:0070",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2016:0070"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2015-5324",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Jenkins before 1.638 and LTS before 1.625.2 allow remote attackers to obtain sensitive information via a direct request to queue/api."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "RHSA-2016:0489",
              "refsource": "REDHAT",
              "url": "http://rhn.redhat.com/errata/RHSA-2016-0489.html"
            },
            {
              "name": "RHSA-2016:0070",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2016:0070"
            },
            {
              "name": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11",
              "refsource": "CONFIRM",
              "url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2015-5324",
    "datePublished": "2015-11-25T20:00:00.000Z",
    "dateReserved": "2015-07-01T00:00:00.000Z",
    "dateUpdated": "2024-08-06T06:41:09.544Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2015-5318 (GCVE-0-2015-5318)

Vulnerability from cvelistv5 – Published: 2015-11-25 20:00 – Updated: 2024-08-06 06:41

Summary

Jenkins before 1.638 and LTS before 1.625.2 uses a publicly accessible salt to generate CSRF protection tokens, which makes it easier for remote attackers to bypass the CSRF protection mechanism via a brute force attack.

Severity ?

No CVSS data available.

CWE

Assigner

redhat

References

3 references

URL	Tags
http://rhn.redhat.com/errata/RHSA-2016-0489.html	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2016:0070	vendor-advisoryx_refsource_REDHAT
https://wiki.jenkins-ci.org/display/SECURITY/Jenk…	x_refsource_CONFIRM

Date Public ?

2015-11-18 00:00

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T06:41:09.332Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "RHSA-2016:0489",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2016-0489.html"
          },
          {
            "name": "RHSA-2016:0070",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2016:0070"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2015-11-18T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Jenkins before 1.638 and LTS before 1.625.2 uses a publicly accessible salt to generate CSRF protection tokens, which makes it easier for remote attackers to bypass the CSRF protection mechanism via a brute force attack."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2016-06-09T16:57:01.000Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "RHSA-2016:0489",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2016-0489.html"
        },
        {
          "name": "RHSA-2016:0070",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2016:0070"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2015-5318",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Jenkins before 1.638 and LTS before 1.625.2 uses a publicly accessible salt to generate CSRF protection tokens, which makes it easier for remote attackers to bypass the CSRF protection mechanism via a brute force attack."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "RHSA-2016:0489",
              "refsource": "REDHAT",
              "url": "http://rhn.redhat.com/errata/RHSA-2016-0489.html"
            },
            {
              "name": "RHSA-2016:0070",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2016:0070"
            },
            {
              "name": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11",
              "refsource": "CONFIRM",
              "url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2015-5318",
    "datePublished": "2015-11-25T20:00:00.000Z",
    "dateReserved": "2015-07-01T00:00:00.000Z",
    "dateUpdated": "2024-08-06T06:41:09.332Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2015-5326 (GCVE-0-2015-5326)

Vulnerability from cvelistv5 – Published: 2015-11-25 20:00 – Updated: 2024-08-06 06:41

Summary

Cross-site scripting (XSS) vulnerability in the slave overview page in Jenkins before 1.638 and LTS before 1.625.2 allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via the slave offline status message.

Severity ?

No CVSS data available.

CWE

Assigner

redhat

References

3 references

URL	Tags
http://rhn.redhat.com/errata/RHSA-2016-0489.html	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2016:0070	vendor-advisoryx_refsource_REDHAT
https://wiki.jenkins-ci.org/display/SECURITY/Jenk…	x_refsource_CONFIRM

Date Public ?

2015-11-18 00:00

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T06:41:09.293Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "RHSA-2016:0489",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2016-0489.html"
          },
          {
            "name": "RHSA-2016:0070",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2016:0070"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2015-11-18T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross-site scripting (XSS) vulnerability in the slave overview page in Jenkins before 1.638 and LTS before 1.625.2 allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via the slave offline status message."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2016-06-09T16:57:01.000Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "RHSA-2016:0489",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2016-0489.html"
        },
        {
          "name": "RHSA-2016:0070",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2016:0070"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2015-5326",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Cross-site scripting (XSS) vulnerability in the slave overview page in Jenkins before 1.638 and LTS before 1.625.2 allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via the slave offline status message."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "RHSA-2016:0489",
              "refsource": "REDHAT",
              "url": "http://rhn.redhat.com/errata/RHSA-2016-0489.html"
            },
            {
              "name": "RHSA-2016:0070",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2016:0070"
            },
            {
              "name": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11",
              "refsource": "CONFIRM",
              "url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2015-5326",
    "datePublished": "2015-11-25T20:00:00.000Z",
    "dateReserved": "2015-07-01T00:00:00.000Z",
    "dateUpdated": "2024-08-06T06:41:09.293Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2015-5319 (GCVE-0-2015-5319)

Vulnerability from cvelistv5 – Published: 2015-11-25 20:00 – Updated: 2024-08-06 06:41

Summary

XML external entity (XXE) vulnerability in the create-job CLI command in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to read arbitrary files via a crafted job configuration that is then used in an "XML-aware tool," as demonstrated by get-job and update-job.

Severity ?

No CVSS data available.

CWE

Assigner

redhat

References

3 references

URL	Tags
http://rhn.redhat.com/errata/RHSA-2016-0489.html	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2016:0070	vendor-advisoryx_refsource_REDHAT
https://wiki.jenkins-ci.org/display/SECURITY/Jenk…	x_refsource_CONFIRM

Date Public ?

2015-11-18 00:00

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T06:41:09.531Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "RHSA-2016:0489",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2016-0489.html"
          },
          {
            "name": "RHSA-2016:0070",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2016:0070"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2015-11-18T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "XML external entity (XXE) vulnerability in the create-job CLI command in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to read arbitrary files via a crafted job configuration that is then used in an \"XML-aware tool,\" as demonstrated by get-job and update-job."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2016-06-09T16:57:01.000Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "RHSA-2016:0489",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2016-0489.html"
        },
        {
          "name": "RHSA-2016:0070",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2016:0070"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2015-5319",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "XML external entity (XXE) vulnerability in the create-job CLI command in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to read arbitrary files via a crafted job configuration that is then used in an \"XML-aware tool,\" as demonstrated by get-job and update-job."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "RHSA-2016:0489",
              "refsource": "REDHAT",
              "url": "http://rhn.redhat.com/errata/RHSA-2016-0489.html"
            },
            {
              "name": "RHSA-2016:0070",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2016:0070"
            },
            {
              "name": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11",
              "refsource": "CONFIRM",
              "url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2015-5319",
    "datePublished": "2015-11-25T20:00:00.000Z",
    "dateReserved": "2015-07-01T00:00:00.000Z",
    "dateUpdated": "2024-08-06T06:41:09.531Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2015-5317 (GCVE-0-2015-5317)

Vulnerability from cvelistv5 – Published: 2015-11-25 20:00 – Updated: 2025-10-21 23:55

Summary

The Fingerprints pages in Jenkins before 1.638 and LTS before 1.625.2 might allow remote attackers to obtain sensitive job and build name information via a direct request.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE

Assigner

redhat

References

3 references

URL	Tags
http://rhn.redhat.com/errata/RHSA-2016-0489.html	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2016:0070	vendor-advisoryx_refsource_REDHAT
https://wiki.jenkins-ci.org/display/SECURITY/Jenk…	x_refsource_CONFIRM

Date Public ?

2015-11-18 00:00

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T06:41:09.278Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "RHSA-2016:0489",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2016-0489.html"
          },
          {
            "name": "RHSA-2016:0070",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2016:0070"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2015-5317",
                "options": [
                  {
                    "Exploitation": "active"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-07T13:39:09.671765Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          },
          {
            "other": {
              "content": {
                "dateAdded": "2023-05-12",
                "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2015-5317"
              },
              "type": "kev"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-200",
                "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-21T23:55:56.897Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "government-resource"
            ],
            "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2015-5317"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2023-05-12T00:00:00.000Z",
            "value": "CVE-2015-5317 added to CISA KEV"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2015-11-18T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "The Fingerprints pages in Jenkins before 1.638 and LTS before 1.625.2 might allow remote attackers to obtain sensitive job and build name information via a direct request."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2016-06-09T16:57:01.000Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "RHSA-2016:0489",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2016-0489.html"
        },
        {
          "name": "RHSA-2016:0070",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2016:0070"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2015-5317",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The Fingerprints pages in Jenkins before 1.638 and LTS before 1.625.2 might allow remote attackers to obtain sensitive job and build name information via a direct request."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "RHSA-2016:0489",
              "refsource": "REDHAT",
              "url": "http://rhn.redhat.com/errata/RHSA-2016-0489.html"
            },
            {
              "name": "RHSA-2016:0070",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2016:0070"
            },
            {
              "name": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11",
              "refsource": "CONFIRM",
              "url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2015-5317",
    "datePublished": "2015-11-25T20:00:00.000Z",
    "dateReserved": "2015-07-01T00:00:00.000Z",
    "dateUpdated": "2025-10-21T23:55:56.897Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2015-5320 (GCVE-0-2015-5320)

Vulnerability from cvelistv5 – Published: 2015-11-25 20:00 – Updated: 2024-08-06 06:41

Summary

Jenkins before 1.638 and LTS before 1.625.2 do not properly verify the shared secret used in JNLP slave connections, which allows remote attackers to connect as slaves and obtain sensitive information or possibly gain administrative access by leveraging knowledge of the name of a slave.

Severity ?

No CVSS data available.

CWE

Assigner

redhat

References

3 references

URL	Tags
http://rhn.redhat.com/errata/RHSA-2016-0489.html	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2016:0070	vendor-advisoryx_refsource_REDHAT
https://wiki.jenkins-ci.org/display/SECURITY/Jenk…	x_refsource_CONFIRM

Date Public ?

2015-11-18 00:00

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T06:41:09.291Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "RHSA-2016:0489",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2016-0489.html"
          },
          {
            "name": "RHSA-2016:0070",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2016:0070"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2015-11-18T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Jenkins before 1.638 and LTS before 1.625.2 do not properly verify the shared secret used in JNLP slave connections, which allows remote attackers to connect as slaves and obtain sensitive information or possibly gain administrative access by leveraging knowledge of the name of a slave."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2016-06-09T16:57:01.000Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "RHSA-2016:0489",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2016-0489.html"
        },
        {
          "name": "RHSA-2016:0070",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2016:0070"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2015-5320",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Jenkins before 1.638 and LTS before 1.625.2 do not properly verify the shared secret used in JNLP slave connections, which allows remote attackers to connect as slaves and obtain sensitive information or possibly gain administrative access by leveraging knowledge of the name of a slave."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "RHSA-2016:0489",
              "refsource": "REDHAT",
              "url": "http://rhn.redhat.com/errata/RHSA-2016-0489.html"
            },
            {
              "name": "RHSA-2016:0070",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2016:0070"
            },
            {
              "name": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11",
              "refsource": "CONFIRM",
              "url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2015-5320",
    "datePublished": "2015-11-25T20:00:00.000Z",
    "dateReserved": "2015-07-01T00:00:00.000Z",
    "dateUpdated": "2024-08-06T06:41:09.291Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2015-5325 (GCVE-0-2015-5325)

Vulnerability from cvelistv5 – Published: 2015-11-25 20:00 – Updated: 2024-08-06 06:41

Summary

Jenkins before 1.638 and LTS before 1.625.2 allow attackers to bypass intended slave-to-master access restrictions by leveraging a JNLP slave. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-3665.

Severity ?

No CVSS data available.

CWE

Assigner

redhat

References

3 references

URL	Tags
http://rhn.redhat.com/errata/RHSA-2016-0489.html	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2016:0070	vendor-advisoryx_refsource_REDHAT
https://wiki.jenkins-ci.org/display/SECURITY/Jenk…	x_refsource_CONFIRM

Date Public ?

2015-11-18 00:00

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T06:41:09.530Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "RHSA-2016:0489",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2016-0489.html"
          },
          {
            "name": "RHSA-2016:0070",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2016:0070"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2015-11-18T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Jenkins before 1.638 and LTS before 1.625.2 allow attackers to bypass intended slave-to-master access restrictions by leveraging a JNLP slave. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-3665."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2016-06-09T16:57:01.000Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "RHSA-2016:0489",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2016-0489.html"
        },
        {
          "name": "RHSA-2016:0070",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2016:0070"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2015-5325",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Jenkins before 1.638 and LTS before 1.625.2 allow attackers to bypass intended slave-to-master access restrictions by leveraging a JNLP slave. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-3665."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "RHSA-2016:0489",
              "refsource": "REDHAT",
              "url": "http://rhn.redhat.com/errata/RHSA-2016-0489.html"
            },
            {
              "name": "RHSA-2016:0070",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2016:0070"
            },
            {
              "name": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11",
              "refsource": "CONFIRM",
              "url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2015-5325",
    "datePublished": "2015-11-25T20:00:00.000Z",
    "dateReserved": "2015-07-01T00:00:00.000Z",
    "dateUpdated": "2024-08-06T06:41:09.530Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2015-8103 (GCVE-0-2015-8103)

Vulnerability from cvelistv5 – Published: 2015-11-25 20:00 – Updated: 2024-08-06 08:13

Summary

The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary code via a crafted serialized Java object, related to a problematic webapps/ROOT/WEB-INF/lib/commons-collections-*.jar file and the "Groovy variant in 'ysoserial'".

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

12 references

URL	Tags
http://packetstormsecurity.com/files/134805/Jenki…	x_refsource_MISC
https://jenkins-ci.org/content/mitigating-unauthe…	x_refsource_CONFIRM
http://www.openwall.com/lists/oss-security/2015/1…	mailing-listx_refsource_MLIST
http://rhn.redhat.com/errata/RHSA-2016-0489.html	vendor-advisoryx_refsource_REDHAT
http://www.securityfocus.com/bid/77636	vdb-entryx_refsource_BID
http://www.openwall.com/lists/oss-security/2015/1…	mailing-listx_refsource_MLIST
https://access.redhat.com/errata/RHSA-2016:0070	vendor-advisoryx_refsource_REDHAT
https://www.exploit-db.com/exploits/38983/	exploitx_refsource_EXPLOIT-DB
http://foxglovesecurity.com/2015/11/06/what-do-we…	x_refsource_MISC
http://www.openwall.com/lists/oss-security/2015/11/09/5	mailing-listx_refsource_MLIST
https://wiki.jenkins-ci.org/display/SECURITY/Jenk…	x_refsource_CONFIRM
http://www.openwall.com/lists/oss-security/2015/11/18/2	mailing-listx_refsource_MLIST

Date Public ?

2015-11-06 00:00

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T08:13:31.034Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/134805/Jenkins-CLI-RMI-Java-Deserialization.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://jenkins-ci.org/content/mitigating-unauthenticated-remote-code-execution-0-day-jenkins-cli"
          },
          {
            "name": "[oss-security] 20151118 Re: CVE request: Jenkins remote code execution vulnerability due to unsafe deserialization",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2015/11/18/13"
          },
          {
            "name": "RHSA-2016:0489",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2016-0489.html"
          },
          {
            "name": "77636",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/77636"
          },
          {
            "name": "[oss-security] 20151118 Re: CVE request: Jenkins remote code execution vulnerability due to unsafe deserialization",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2015/11/18/11"
          },
          {
            "name": "RHSA-2016:0070",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2016:0070"
          },
          {
            "name": "38983",
            "tags": [
              "exploit",
              "x_refsource_EXPLOIT-DB",
              "x_transferred"
            ],
            "url": "https://www.exploit-db.com/exploits/38983/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/#jenkins"
          },
          {
            "name": "[oss-security] 20151109 CVE request: Jenkins remote code execution vulnerability due to unsafe deserialization",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2015/11/09/5"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11"
          },
          {
            "name": "[oss-security] 20151118 Re: CVE request: Jenkins remote code execution vulnerability due to unsafe deserialization",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2015/11/18/2"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2015-11-06T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary code via a crafted serialized Java object, related to a problematic webapps/ROOT/WEB-INF/lib/commons-collections-*.jar file and the \"Groovy variant in \u0027ysoserial\u0027\"."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2016-12-05T20:57:01.000Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/134805/Jenkins-CLI-RMI-Java-Deserialization.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://jenkins-ci.org/content/mitigating-unauthenticated-remote-code-execution-0-day-jenkins-cli"
        },
        {
          "name": "[oss-security] 20151118 Re: CVE request: Jenkins remote code execution vulnerability due to unsafe deserialization",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2015/11/18/13"
        },
        {
          "name": "RHSA-2016:0489",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2016-0489.html"
        },
        {
          "name": "77636",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/77636"
        },
        {
          "name": "[oss-security] 20151118 Re: CVE request: Jenkins remote code execution vulnerability due to unsafe deserialization",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2015/11/18/11"
        },
        {
          "name": "RHSA-2016:0070",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2016:0070"
        },
        {
          "name": "38983",
          "tags": [
            "exploit",
            "x_refsource_EXPLOIT-DB"
          ],
          "url": "https://www.exploit-db.com/exploits/38983/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/#jenkins"
        },
        {
          "name": "[oss-security] 20151109 CVE request: Jenkins remote code execution vulnerability due to unsafe deserialization",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2015/11/09/5"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11"
        },
        {
          "name": "[oss-security] 20151118 Re: CVE request: Jenkins remote code execution vulnerability due to unsafe deserialization",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2015/11/18/2"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2015-8103",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary code via a crafted serialized Java object, related to a problematic webapps/ROOT/WEB-INF/lib/commons-collections-*.jar file and the \"Groovy variant in \u0027ysoserial\u0027\"."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://packetstormsecurity.com/files/134805/Jenkins-CLI-RMI-Java-Deserialization.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/134805/Jenkins-CLI-RMI-Java-Deserialization.html"
            },
            {
              "name": "https://jenkins-ci.org/content/mitigating-unauthenticated-remote-code-execution-0-day-jenkins-cli",
              "refsource": "CONFIRM",
              "url": "https://jenkins-ci.org/content/mitigating-unauthenticated-remote-code-execution-0-day-jenkins-cli"
            },
            {
              "name": "[oss-security] 20151118 Re: CVE request: Jenkins remote code execution vulnerability due to unsafe deserialization",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2015/11/18/13"
            },
            {
              "name": "RHSA-2016:0489",
              "refsource": "REDHAT",
              "url": "http://rhn.redhat.com/errata/RHSA-2016-0489.html"
            },
            {
              "name": "77636",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/77636"
            },
            {
              "name": "[oss-security] 20151118 Re: CVE request: Jenkins remote code execution vulnerability due to unsafe deserialization",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2015/11/18/11"
            },
            {
              "name": "RHSA-2016:0070",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2016:0070"
            },
            {
              "name": "38983",
              "refsource": "EXPLOIT-DB",
              "url": "https://www.exploit-db.com/exploits/38983/"
            },
            {
              "name": "http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/#jenkins",
              "refsource": "MISC",
              "url": "http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/#jenkins"
            },
            {
              "name": "[oss-security] 20151109 CVE request: Jenkins remote code execution vulnerability due to unsafe deserialization",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2015/11/09/5"
            },
            {
              "name": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11",
              "refsource": "CONFIRM",
              "url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11"
            },
            {
              "name": "[oss-security] 20151118 Re: CVE request: Jenkins remote code execution vulnerability due to unsafe deserialization",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2015/11/18/2"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2015-8103",
    "datePublished": "2015-11-25T20:00:00.000Z",
    "dateReserved": "2015-11-09T00:00:00.000Z",
    "dateUpdated": "2024-08-06T08:13:31.034Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2015-5321 (GCVE-0-2015-5321)

Vulnerability from cvelistv5 – Published: 2015-11-25 20:00 – Updated: 2024-08-06 06:41

Summary

The sidepanel widgets in the CLI command overview and help pages in Jenkins before 1.638 and LTS before 1.625.2 allow remote attackers to obtain sensitive information via a direct request to the pages.

Severity ?

No CVSS data available.

CWE

Assigner

redhat

References

3 references

URL	Tags
http://rhn.redhat.com/errata/RHSA-2016-0489.html	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2016:0070	vendor-advisoryx_refsource_REDHAT
https://wiki.jenkins-ci.org/display/SECURITY/Jenk…	x_refsource_CONFIRM

Date Public ?

2015-11-18 00:00

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T06:41:09.341Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "RHSA-2016:0489",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2016-0489.html"
          },
          {
            "name": "RHSA-2016:0070",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2016:0070"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2015-11-18T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "The sidepanel widgets in the CLI command overview and help pages in Jenkins before 1.638 and LTS before 1.625.2 allow remote attackers to obtain sensitive information via a direct request to the pages."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2016-06-09T16:57:01.000Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "RHSA-2016:0489",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2016-0489.html"
        },
        {
          "name": "RHSA-2016:0070",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2016:0070"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2015-5321",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The sidepanel widgets in the CLI command overview and help pages in Jenkins before 1.638 and LTS before 1.625.2 allow remote attackers to obtain sensitive information via a direct request to the pages."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "RHSA-2016:0489",
              "refsource": "REDHAT",
              "url": "http://rhn.redhat.com/errata/RHSA-2016-0489.html"
            },
            {
              "name": "RHSA-2016:0070",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2016:0070"
            },
            {
              "name": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11",
              "refsource": "CONFIRM",
              "url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2015-5321",
    "datePublished": "2015-11-25T20:00:00.000Z",
    "dateReserved": "2015-07-01T00:00:00.000Z",
    "dateUpdated": "2024-08-06T06:41:09.341Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2015-5322 (GCVE-0-2015-5322)

Vulnerability from cvelistv5 – Published: 2015-11-25 20:00 – Updated: 2024-08-06 06:41

Summary

Directory traversal vulnerability in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to list directory contents and read arbitrary files in the Jenkins servlet resources via directory traversal sequences in a request to jnlpJars/.

Severity ?

No CVSS data available.

CWE

Assigner

redhat

References

3 references

URL	Tags
http://rhn.redhat.com/errata/RHSA-2016-0489.html	vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2016:0070	vendor-advisoryx_refsource_REDHAT
https://wiki.jenkins-ci.org/display/SECURITY/Jenk…	x_refsource_CONFIRM

Date Public ?

2015-11-18 00:00

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T06:41:09.367Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "RHSA-2016:0489",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2016-0489.html"
          },
          {
            "name": "RHSA-2016:0070",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2016:0070"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2015-11-18T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Directory traversal vulnerability in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to list directory contents and read arbitrary files in the Jenkins servlet resources via directory traversal sequences in a request to jnlpJars/."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2016-06-09T16:57:01.000Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "RHSA-2016:0489",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2016-0489.html"
        },
        {
          "name": "RHSA-2016:0070",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2016:0070"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2015-5322",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Directory traversal vulnerability in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to list directory contents and read arbitrary files in the Jenkins servlet resources via directory traversal sequences in a request to jnlpJars/."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "RHSA-2016:0489",
              "refsource": "REDHAT",
              "url": "http://rhn.redhat.com/errata/RHSA-2016-0489.html"
            },
            {
              "name": "RHSA-2016:0070",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2016:0070"
            },
            {
              "name": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11",
              "refsource": "CONFIRM",
              "url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2015-5322",
    "datePublished": "2015-11-25T20:00:00.000Z",
    "dateReserved": "2015-07-01T00:00:00.000Z",
    "dateUpdated": "2024-08-06T06:41:09.367Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

WID-SEC-W-2023-1215

CVE-2015-5323 (GCVE-0-2015-5323)

CVE-2015-5324 (GCVE-0-2015-5324)

CVE-2015-5318 (GCVE-0-2015-5318)

CVE-2015-5326 (GCVE-0-2015-5326)

CVE-2015-5319 (GCVE-0-2015-5319)

CVE-2015-5317 (GCVE-0-2015-5317)

CVE-2015-5320 (GCVE-0-2015-5320)

CVE-2015-5325 (GCVE-0-2015-5325)

CVE-2015-8103 (GCVE-0-2015-8103)

CVE-2015-5321 (GCVE-0-2015-5321)

CVE-2015-5322 (GCVE-0-2015-5322)

Tags

Sightings

Nomenclature