CVE-2015-5317

Jenkins User Interface (UI) Information Disclosure Vulnerability

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

Yes

*KEV

Decision

Act

*SSVC

Descriptions

The Fingerprints pages in Jenkins before 1.638 and LTS before 1.625.2 might allow remote attackers to obtain sensitive job and build name information via a direct request.

Las páginas Fingerprints en Jenkins en versiones anteriores a 1.638 y LTS en versiones anteriores a 1.625.2 podrían permitir a atacantes remotos obtener trabajo sensible y construir la información de nombre a través de una petición directa.

OpenShift Enterprise by Red Hat is the company's cloud computing Platform-as-a-Service solution designed for on-premise or private cloud deployments. The following security issues are addressed with this release: An authorization flaw was discovered in Kubernetes; the API server did not properly check user permissions when handling certain requests. An authenticated remote attacker could use this flaw to gain additional access to resources such as RAM and disk space.

Jenkins User Interface (UI) contains an information disclosure vulnerability that allows users to see the names of jobs and builds otherwise inaccessible to them on the "Fingerprints" pages.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Act

Exploitation

Active

Automatable

Yes

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2015-07-01 CVE Reserved
2015-11-25 CVE Published
2023-05-12 Exploited in Wild
2023-06-02 KEV Due Date
2025-02-07 CVE Updated
2025-03-30 EPSS Updated
---------- First Exploit

CWE

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CAPEC

References (5)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
http://rhn.redhat.com/errata/RHSA-2016-0489.html	2019-12-17
https://access.redhat.com/errata/RHSA-2016:0070	2019-12-17
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11	2019-12-17
https://access.redhat.com/security/cve/CVE-2015-5317	2016-03-22
https://bugzilla.redhat.com/show_bug.cgi?id=1282359	2016-03-22

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Jenkins Search vendor "Jenkins"		Jenkins Search vendor "Jenkins" for product "Jenkins"				<= 1.637 Search vendor "Jenkins" for product "Jenkins" and version " <= 1.637"		-		Affected
Jenkins Search vendor "Jenkins"		Jenkins Search vendor "Jenkins" for product "Jenkins"				<= 1.625.1 Search vendor "Jenkins" for product "Jenkins" and version " <= 1.625.1"		lts		Affected
Redhat Search vendor "Redhat"		Openshift Search vendor "Redhat" for product "Openshift"				2.0 Search vendor "Redhat" for product "Openshift" and version "2.0"		-		Affected
Redhat Search vendor "Redhat"		Openshift Search vendor "Redhat" for product "Openshift"				<= 3.1 Search vendor "Redhat" for product "Openshift" and version " <= 3.1"		enterprise		Affected