CVE-2015-1814 — Incorrect Privilege Assignment in Jenkins

CWE-264 CWE-266 — Incorrect Privilege Assignment CWE-284 — Improper Access Control8 documents7 sources

Severity

7.5HIGHNVD

EPSS

0.2%

top 52.90%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Redhat Openshift

Timeline

PublishedOct 16

Latest updateMay 17

Description

The API token-issuing service in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to gain privileges via a "forced API token change" involving anonymous users.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages2 packages

▶NVDjenkins/jenkins1.605+1

▶NVDredhat/openshift3.1

🔴Vulnerability Details

OSV

Jenkins allows for Privilege Escalation by Remote Authenticated Users↗2022-05-17

▶

GHSA

Jenkins allows for Privilege Escalation by Remote Authenticated Users↗2022-05-17

▶

CVEList

CVE-2015-1814: The API token-issuing service in Jenkins before 1↗2015-10-16

▶

📋Vendor Advisories

Jenkins

Jenkins Security Advisory 2015-03-23↗2015-03-23

▶

Red Hat

jenkins: forced API token change (SECURITY-180)↗2015-03-23

▶

💬Community

Bugzilla

CVE-2015-1806 CVE-2015-1807 CVE-2015-1813 CVE-2015-1812 CVE-2015-1811 CVE-2015-1810 CVE-2015-1808 CVE-2015-1809 CVE-2015-1814 jenkins: various flaws [fedora-all]↗2015-03-25

▶

Bugzilla

CVE-2015-1814 jenkins: forced API token change (SECURITY-180)↗2015-03-25

▶