CVE-2015-5317
published 2015-11-25CVE-2015-5317: The Fingerprints pages in Jenkins before 1.638 and LTS before 1.625.2 might allow remote attackers to obtain sensitive job and build name information via a…
PriorityP277high7.5CVSS 3.1
AVNACLPRNUINSUCHINAN
KEVITW
CISA Known Exploited Vulnerabilitydue 2023-06-02
Exploited in the wild
EPSS
22.43%
97.4th percentile
The Fingerprints pages in Jenkins before 1.638 and LTS before 1.625.2 might allow remote attackers to obtain sensitive job and build name information via a direct request.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jenkins | jenkins | <= 1.637 | — |
| jenkins | jenkins | <= 1.625.1 | — |
| jenkins | jenkins_core | — | — |
| jenkins | jenkins_lts | — | — |
| redhat | openshift | <= 3.1 | — |
| redhat | openshift | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Detect direct requests to Jenkins Fingerprints pages, which may indicate exploitation of the information disclosure vulnerability ↗
- →Monitor for unauthenticated or unauthorized access to Jenkins Fingerprints UI pages, which expose job and build names to users who should not have access ↗
- ·Vulnerability affects Jenkins versions before 1.638 (main line) and LTS before 1.625.2; ensure patched versions are deployed ↗
- ·Information disclosed is limited to job and build names; no direct control mechanism exists for users over what is revealed via Fingerprints pages ↗
CVSS provenance
nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:P/I:N/A:N
vulncheck7.5HIGH
cisa7.5HIGH
vendor_redhat7.5HIGH
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
CISA
Jenkins User Interface (UI) Information Disclosure Vulnerability
cisa·2023-05-12·CVSS 7.5
CVE-2015-5317 [HIGH] CWE-200 Jenkins User Interface (UI) Information Disclosure Vulnerability
Vulnerability: Jenkins User Interface (UI) Information Disclosure Vulnerability
Affected: Jenkins Jenkins User Interface (UI)
Jenkins User Interface (UI) contains an information disclosure vulnerability that allows users to see the names of jobs and builds otherwise inaccessible to them on the "Fingerprints" pages.
Required Action: Apply updates per vendor instructions.
Notes: https://www.jenkins.io/security/advisory/2015-11-11/; https://nvd.nist.gov/vuln/detail/CVE-2015-5317
Remediation Due Date: 2023-06-02
Red Hat
jenkins: Project name disclosure via fingerprints (SECURITY-153)
vendor_redhat·2015-11-11·CVSS 7.5
CVE-2015-5317 [HIGH] jenkins: Project name disclosure via fingerprints (SECURITY-153)
jenkins: Project name disclosure via fingerprints (SECURITY-153)
The Fingerprints pages in Jenkins before 1.638 and LTS before 1.625.2 might allow remote attackers to obtain sensitive job and build name information via a direct request.
Jenkins
Jenkins Security Advisory 2015-11-11
vendor_jenkins·2015-11-11·CVSS 7.5
CVE-2014-3665 [HIGH] Jenkins Security Advisory 2015-11-11
Title: Jenkins Security Advisory 2015-11-11
Jenkins Security Advisory 2015-11-11
This advisory announces multiple vulnerabilities in Jenkins.
Description
Project name disclosure via fingerprints
SECURITY-153 / CVE-2015-5317
The Jenkins UI allowed users to see the names of jobs and builds otherwise inaccessible to them on the "Fingerprints" pages if those shared file fingerprints with fingerprinted files in accessible jobs.
Public value used for CSRF protection salt
SECURITY-169 / CVE-2015-5318
The salt used to generate the CSRF protection tokens was a publicly accessible value, allowing malicious users to circumvent CSRF protection by generating the correct token.
XXE injection into job configurations via CLI
SECURITY-173 / CVE-20
VulDB
CloudBees Jenkins up to 1.637 Fingerprints Pages information disclosure (RHSA-2016:0070 / ID 11549)
vuldb·2026-04-22·CVSS 7.5
CVE-2015-5317 [HIGH] CloudBees Jenkins up to 1.637 Fingerprints Pages information disclosure (RHSA-2016:0070 / ID 11549)
A vulnerability was found in CloudBees Jenkins up to 1.637. It has been rated as problematic. The impacted element is an unknown function of the component Fingerprints Pages. Performing a manipulation results in information disclosure.
This vulnerability is reported as CVE-2015-5317. The attack is possible to be carried out remotely. Moreover, an exploit is present.
Upgrading the affected component is advised.
OSV
Jenkins discloses project names via fingerprints
osv·2022-05-13
CVE-2015-5317 [HIGH] Jenkins discloses project names via fingerprints
Jenkins discloses project names via fingerprints
The Fingerprints pages in Jenkins before 1.638 and LTS before 1.625.2 might allow remote attackers to obtain sensitive job and build name information via a direct request.
GHSA
Jenkins discloses project names via fingerprints
ghsa·2022-05-13
CVE-2015-5317 [HIGH] CWE-200 Jenkins discloses project names via fingerprints
Jenkins discloses project names via fingerprints
The Fingerprints pages in Jenkins before 1.638 and LTS before 1.625.2 might allow remote attackers to obtain sensitive job and build name information via a direct request.
VulnCheck
Jenkins User Interface (UI) Information Disclosure Vulnerability
vulncheck·2015·CVSS 7.5
CVE-2015-5317 [HIGH] CWE-200 Jenkins User Interface (UI) Information Disclosure Vulnerability
Jenkins User Interface (UI) Information Disclosure Vulnerability
Jenkins User Interface (UI) contains an information disclosure vulnerability that allows users to see the names of jobs and builds otherwise inaccessible to them on the "Fingerprints" pages.
Affected: Jenkins Jenkins User Interface (UI)
Required Action: Apply updates per vendor instructions.
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://thedfirreport.com/2023/12/18/lets-opendir-some-presents-an-analysis-of-a-persistent-actors-activity/; https://redalert.nshc.net/2024/03/19/activity-of-hacking-group-targeted-financial-industry-in-2023-kor/; https://redalert.nshc.net/2024/04/12/activity-of-hacking-group-targeted-financial-industry-in-2023-eng/
Remediat
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2015-5317 jenkins: Project name disclosure via fingerprints (SECURITY-153)
bugzilla·2015-11-16·CVSS 7.5
CVE-2015-5317 [HIGH] CVE-2015-5317 jenkins: Project name disclosure via fingerprints (SECURITY-153)
CVE-2015-5317 jenkins: Project name disclosure via fingerprints (SECURITY-153)
The following flaw was found in Jenkins:
The Jenkins UI allowed users to see the names of jobs and builds otherwise inaccessible to them on the "Fingerprints" pages if those shared file fingerprints with fingerprinted files in accessible jobs.
Users have no control over which information they see, and the kind of information revealed is very limited.
External References:
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11
Discussion:
Fixed in Fedora in:
jenkins-1.609.3-3.fc22
jenkins-1.625.2-2.fc23
jenkins-1.625.2-2.fc24
---
This issue has been addressed in the following products:
RHEL 7 Version of OpenShift Enterprise 3.1
Via RHSA-2016:0070 https://access.redhat.com/err
Dfir Report
Lets Open(Dir) Some Presents: An Analysis of a Persistent Actor’s Activity
blogs_dfir_report·2023-12-18
Lets Open(Dir) Some Presents: An Analysis of a Persistent Actor’s Activity
From a Single Click: How Lunar Spider Enabled a Near Two-Month Intrusion Read More
- dragonforce Blurring the Lines: Intrusion Shows Connection With Three Major Ransomware Gangs Read More
Services Overview
Threat Hunting
-
Integration
CTI Program Advisory
Incident Response Playbook
About us
Contact Us
Collaboration
Careers
Analysts
Access DFIR Labs
Get in Touch
Public Reports
Products Overview
Threat intel Overview
Threat Feed
Private DFIR Reports
All Intel
Active Defense
DFIR Labs
Case Artifacts
Detection Pack
AI Training Ground
Service Overview
Threat Hunting
Integration
CTI Program Advisory
Incident Response Playbook
Company Overview
About us
Contact Us
Careers
Analyst
SQL Brute Force Leads to BlueSky Ransomware
From OneNote to RansomNote: An Ice Col
http://rhn.redhat.com/errata/RHSA-2016-0489.htmlhttps://access.redhat.com/errata/RHSA-2016:0070https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11http://rhn.redhat.com/errata/RHSA-2016-0489.htmlhttps://access.redhat.com/errata/RHSA-2016:0070https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2015-5317
2015-11-25
Published
2023-05-12
Added to CISA KEV
Exploited in the wild