⚠ Actively exploited
Added to CISA KEV on 2023-05-12. Federal agencies required to patch by 2023-06-02. Required action: Apply updates per vendor instructions..

CVE-2015-5317Sensitive Information Exposure in Jenkins

CWE-200Sensitive Information Exposure9 documents9 sources
Severity
7.5HIGHNVD
EPSS
27.4%
top 3.58%
CISA KEV
KEV
Added 2023-05-12
Due 2023-06-02
Exploit
Exploited in wild
Active exploitation observed
Affected products
2
JenkinsRedhat Openshift
Timeline
PublishedNov 25
KEV addedMay 12
KEV dueJun 2
CISA Required Action: Apply updates per vendor instructions.

Description

The Fingerprints pages in Jenkins before 1.638 and LTS before 1.625.2 might allow remote attackers to obtain sensitive job and build name information via a direct request.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

NVDjenkins/jenkins1.637+1
NVDredhat/openshift3.1+1

🔴Vulnerability Details

4
OSV
Jenkins discloses project names via fingerprints2022-05-13
GHSA
Jenkins discloses project names via fingerprints2022-05-13
CVEList
CVE-2015-5317: The Fingerprints pages in Jenkins before 12015-11-25
VulnCheck
Jenkins User Interface (UI) Information Disclosure Vulnerability2015

📋Vendor Advisories

3
CISA
Jenkins User Interface (UI) Information Disclosure Vulnerability2023-05-12
Red Hat
jenkins: Project name disclosure via fingerprints (SECURITY-153)2015-11-11
Jenkins
Jenkins Security Advisory 2015-11-112015-11-11

💬Community

1
Bugzilla
CVE-2015-5317 jenkins: Project name disclosure via fingerprints (SECURITY-153)2015-11-16
CVE-2015-5317 — Sensitive Information Exposure | cvebase