CVE-2015-5318Cross-Site Request Forgery in Jenkins

CWE-352Cross-Site Request Forgery7 documents7 sources
Severity
6.8MEDIUMNVD
EPSS
0.1%
top 81.95%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
JenkinsRedhat Openshift
Timeline
PublishedNov 25
Latest updateMay 13

Description

Jenkins before 1.638 and LTS before 1.625.2 uses a publicly accessible salt to generate CSRF protection tokens, which makes it easier for remote attackers to bypass the CSRF protection mechanism via a brute force attack.

CVSS vector

AV:N/AC:M/C:P/I:P/A:PExploitability: 8.6 | Impact: 6.4

Affected Packages2 packages

NVDjenkins/jenkins1.637+1
NVDredhat/openshift3.1+1

🔴Vulnerability Details

3
OSV
Jenkins Vulnerable to Cross-Site Request Forgery (CSRF) Attack2022-05-13
GHSA
Jenkins Vulnerable to Cross-Site Request Forgery (CSRF) Attack2022-05-13
CVEList
CVE-2015-5318: Jenkins before 12015-11-25

📋Vendor Advisories

2
Jenkins
Jenkins Security Advisory 2015-11-112015-11-11
Red Hat
jenkins: Public value used for CSRF protection salt (SECURITY-169)2015-11-11

💬Community

1
Bugzilla
CVE-2015-5318 jenkins: Public value used for CSRF protection salt (SECURITY-169)2015-11-16
CVE-2015-5318 — Cross-Site Request Forgery in Jenkins | cvebase