CVE-2015-5320 — Sensitive Information Exposure in Jenkins

CWE-200 — Sensitive Information Exposure8 documents7 sources

Severity

5.0MEDIUMNVD

EPSS

0.2%

top 56.63%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Redhat Openshift

Timeline

PublishedNov 25

Latest updateMay 13

Description

Jenkins before 1.638 and LTS before 1.625.2 do not properly verify the shared secret used in JNLP slave connections, which allows remote attackers to connect as slaves and obtain sensitive information or possibly gain administrative access by leveraging knowledge of the name of a slave.

CVSS vector

AV:N/AC:L/C:P/I:N/A:NExploitability: 10.0 | Impact: 2.9

Affected Packages2 packages

▶NVDjenkins/jenkins1.637+1

▶NVDredhat/openshift3.1+1

🔴Vulnerability Details

GHSA

Jenkins allows Exposure of Sensitive Information to an Unauthorized Actor↗2022-05-13

▶

OSV

Jenkins allows Exposure of Sensitive Information to an Unauthorized Actor↗2022-05-13

▶

CVEList

CVE-2015-5320: Jenkins before 1↗2015-11-25

▶

📋Vendor Advisories

Jenkins

Jenkins Security Advisory 2015-11-11↗2015-11-11

▶

Red Hat

jenkins: Secret key not verified when connecting a slave (SECURITY-184)↗2015-11-11

▶

💬Community

Bugzilla

CVE-2015-5320 jenkins: Secret key not verified when connecting a slave (SECURITY-184)↗2015-11-16

▶

Bugzilla

CVE-2011-5320 glibc: scanf implementation crashes on certain inputs↗2015-02-26

▶