CVE-2015-5323 — Insufficiently Protected Credentials in Jenkins

CWE-264 CWE-522 — Insufficiently Protected Credentials7 documents7 sources

Severity

6.5MEDIUMNVD

EPSS

0.2%

top 57.81%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Redhat Openshift

Timeline

PublishedNov 25

Latest updateMay 13

Description

Jenkins before 1.638 and LTS before 1.625.2 do not properly restrict access to API tokens which might allow remote administrators to gain privileges and run scripts by using an API token of another user.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 8.0 | Impact: 6.4

Affected Packages2 packages

▶NVDjenkins/jenkins1.625.1+1

▶NVDredhat/openshift3.1+1

🔴Vulnerability Details

GHSA

Jenkins allows Administrators to Access API Tokens↗2022-05-13

▶

OSV

Jenkins allows Administrators to Access API Tokens↗2022-05-13

▶

CVEList

CVE-2015-5323: Jenkins before 1↗2015-11-25

▶

📋Vendor Advisories

Jenkins

Jenkins Security Advisory 2015-11-11↗2015-11-11

▶

Red Hat

jenkins: API tokens of other users available to admins (SECURITY-200)↗2015-11-11

▶

💬Community

Bugzilla

CVE-2015-5323 jenkins: API tokens of other users available to admins (SECURITY-200)↗2015-11-16

▶