CVE-2015-5325 — Improper Access Control in Jenkins

CWE-284 — Improper Access Control8 documents7 sources

Severity

7.5HIGHNVD

CNA6.8GHSA6.8OSV6.8

EPSS

0.1%

top 67.93%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Redhat Openshift

Timeline

PublishedNov 25

Latest updateMay 13

Description

Jenkins before 1.638 and LTS before 1.625.2 allow attackers to bypass intended slave-to-master access restrictions by leveraging a JNLP slave. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-3665.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages2 packages

▶NVDjenkins/jenkins1.625.1+1

▶NVDredhat/openshift3.1+1

🔴Vulnerability Details

OSV

Jenkins allows Bypass of Access Restrictions↗2022-05-13

▶

GHSA

Jenkins allows Bypass of Access Restrictions↗2022-05-13

▶

CVEList

CVE-2015-5325: Jenkins before 1↗2015-11-25

▶

📋Vendor Advisories

Jenkins

Jenkins Security Advisory 2015-11-11↗2015-11-11

▶

Red Hat

jenkins: JNLP slaves not subject to slave-to-master access control (SECURITY-206)↗2015-11-11

▶

💬Community

Bugzilla

CVE-2015-5325 jenkins: JNLP slaves not subject to slave-to-master access control (SECURITY-206)↗2015-11-16

▶

Bugzilla

CVE-2011-5325 busybox: Path traversal via crafted tar file containing symlink↗2015-10-22

▶