CVE-2015-7539 — Insufficient Verification of Data Authenticity in Jenkins

CWE-345 — Insufficient Verification of Data Authenticity8 documents7 sources

Severity

7.5HIGHNVD

EPSS

1.0%

top 22.53%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Redhat Openshift

Timeline

PublishedFeb 3

Latest updateMay 13

Description

The Plugins Manager in Jenkins before 1.640 and LTS before 1.625.2 does not verify checksums for plugin files referenced in update site data, which makes it easier for man-in-the-middle attackers to execute arbitrary code via a crafted plugin.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.6 | Impact: 5.9

Affected Packages2 packages

▶NVDjenkins/jenkins1.639+1

▶NVDredhat/openshift2.0, 3.1+1

🔴Vulnerability Details

GHSA

Jenkins does not Verify Checksums for Plugin Files↗2022-05-13

▶

OSV

Jenkins does not Verify Checksums for Plugin Files↗2022-05-13

▶

CVEList

CVE-2015-7539: The Plugins Manager in Jenkins before 1↗2016-02-03

▶

📋Vendor Advisories

Jenkins

Jenkins Security Advisory 2015-12-09↗2015-12-09

▶

Red Hat

jenkins: Jenkins plugin manager vulnerable to MITM attacks (SECURITY-234)↗2015-12-09

▶

💬Community

Bugzilla

CVE-2015-7536 CVE-2015-7537 CVE-2015-7538 CVE-2015-7539 jenkins: various flaws [fedora-all]↗2015-12-15

▶

Bugzilla

CVE-2015-7539 jenkins: Jenkins plugin manager vulnerable to MITM attacks (SECURITY-234)↗2015-12-15

▶