CVE-2015-5317
Published: 25 November 2015
Summary
CVE-2015-5317 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Jenkins. Its CVSS base score is 7.5 (High).
Operationally, it is ranked in the top 2.6% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Deeper analysis
The vulnerability CVE-2015-5317 is an information exposure issue affecting the Fingerprints pages in Jenkins versions prior to 1.638 and LTS versions prior to 1.625.2. It is classified under CWE-200 with a CVSS score of 7.5, indicating a network-accessible flaw without authentication requirements that impacts confidentiality.
Remote attackers can exploit this by making direct requests to the affected pages, potentially obtaining sensitive details about job and build names without any user interaction or privileges.
Advisories from Jenkins and Red Hat, including the Jenkins Security Advisory 2015-11-11 and RHSA-2016-0489, recommend updating to the fixed versions to close the exposure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2015-5288
Vulnerability details
The Fingerprints pages in Jenkins before 1.638 and LTS before 1.625.2 might allow remote attackers to obtain sensitive job and build name information via a direct request.
- CWE(s): CWE-200
- KEV Date Added: 12 May 2023
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- Directly enforces authorization checks on the Fingerprints pages so that unauthenticated remote requests cannot retrieve sensitive job and build names.
- Requires prompt application of the Jenkins patches (1.638 / 1.625.2) that close the information-exposure flaw.
- Limits the privileges granted to anonymous or low-trust subjects, reducing the chance they can reach the unprotected Fingerprints endpoints.