Cyber Resilience

CVE-2015-5317

HighCISA KEVActive ExploitationEUVD Exploited

Published: 25 November 2015

Published
25 November 2015
Modified
22 April 2026
KEV Added
12 May 2023
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.3970 97.4th percentile
Risk Priority 59 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2015-5317 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Jenkins Jenkins. Its CVSS base score is 7.5 (High).

Operationally, ranked in the top 2.6% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

The vulnerability CVE-2015-5317 is an information exposure issue affecting the Fingerprints pages in Jenkins versions prior to 1.638 and LTS versions prior to 1.625.2. It is classified under CWE-200 with a CVSS score of 7.5, indicating a network-accessible flaw without authentication requirements that impacts confidentiality.

Remote attackers can exploit this by making direct requests to the affected pages, potentially obtaining sensitive details about job and build names without any user interaction or privileges.

Advisories from Jenkins and Red Hat, including the Jenkins Security Advisory 2015-11-11 and RHSA-2016-0489, recommend applying patches to update to the fixed versions to mitigate the exposure.

EU & UK References

Vulnerability details

The Fingerprints pages in Jenkins before 1.638 and LTS before 1.625.2 might allow remote attackers to obtain sensitive job and build name information via a direct request.

CWE(s)
KEV Date Added
12 May 2023

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

jenkins
jenkins
≤ 1.637 · ≤ 1.625.1
redhat
openshift
2.0 · ≤ 3.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces authorization checks on the Fingerprints pages so that unauthenticated remote requests cannot retrieve sensitive job and build names.

prevent

Requires prompt application of the Jenkins patches (1.638 / 1.625.2) that close the information-exposure flaw.

prevent

Limits the privileges granted to anonymous or low-trust subjects, reducing the chance they can reach the unprotected Fingerprints endpoints.

References