Vulnerability Description
Jenkins before 1.638 and LTS before 1.625.2 do not properly verify the shared secret used in JNLP slave connections, which allows remote attackers to connect as slaves and obtain sensitive information or possibly gain administrative access by leveraging knowledge of the name of a slave.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Redhat | Openshift | <= 3.1 |
| Jenkins | Jenkins | <= 1.637 |
Related Weaknesses (CWE)
References
- http://rhn.redhat.com/errata/RHSA-2016-0489.html
- https://access.redhat.com/errata/RHSA-2016:0070
- https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-1Vendor Advisory
- http://rhn.redhat.com/errata/RHSA-2016-0489.html
- https://access.redhat.com/errata/RHSA-2016:0070
- https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-1Vendor Advisory
FAQ
What is CVE-2015-5320?
CVE-2015-5320 is a vulnerability with a CVSS score of 5.0 (MEDIUM). Jenkins before 1.638 and LTS before 1.625.2 do not properly verify the shared secret used in JNLP slave connections, which allows remote attackers to connect as slaves and obtain sensitive information...
How severe is CVE-2015-5320?
CVE-2015-5320 has been rated MEDIUM with a CVSS base score of 5.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2015-5320?
Check the references section above for vendor advisories and patch information. Affected products include: Redhat Openshift, Jenkins Jenkins.