CVE-2015-1814

The API token-issuing service in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to gain privileges via a "forced API token change" involving anonymous users.

Published Bysecalert@redhat.com

Published DateOct 16, 2015, 20:59

Affected Versions(2)

org.jenkins-ci.main:jenkins-core(Maven)

Introduced1.597

Fixed1.606

LimitN/A

org.jenkins-ci.main:jenkins-core(Maven)

Introduced0

Fixed1.596.2

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
org.jenkins-ci.main:jenkins-core(Maven)	1.597	1.606	N/A
org.jenkins-ci.main:jenkins-core(Maven)	0	1.596.2	N/A

Weakness Type (CWE):CWE-264

CVSS Metrics

Base Score

7.5

Vector String

AV:N/AC:L/Au:N/C:P/I:P/A:P

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

PARTIAL

Integrity (I)

PARTIAL

Availability (A)

PARTIAL

References

Weakness Type (CWE):CWE-264

CVSS Metrics

Base Score

7.5

Vector String

AV:N/AC:L/Au:N/C:P/I:P/A:P

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

PARTIAL

Integrity (I)

PARTIAL

Availability (A)

PARTIAL