CVE-2015-5318

Jenkins before 1.638 and LTS before 1.625.2 uses a publicly accessible salt to generate CSRF protection tokens, which makes it easier for remote attackers to bypass the CSRF protection mechanism via a brute force attack.

Published Bysecalert@redhat.com

Published DateNov 25, 2015, 20:59

Affected Versions(2)

org.jenkins-ci.main:jenkins-core(Maven)

Introduced0

Fixed1.625.2

LimitN/A

org.jenkins-ci.main:jenkins-core(Maven)

Introduced1.626

Fixed1.638

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
org.jenkins-ci.main:jenkins-core(Maven)	0	1.625.2	N/A
org.jenkins-ci.main:jenkins-core(Maven)	1.626	1.638	N/A

Weakness Type (CWE):CWE-352

CVSS Metrics

Base Score

6.8

Vector String

AV:N/AC:M/Au:N/C:P/I:P/A:P

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

PARTIAL

Integrity (I)

PARTIAL

Availability (A)

PARTIAL

References

Weakness Type (CWE):CWE-352

CVSS Metrics

Base Score

6.8

Vector String

AV:N/AC:M/Au:N/C:P/I:P/A:P

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

PARTIAL

Integrity (I)

PARTIAL

Availability (A)

PARTIAL