CVE-2015-7539 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2015-7539

CVE-2015-7539

February 03, 2016

The Plugins Manager in Jenkins before 1.640 and LTS before 1.625.2 does not verify checksums for plugin files referenced in update site data, which makes it easier for man-in-the-middle attackers to execute arbitrary code via a crafted plugin.

Affected Packages

org.jenkins-ci.main:jenkins-core (JAVA):

Affected version(s) >=1.626 <1.640

Fix Suggestion:

Update to version 1.640

org.jenkins-ci.main:jenkins-core (JAVA):

Affected version(s) >=1.396 <1.625.2

Fix Suggestion:

Update to version 1.625.2

Related Resources (10)

https://github.com/jenkinsci/jenkins/commit/f99cb46e06f394637067730a82f46bddc3567295

https://github.com/jenkinsci/jenkins

https://github.com/jenkinsci/jenkins/commit/c158648afa8888bc49ac337c973d4e4bc050118e

https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-12-09

https://github.com/jenkinsci/jenkins/commit/9ec88357a354d8354728cc06e2b8c8b68aee58bf

http://rhn.redhat.com/errata/RHSA-2016-0489.html

https://nvd.nist.gov/vuln/detail/CVE-2015-7539

https://github.com/jenkinsci/jenkins/commit/97adb71aa4509f91e408a16ba312e817ec015cf4

https://access.redhat.com/errata/RHSA-2016:0070

https://github.com/jenkinsci/jenkins/commit/11479a2cc0a322a6bcd7e65667f3d24aa4d444bb

Do you need more information?

CVSS v4

Base Score:

7.7

Attack Vector

NETWORK

Attack Complexity

HIGH

Attack Requirements

NONE

Privileges Required

NONE

User Interaction

PASSIVE

Vulnerable System Confidentiality

HIGH

Vulnerable System Integrity

HIGH

Vulnerable System Availability

HIGH

Subsequent System Confidentiality

NONE

Subsequent System Integrity

NONE

Subsequent System Availability

NONE

CVSS v3

Base Score:

7.5

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

CVSS v2

Base Score:

7.6

Access Vector

NETWORK

Access Complexity

HIGH

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

Weakness Type (CWE)

Insufficient Verification of Data Authenticity

CWE-345

EPSS

Base Score:

1.04

Products

Solutions

Resources

Company

Compare

Developer Tools