CVE-2015-5320: Jenkins allows Exposure of Sensitive Information to an Unauthorized Actor

May 13, 2022 (updated March 13, 2025)

Jenkins before 1.638 and LTS before 1.625.2 do not properly verify the shared secret used in JNLP slave connections, which allows remote attackers to connect as slaves and obtain sensitive information or possibly gain administrative access by leveraging knowledge of the name of a slave.

References

access.redhat.com/errata/RHSA-2016:0070
github.com/advisories/GHSA-449q-v4j2-5h8p
github.com/jenkinsci/jenkins
nvd.nist.gov/vuln/detail/CVE-2015-5320
wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11

Detect and mitigate CVE-2015-5320 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →