CVE-2015-5323: Jenkins allows Administrators to Access API Tokens

May 13, 2022 (updated March 13, 2025)

Jenkins before 1.638 and LTS before 1.625.2 do not properly restrict access to API tokens which might allow remote administrators to gain privileges and run scripts by using an API token of another user.

References

access.redhat.com/errata/RHSA-2016:0070
github.com/advisories/GHSA-x4m5-j4x4-4wjg
github.com/jenkinsci/jenkins
github.com/jenkinsci/jenkins/commit/b3f16489ad5f15c3e749ed066cf6b4251f6668c6
nvd.nist.gov/vuln/detail/CVE-2015-5323
wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11

Detect and mitigate CVE-2015-5323 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →