CVE-2015-7539: Jenkins does not Verify Checksums for Plugin Files
The Plugins Manager in Jenkins before 1.640 and LTS before 1.625.2 does not verify checksums for plugin files referenced in update site data, which makes it easier for man-in-the-middle attackers to execute arbitrary code via a crafted plugin.
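The description above boils down to a missing integrity check: the plugin manager fetched whatever bytes the download returned and installed them without comparing them to the checksum that the update site had already published for that file. The following Python example is added here to illustrate that gap and its fix; it is not Jenkins code, and the update-site layout it uses (a `plugins` map with a `url` and a hex `sha256` per entry), the plugin bytes, and the function names `install_unverified`, `install_verified` and `plugin_is_genuine` are all constructed for this illustration.

```python
"""Added example: checksum-verified plugin installation (constructed, not Jenkins code)."""
import hashlib
import hmac
import json

# Constructed plugin payloads: the file the update site published, and a different
# file returned for the same URL (the man-in-the-middle scenario in the advisory).
GOOD_PLUGIN = b"PK\x03\x04 constructed example-plugin archive"
TAMPERED_PLUGIN = b"PK\x03\x04 constructed example-plugin archive, modified in transit"


class ChecksumMismatch(Exception):
    """Raised when a downloaded plugin does not match the checksum in update-site data."""


def build_update_site(name: str, plugin_bytes: bytes) -> str:
    """Return constructed update-site JSON listing one plugin with its SHA-256.

    The layout ("plugins" map, "url" and hex "sha256" per entry) is an assumption
    made for this example, not the real Jenkins update-center format.
    """
    entry = {
        "url": f"https://updates.example.invalid/{name}.hpi",
        "sha256": hashlib.sha256(plugin_bytes).hexdigest(),
    }
    return json.dumps({"plugins": {name: entry}})


def install_unverified(update_site_json: str, name: str, downloaded: bytes) -> bytes:
    """Vulnerable pattern: look up the URL, then accept whatever was downloaded."""
    entry = json.loads(update_site_json)["plugins"][name]
    _ = entry["url"]  # only the URL is consulted; the published checksum is ignored
    return downloaded


def install_verified(update_site_json: str, name: str, downloaded: bytes) -> bytes:
    """Hardened pattern: refuse to install unless the file matches the published hash."""
    entry = json.loads(update_site_json)["plugins"][name]
    expected = entry["sha256"]
    actual = hashlib.sha256(downloaded).hexdigest()
    # Constant-time comparison; not essential for a public digest, but the idiomatic call.
    if not hmac.compare_digest(actual, expected):
        raise ChecksumMismatch(f"{name}: expected sha256 {expected}, got {actual}")
    return downloaded


def plugin_is_genuine(update_site_json: str, name: str, downloaded: bytes) -> bool:
    """Boolean wrapper around install_verified, convenient for audits and tests."""
    try:
        install_verified(update_site_json, name, downloaded)
        return True
    except ChecksumMismatch:
        return False


if __name__ == "__main__":
    site = build_update_site("example-plugin", GOOD_PLUGIN)
    print("unverified installer accepted tampered file:",
          install_unverified(site, "example-plugin", TAMPERED_PLUGIN) == TAMPERED_PLUGIN)
    print("verified installer accepts genuine file:",
          plugin_is_genuine(site, "example-plugin", GOOD_PLUGIN))
    print("verified installer accepts tampered file:",
          plugin_is_genuine(site, "example-plugin", TAMPERED_PLUGIN))
```

The check is only as strong as the metadata it compares against: a published checksum protects the download step only if the update-site data itself reaches the client over an authenticated channel (signed metadata or equivalent), otherwise an attacker who can replace the plugin can replace the checksum too. Operationally, a checksum mismatch on a plugin download is a signal worth alerting on rather than silently retrying, since it indicates either a corrupted mirror or interference on the path.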
References
- access.redhat.com/errata/RHSA-2016:0070
- github.com/advisories/GHSA-x274-9m9r-fm5g
- github.com/jenkinsci/jenkins
- github.com/jenkinsci/jenkins/commit/11479a2cc0a322a6bcd7e65667f3d24aa4d444bb
- github.com/jenkinsci/jenkins/commit/97adb71aa4509f91e408a16ba312e817ec015cf4
- github.com/jenkinsci/jenkins/commit/9ec88357a354d8354728cc06e2b8c8b68aee58bf
- github.com/jenkinsci/jenkins/commit/c158648afa8888bc49ac337c973d4e4bc050118e
- github.com/jenkinsci/jenkins/commit/f99cb46e06f394637067730a82f46bddc3567295
- nvd.nist.gov/vuln/detail/CVE-2015-7539
- wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-12-09