CVE-2015-5322: Path Traversal
First published: Mon Nov 16 2015(Updated: )
Directory traversal vulnerability in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to list directory contents and read arbitrary files in the Jenkins servlet resources via directory traversal sequences in a request to jnlpJars/.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/Jenkins | <1.638 | 1.638 |
| redhat/Jenkins | <1.625.2 | 1.625.2 |
| Red Hat OpenShift | <=3.1 | |
| Red Hat OpenShift | =2.0 | |
| Jenkins LTS | <=1.637 | |
| Jenkins LTS | <=1.625.1 | |
| maven/org.jenkins-ci.main:jenkins-core | <1.625.2 | 1.625.2 |
| maven/org.jenkins-ci.main:jenkins-core | >=1.626<1.638 | 1.638 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11
- https://access.redhat.com/errata/RHSA-2016:0070
- https://rhn.redhat.com/errata/RHSA-2016-0489.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1282365
- http://rhn.redhat.com/errata/RHSA-2016-0489.html
- https://nvd.nist.gov/vuln/detail/CVE-2015-5322
- https://github.com/jenkinsci/jenkins/commit/5431e397216b4ab80e58bdabcb06a0066bce6592
- https://github.com/advisories/GHSA-89vc-7frq-2rfj (Advisory)
Frequently Asked Questions
What is the severity of CVE-2015-5322?
CVE-2015-5322 has a medium severity rating as it allows directory traversal which can lead to unauthorized access to sensitive files.
How do I fix CVE-2015-5322?
To remediate CVE-2015-5322, upgrade Jenkins to version 1.638 or later, or to version 1.625.2 for LTS.
What kind of attacks can be performed using CVE-2015-5322?
Exploiting CVE-2015-5322 can allow attackers to list directory contents and read arbitrary files from the Jenkins server.
Which versions of Jenkins are affected by CVE-2015-5322?
Versions of Jenkins before 1.638 and LTS versions before 1.625.2 are vulnerable to CVE-2015-5322.
What components of Jenkins are impacted by CVE-2015-5322?
CVE-2015-5322 affects the Jenkins servlet resources accessed via the jnlpJars endpoint.
- agent/type
- agent/first-publish-date
- agent/severity
- agent/author
- agent/weakness
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2015-5322
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-89vc-7frq-2rfj
- agent/last-modified-date
- agent/references
- agent/softwarecombine
- agent/event
- collector/nvd-cve
- source/NVD
- agent/source
- agent/tags
- collector/github-advisory
- package-manager/redhat
- vendor/redhat
- canonical/red hat openshift
- version/red hat openshift/3.1
- version/red hat openshift/2.0
- vendor/jenkins
- canonical/jenkins lts
- version/jenkins lts/1.637
- version/jenkins lts/1.625.1
- package-manager/maven