CVE-2015-1806
Jenkins allows for Privilege Escalation by Remote Authenticated Users
EPSS 0.64%
Description
The combination filter Groovy script in Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users with job configuration permission to gain privileges and execute arbitrary code on the master via unspecified vectors.
How to fix CVE-2015-1806
To remediate CVE-2015-1806, upgrade the affected package to a fixed version below.
- Maven/org.jenkins-ci.main:jenkins-core: upgrade to 1.600 or later
Is CVE-2015-1806 being exploited?
Low — EPSS is 0.6%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- Maven/org.jenkins-ci.main:jenkins-core: >= 1.597, < 1.600
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N |