CVE-2015-5323
Jenkins allows Administrators to Access API Tokens
EPSS 0.17%
Description
Jenkins before 1.638 and LTS before 1.625.2 do not properly restrict access to API tokens, which might allow remote administrators to gain privileges and run scripts by using an API token of another user.
How to fix CVE-2015-5323
To remediate CVE-2015-5323, upgrade the affected package to a fixed version below.
- Maven/org.jenkins-ci.main:jenkins-core—upgrade to 1.625.2 or later
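The description gives two fixed versions (1.638, and 1.625.2 for LTS), while the package range lists only 1.625.2. The following check is an added example, not code from Jenkins or from this advisory; it classifies a version against both and flags versions that a plain ">= 1.625.2" comparison would wrongly pass. The host names and inventory are constructed, and treating the LTS fix line as 1.625.x is an assumption drawn from the description.

```python
import re

WEEKLY_FIX = (1, 638)     # description: "Jenkins before 1.638"
LTS_FIX = (1, 625, 2)     # description: "LTS before 1.625.2"
LTS_LINE_END = (1, 626)   # assumption: fixed LTS releases stay on 1.625.x


def parse_version(text):
    """Turn '1.625.2' into (1, 625, 2); reject anything that is not numeric."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){1,2}", text):
        raise ValueError(f"unrecognised Jenkins version: {text!r}")
    return tuple(int(part) for part in text.split("."))


def is_fixed(version):
    """True if the version carries the fix on either release line."""
    v = parse_version(version)
    return v >= WEEKLY_FIX or LTS_FIX <= v < LTS_LINE_END


def range_check_says_fixed(version):
    """The single '< 1.625.2' range from the package listing, applied as-is."""
    return parse_version(version) >= LTS_FIX


def audit(inventory):
    """Map each host to 'fixed', 'vulnerable', a range-check miss, or 'unknown'."""
    report = {}
    for host, version in inventory.items():
        try:
            if is_fixed(version):
                report[host] = "fixed"
            elif range_check_says_fixed(version):
                report[host] = "vulnerable (passes range check)"
            else:
                report[host] = "vulnerable"
        except ValueError:
            report[host] = "unknown"
    return report


# Constructed inventory: host name -> reported Jenkins core version.
SAMPLE = {"ci-a": "1.625.1", "ci-b": "1.625.2", "ci-c": "1.630",
          "ci-d": "1.638", "ci-e": "1.625.2-SNAPSHOT"}

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {SAMPLE[host]} -> {status}")
```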
Is CVE-2015-5323 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 1.625.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N |