CVE-2015-7537 — Jenkins Vulnerable to Cross-Site Request Forgery (CSRF) Attack

Description

Cross-site request forgery (CSRF) vulnerability in Jenkins before 1.640 and LTS before 1.625.2 allows remote attackers to hijack the authentication of administrators for requests that have unspecified impact via vectors related to the HTTP GET method.

How to fix CVE-2015-7537

To remediate CVE-2015-7537, upgrade the affected package to a fixed version below.

—upgrade to 1.640 or later

Is CVE-2015-7537 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 1.626, < 1.640

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.8	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2015-7537
PATCHgithub.com/jenkinsci/jenkins
WEBrhn.redhat.com/errata/RHSA-2016-0489.html
WEBaccess.redhat.com/errata/RHSA-2016:0070
WEB