CVE-2015-7539 — Jenkins does not Verify Checksums for Plugin Files

Description

The Plugins Manager in Jenkins before 1.640 and LTS before 1.625.2 does not verify checksums for plugin files referenced in update site data, which makes it easier for man-in-the-middle attackers to execute arbitrary code via a crafted plugin.

How to fix CVE-2015-7539

To remediate CVE-2015-7539, upgrade the affected package to a fixed version below.

—upgrade to 1.625.2 or later

Is CVE-2015-7539 being exploited?

Low — EPSS is 0.8%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 1.625.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

References (10)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2015-7539
PATCHgithub.com/jenkinsci/jenkins
WEBrhn.redhat.com/errata/RHSA-2016-0489.html
WEBaccess.redhat.com/errata/RHSA-2016:0070
WEB