Description
Jenkins before 1.638 and LTS before 1.625.2 do not properly verify the shared secret used in JNLP slave connections, which allows remote attackers to connect as slaves and obtain sensitive information or possibly gain administrative access by leveraging knowledge of the name of a slave.
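A version-based triage check for the affected ranges stated in the description, as an added Python example that is not from this page or from the Jenkins project. It assumes the Jenkins version is read from the X-Jenkins HTTP response header (which Jenkins masters send) and tells LTS from weekly releases by the number of version components, comparing each against its own fix version (1.625.2 for LTS, 1.638 for weekly); the sample header values are constructed.

```python
import re
from typing import Dict, Optional, Tuple

# Fixed versions as stated in the CVE description: weekly 1.638, LTS 1.625.2.
FIXED_WEEKLY = (1, 638)
FIXED_LTS = (1, 625, 2)

# Leading numeric components; any vendor suffix (e.g. "-rhel") is ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_jenkins_version(raw: str) -> Optional[Tuple[int, ...]]:
    """Parse a Jenkins version string such as '1.625.1' (LTS) or '1.638' (weekly).

    Returns a tuple of ints, or None when the string does not look like a
    Jenkins version.
    """
    m = _VERSION_RE.match(raw.strip())
    if not m:
        return None
    parts = [int(m.group(1)), int(m.group(2))]
    if m.group(3) is not None:
        parts.append(int(m.group(3)))
    return tuple(parts)


def is_vulnerable(raw: str) -> Optional[bool]:
    """True if the version falls in the affected range, False if at or past
    the fix, None if unparseable.

    LTS releases carry three components (1.625.2) and weekly releases two
    (1.638), so the release line is chosen by component count and compared
    against its own fix version. 2.x versions sort above both fixes.
    """
    version = parse_jenkins_version(raw)
    if version is None:
        return None
    if len(version) == 3:
        return version < FIXED_LTS
    return version < FIXED_WEEKLY


def check_headers(headers: Dict[str, str]) -> Optional[bool]:
    """Triage a response from a Jenkins master using its X-Jenkins header.

    The lookup is case-insensitive because HTTP header names are. Returns
    None when the header is absent or unparseable.
    """
    for name, value in headers.items():
        if name.lower() == "x-jenkins":
            return is_vulnerable(value)
    return None


if __name__ == "__main__":
    # Constructed sample headers, not captured from a real host.
    samples = {
        "lts-old": {"X-Jenkins": "1.625.1", "Server": "Jetty(winstone-2.9)"},
        "lts-fixed": {"X-Jenkins": "1.625.2"},
        "weekly-old": {"x-jenkins": "1.637"},
        "weekly-fixed": {"X-Jenkins": "1.638"},
        "no-banner": {"Server": "nginx"},
    }
    for label, hdrs in samples.items():
        print(f"{label:>13}: vulnerable={check_headers(hdrs)}")
```

A banner check is only a first pass: a distribution build may carry a backported fix under an older version string, and the exposure only matters where the JNLP slave agent port is reachable by untrusted hosts, so confirm against the vendor advisories and the port's reachability before closing a finding.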
References (3)
Vendor Advisory (Red Hat): http://rhn.redhat.com/errata/RHSA-2016-0489.html
Vendor Advisory (Red Hat): https://access.redhat.com/errata/RHSA-2016:0070
Vendor Advisory (Jenkins, confirmed): https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11
Scores
EPSS
0.0012
EPSS Percentile
30.5%
Details
CWE
CWE-200
Status
published
Products (5)
jenkins/jenkins
< 1.625.1
jenkins/jenkins
< 1.637
org.jenkins-ci.main/jenkins-core
1.626 - 1.638 (Maven)
redhat/openshift
2.0
redhat/openshift
< 3.1
Published
Nov 25, 2015
Tracked Since
Feb 18, 2026