Description
Jenkins before 1.638 and LTS before 1.625.2 do not properly restrict access to API tokens which might allow remote administrators to gain privileges and run scripts by using an API token of another user.
References (3)
Core 3
Core References
Vendor Advisory vendor-advisory
x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2016-0489.html
Vendor Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2016:0070
Vendor Advisory x_refsource_confirm
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11
Scores
EPSS
0.0016
EPSS Percentile
37.1%
Details
CWE
CWE-264
Status
published
Products (5)
jenkins/jenkins
< 1.625.1
jenkins/jenkins
< 1.637
org.jenkins-ci.main/jenkins-core
0 - 1.625.2Maven
redhat/openshift
2.0
redhat/openshift
< 3.1
Published
Nov 25, 2015
Tracked Since
Feb 18, 2026