Description
Jenkins before 1.638 and LTS before 1.625.2 do not properly restrict access to API tokens which might allow remote administrators to gain privileges and run scripts by using an API token of another user.
References (3)
Core 3
Core References
Vendor Advisory vendor-advisory
x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2016-0489.html
Vendor Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2016:0070
Vendor Advisory x_refsource_confirm
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11
Scores
EPSS
0.0149
EPSS Percentile
71.2%
Details
CWE
CWE-264
Status
published
Products (5)
jenkins/jenkins
< 1.625.1
jenkins/jenkins
< 1.637
org.jenkins-ci.main/jenkins-core
0 - 1.625.2Maven
redhat/openshift
2.0
redhat/openshift
< 3.1
Published
Nov 25, 2015
Tracked Since
Feb 18, 2026