CVE-2015-5317 in Jenkinsinfo

Summary

by MITRE

The Fingerprints pages in Jenkins before 1.638 and LTS before 1.625.2 might allow remote attackers to obtain sensitive job and build name information via a direct request.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 04/22/2026

The vulnerability described in CVE-2015-5317 represents a critical information disclosure issue within the CloudBees Jenkins continuous integration platform. This flaw exists in the Fingerprints functionality, which is designed to track and manage build artifacts and their relationships within the Jenkins ecosystem. The vulnerability affects Jenkins versions prior to 1.638 for regular releases and 1.625.2 for Long Term Support versions, indicating a significant window of exposure for organizations using affected Jenkins installations. The security issue stems from inadequate access controls within the Fingerprints pages, which should normally be restricted to authorized users with appropriate permissions.

The technical exploitation of this vulnerability occurs through direct HTTP requests to specific endpoints within the Jenkins web interface. Attackers can craft malicious requests that bypass normal authentication mechanisms and directly access the Fingerprints pages, thereby obtaining sensitive information about job configurations and build names. This information disclosure represents a significant risk as job names and build details often contain proprietary project information, system architecture details, and potential attack vectors that could be leveraged in subsequent attacks. The vulnerability is classified under CWE-200, which specifically addresses "Information Exposure," and aligns with ATT&CK technique T1213.001 for "Data from Information Repositories" where adversaries gather information about systems and processes.

The operational impact of this vulnerability extends beyond simple information disclosure, as the leaked job and build name information can provide attackers with valuable reconnaissance data for planning more sophisticated attacks. Jenkins job names often contain meaningful information about project structure, development environments, and system components, making this intelligence particularly valuable for threat actors. The vulnerability essentially undermines the principle of least privilege by allowing unauthorized access to internal system metadata that should remain confidential. Organizations using Jenkins for sensitive development workloads face heightened risk of supply chain attacks, competitive intelligence gathering, and targeted exploitation attempts. The exposure of build information could reveal version control strategies, deployment patterns, and internal development practices that adversaries could exploit.

Mitigation strategies for CVE-2015-5317 primarily focus on immediate version upgrades to Jenkins 1.638 or LTS 1.625.2, which contain the necessary patches to address the access control flaw. Organizations should also implement network-level restrictions to limit access to Jenkins interfaces, particularly in environments where untrusted users might have network access. Additional controls include enforcing strong authentication mechanisms, implementing proper role-based access controls, and regularly auditing Jenkins configurations for unauthorized modifications. Security teams should conduct comprehensive vulnerability assessments to identify any other potential information disclosure issues within their Jenkins installations and related CI/CD pipelines. The remediation process should include validating that the patch has been properly applied and that access controls are functioning as intended. Organizations should also consider implementing web application firewalls and monitoring solutions to detect and prevent unauthorized access attempts to Jenkins administrative interfaces.

Reservation

07/01/2015

Disclosure

11/25/2015

Moderation

accepted

Entry

VDB-79318

CPE

ready

EPSS

0.22429

KEV

yes

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!