{"id":"GHSA-3wmv-7php-rhg5","summary":"Jenkins Vulnerable to Cross-Site Request Forgery (CSRF) Attack","details":"Jenkins before 1.638 and LTS before 1.625.2 uses a publicly accessible salt to generate CSRF protection tokens, which makes it easier for remote attackers to bypass the CSRF protection mechanism via a brute force attack.","aliases":["CVE-2015-5318"],"modified":"2025-03-13T18:40:19.783974Z","published":"2022-05-13T01:30:06Z","database_specific":{"nvd_published_at":"2015-11-25T20:59:00Z","github_reviewed_at":"2025-03-13T17:52:47Z","severity":"LOW","github_reviewed":true,"cwe_ids":["CWE-352"]},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2015-5318"},{"type":"WEB","url":"https://github.com/jenkinsci/jenkins/commit/f53802bb82a25b295b6dfa3bf2a591a6c8552183"},{"type":"WEB","url":"https://access.redhat.com/errata/RHSA-2016:0070"},{"type":"PACKAGE","url":"https://github.com/jenkinsci/jenkins"},{"type":"WEB","url":"https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11"},{"type":"WEB","url":"http://rhn.redhat.com/errata/RHSA-2016-0489.html"}],"affected":[{"package":{"name":"org.jenkins-ci.main:jenkins-core","ecosystem":"Maven","purl":"pkg:maven/org.jenkins-ci.main/jenkins-core"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.625.2"}]}],"versions":["1.396","1.397","1.398","1.399","1.400","1.401","1.403","1.404","1.405","1.406","1.407","1.408","1.409","1.409.1","1.409.2","1.409.3","1.410","1.411","1.412","1.413","1.414","1.415","1.416","1.417","1.418","1.419","1.420","1.421","1.422","1.423","1.424","1.424.1","1.424.2","1.424.3","1.424.4","1.424.5","1.424.6","1.425","1.426","1.427","1.428","1.429","1.430","1.431","1.432","1.433","1.434","1.435","1.436","1.437","1.438","1.439","1.440","1.441","1.442","1.443","1.444","1.445","1.446","1.447","1.447.1","1.447.2","1.448","1.449","1.450","1.451","1.452","1.453","1.454","1.455","1.456","1.457","1.458","1.459","1.460","1.461","1.462","1.463","1.464","1.465","1.466","1.466.1","1.466.2","1.467","1.468","1.469","1.470","1.471","1.472","1.473","1.474","1.475","1.476","1.477","1.478","1.479","1.480","1.480.1","1.480.2","1.480.3","1.481","1.482","1.483","1.484","1.485","1.486","1.487","1.488","1.489","1.490","1.491","1.492","1.493","1.494","1.495","1.496","1.497","1.498","1.499","1.500","1.501","1.502","1.503","1.504","1.505","1.506","1.507","1.508","1.509","1.509.1","1.509.2","1.509.2.JENKINS-14362-jzlib","1.509.2.JENKINS-8856-diag","1.509.3","1.509.3.JENKINS-14362-jzlib","1.509.4","1.510","1.511","1.512","1.513","1.514","1.515","1.516","1.516.JENKINS-14362-jzlib","1.517","1.518","1.518.JENKINS-14362-jzlib","1.519","1.520","1.521","1.522","1.523","1.524","1.525","1.526","1.527","1.528","1.529","1.530","1.531","1.532","1.532.1","1.532.1.JENKINS-19453","1.532.2","1.532.2.JENKINS-21622-diag","1.532.2.JENKINS-22395-diag","1.532.3","1.532.3.JENKINS-22395","1.532.3.JENKINS-22395-2","1.533","1.534","1.535","1.536","1.537","1.538","1.539","1.540","1.541","1.542","1.543","1.544","1.545","1.546","1.547","1.548","1.549","1.550","1.551","1.552","1.553","1.554","1.554.1","1.554.2","1.554.3","1.554.3.JENKINS-18065-ALLRM-all","1.554.3.JENKINS-18065-JENKINS-23945","1.555","1.556","1.557","1.558","1.559","1.560","1.561","1.562","1.563","1.564","1.565","1.565.1","1.565.1.JENKINS-22395-dropLinks","1.565.2","1.565.3","1.566","1.567","1.568","1.569","1.570","1.571","1.572","1.573","1.574","1.575","1.576","1.577","1.578","1.579","1.580","1.580.1","1.580.2","1.580.3","1.581","1.582","1.583","1.584","1.585","1.586","1.587","1.588","1.589","1.590","1.591","1.592","1.593","1.594","1.595","1.596","1.596.1","1.596.2","1.596.3","1.597","1.598","1.599","1.600","1.601","1.602","1.604","1.605","1.606","1.607","1.608","1.609","1.609.1","1.609.2","1.609.3","1.610","1.611","1.612","1.613","1.614","1.615","1.616","1.617","1.618","1.619","1.620","1.621","1.622","1.623","1.624","1.625","1.625.1"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-3wmv-7php-rhg5/GHSA-3wmv-7php-rhg5.json"}},{"package":{"name":"org.jenkins-ci.main:jenkins-core","ecosystem":"Maven","purl":"pkg:maven/org.jenkins-ci.main/jenkins-core"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"1.626"},{"fixed":"1.638"}]}],"versions":["1.626","1.627","1.628","1.629","1.630","1.631","1.632","1.633","1.634","1.635","1.636","1.637"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-3wmv-7php-rhg5/GHSA-3wmv-7php-rhg5.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"}]}