Jenkins does not Verify Checksums for Plugin Files

GHSA-x274-9m9r-fm5g · CVE-2015-7539

Published May 13, 2022 · Modified Mar 13, 2025

Description

The Plugins Manager in Jenkins before 1.640 and LTS before 1.625.2 does not verify checksums for plugin files referenced in update site data, which makes it easier for man-in-the-middle attackers to execute arbitrary code via a crafted plugin.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2015-7539
WEB https://github.com/jenkinsci/jenkins/commit/11479a2cc0a322a6bcd7e65667f3d24aa4d444bb
WEB https://github.com/jenkinsci/jenkins/commit/97adb71aa4509f91e408a16ba312e817ec015cf4
WEB https://github.com/jenkinsci/jenkins/commit/9ec88357a354d8354728cc06e2b8c8b68aee58bf
WEB https://github.com/jenkinsci/jenkins/commit/c158648afa8888bc49ac337c973d4e4bc050118e
WEB https://github.com/jenkinsci/jenkins/commit/f99cb46e06f394637067730a82f46bddc3567295
WEB https://access.redhat.com/errata/RHSA-2016:0070
PACKAGE https://github.com/jenkinsci/jenkins
WEB https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-12-09
WEB http://rhn.redhat.com/errata/RHSA-2016-0489.html

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes