CVE-2015-5322: Jenkins jnlpJars Path Traversal (arbitrary file read, listed as Local File Inclusion)
CVSS Score: 5.0 (CVSS v2)
Basic Information
CVE ID: CVE-2015-5322
GHSA ID:
EPSS Score: 0.45787%
CWE:
Published: 5/13/2022
Updated: 3/13/2025
KEV Status: No
Technology: Java
Technical Details
CVSS Vector (v2): AV:N/AC:L/Au:N/C:P/I:N/A:N
Remotely reachable over the network, low attack complexity, no authentication required; partial confidentiality impact only (file read), no integrity or availability impact.
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
org.jenkins-ci.main:jenkins-core | maven | >= 1.626, < 1.638 | 1.638 |
org.jenkins-ci.main:jenkins-core | maven | < 1.625.2 | 1.625.2 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from missing path validation in jnlpJars requests. Before the fix, JnlpJarURLConnection.getURL() in Slave.java built the resource path by concatenating the user-controlled 'fileName' directly onto '/WEB-INF/' with no validation, so a request whose file name contained '..' segments could walk out of WEB-INF and read files outside that directory. The patch commit adds an explicit check that rejects any 'fileName' containing '..' before the path is resolved; the check both closes the traversal and confirms that this concatenation was the vulnerable code path.