CVE-2014-3667 (VYPR advisory page)
Moderate severity · NVD Advisory · Published Oct 16, 2014 · Updated May 6, 2026

Description

Jenkins before 1.583 and LTS before 1.565.3 does not properly restrict which files the per-plugin resource handler (hudson.Plugin.doDynamic, reached as plugin/<name>/<path>) will serve: it returns anything under the installed plugin's exploded directory, including the WEB-INF/ and META-INF/ trees that hold the plugin's classes, bundled libraries and manifest. A remote authenticated user holding only the Overall/READ permission can therefore download the plugin code and obtain any sensitive information it contains. The fix (SECURITY-155) refuses requests whose path starts with /META-INF/ or /WEB-INF/.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                    Affected versions    Patched version
org.jenkins-ci.main:jenkins-core (Maven)   >= 1.566, < 1.583    1.583
org.jenkins-ci.main:jenkins-core (Maven)   < 1.565.3            1.565.3

Affected products

  • cpe:2.3:a:jenkins:jenkins:*:*:*:*:*:*:*:* (range: <= 1.582)
  • cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:* (range: <= 1.565.2)
  • cpe:2.3:a:redhat:openshift:*:*:*:*:enterprise:*:*:* (range: <= 3.1)

Patches

Commit f0a29b562e14 · https://github.com/jenkinsci/jenkins · Jesse Glick · Aug 22, 2014 · via GHSA

[FIXED SECURITY-155] Do not allow plugin code to be downloaded via doDynamic, only static resources.

2 files changed · +8 −0
  • core/src/main/java/hudson/Plugin.java (+5 −0, modified)
    @@ -42,6 +42,7 @@
     import com.thoughtworks.xstream.XStream;
     import java.net.URI;
     import java.net.URISyntaxException;
    +import org.kohsuke.stapler.HttpResponses;
     
     /**
      * Base class of Hudson plugin.
    @@ -200,6 +201,10 @@ public void configure(StaplerRequest req, JSONObject formData) throws IOExceptio
         public void doDynamic(StaplerRequest req, StaplerResponse rsp) throws IOException, ServletException {
             String path = req.getRestOfPath();
     
    +        if (path.startsWith("/META-INF/") || path.startsWith("/WEB-INF/")) {
    +            throw HttpResponses.notFound();
    +        }
    +
             if(path.length()==0)
                 path = "/";
     
    
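Review bot: the guard added at the top of doDynamic is a two-entry, exact-case denylist applied to the raw rest-of-path, which is narrower than the commit message's "only static resources". Two variants slip past `startsWith("/META-INF/") || startsWith("/WEB-INF/")` as written: a lower-case `/web-inf/...` or `/meta-inf/...`, which would still resolve to the same files on a case-insensitive filesystem (Windows, default macOS), and a doubled leading slash (`//WEB-INF/...`), where whatever resolves the path afterwards decides whether the file is served. Suggest normalising first (collapse repeated slashes, reject any `..` segment, which the test file shows is handled elsewhere) and then comparing case-insensitively, or better, allowlisting the top-level directories that actually hold static resources. A one-line comment above the check saying why these two prefixes are blocked (they hold the plugin's classes, libraries and manifest) would also help, since the guard reads as arbitrary on its own.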
  • test/src/test/java/hudson/PluginTest.java (+3 −0, modified)
    @@ -42,6 +42,9 @@ public class PluginTest {
             r.createWebClient().assertFails("plugin/credentials/images/%2E%2E/images/24x24/credentials.png", HttpServletResponse.SC_INTERNAL_SERVER_ERROR); // IAE from TokenList.<init>
             r.createWebClient().assertFails("plugin/credentials/images/%252E%252E/images/24x24/credentials.png", HttpServletResponse.SC_NOT_FOUND); // SECURITY-131
             r.createWebClient().assertFails("plugin/credentials/images/%25252E%25252E/images/24x24/credentials.png", HttpServletResponse.SC_NOT_FOUND); // just checking
    +        // SECURITY-155:
    +        r.createWebClient().assertFails("plugin/credentials/WEB-INF/licenses.xml", HttpServletResponse.SC_NOT_FOUND);
    +        r.createWebClient().assertFails("plugin/credentials/META-INF/MANIFEST.MF", HttpServletResponse.SC_NOT_FOUND);
         }
     
     }
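Review bot: the two new assertions only establish that the WEB-INF and META-INF requests are refused; add a positive case that a legitimate static resource under the same plugin still answers 200, so the check cannot pass by being too broad, and add the bypass variants a reviewer would try against a prefix test: a lower-case `plugin/credentials/web-inf/licenses.xml`, a doubled slash before `WEB-INF`, and the percent-encoded forms the traversal cases above already use. Without those the test pins the denylist's literal strings rather than the property the commit message claims.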
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
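An offline model of the resource lookup that SECURITY-155 patches, added here by the editor and not Jenkins code: it re-implements the path handling of hudson.Plugin.doDynamic in Python over a constructed exploded-plugin directory and runs it in three modes, pre-fix, the committed prefix denylist, and a stricter normalise-then-allowlist variant of the kind a reviewer would ask for. The file contents, the plugin name, the STATIC_DIRS allowlist and the serve/make_plugin_dir helpers are assumptions made for the demonstration; how Stapler actually populates getRestOfPath (for instance whether a doubled leading slash can reach this code) is not something the page shows, so the doubled-slash case illustrates the shape of a prefix-check weakness in the model only.

```python
"""Model of the SECURITY-155 check in hudson.Plugin.doDynamic (added example, not Jenkins code)."""
import posixpath
import tempfile
from pathlib import Path

# Constructed exploded-plugin layout. A .hpi unpacks to WEB-INF/ (classes and
# lib/*.jar, i.e. the plugin's code) and META-INF/ (manifest) beside the
# static resources that doDynamic is meant to serve.
PLUGIN_FILES = {
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\nShort-Name: credentials\n",
    "WEB-INF/licenses.xml": b"<licenses/>",
    "WEB-INF/lib/credentials.jar": b"PK\x03\x04 fake jar bytes",
    "images/24x24/credentials.png": b"\x89PNG fake image bytes",
}

BLOCKED_PREFIXES = ("/META-INF/", "/WEB-INF/")  # the denylist from commit f0a29b562e14
STATIC_DIRS = {"images", "css", "js", "help"}     # assumed allowlist; not Jenkins' own


def make_plugin_dir() -> Path:
    """Write the constructed plugin tree to a temp dir and return its root."""
    root = Path(tempfile.mkdtemp(prefix="credentials-plugin-"))
    for rel, data in PLUGIN_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return root


def serve(root: Path, rest_of_path: str, mode: str):
    """Answer a request for plugin/<name><rest_of_path> as (status, body).

    mode == "vulnerable": pre-1.583, any file under the plugin root is served.
    mode == "fixed":      the committed check, an exact-case prefix denylist
                          applied to the raw rest-of-path before anything else.
    mode == "strict":     normalise first, then allow only known static
                          directories, compared case-insensitively.
    """
    path = rest_of_path
    # Dot-segment traversal was handled separately (SECURITY-131, see the test
    # file in the patch); this model simply refuses it in every mode.
    if ".." in path.split("/"):
        return 404, None
    if mode == "fixed" and path.startswith(BLOCKED_PREFIXES):
        return 404, None
    if mode == "strict":
        # normpath collapses repeated slashes and "." segments; keep only the
        # non-empty components and gate on the first one.
        parts = [p for p in posixpath.normpath(path).split("/") if p]
        if not parts or parts[0].lower() not in STATIC_DIRS:
            return 404, None
        path = "/" + "/".join(parts)
    if path == "":
        path = "/"
    target = root / path.lstrip("/")
    if not target.is_file():
        return 404, None
    return 200, target.read_bytes()


def main():
    root = make_plugin_dir()
    requests = ("/images/24x24/credentials.png", "/WEB-INF/lib/credentials.jar",
                "/META-INF/MANIFEST.MF", "//WEB-INF/licenses.xml", "/web-inf/licenses.xml")
    for req in requests:
        statuses = (f"{m}={serve(root, req, m)[0]}" for m in ("vulnerable", "fixed", "strict"))
        print(f"{req:34}", *statuses)


if __name__ == "__main__":
    main()
```

Run it as a script for a status table per mode, or call serve directly. The equivalent live check is the one the patch's test encodes: request plugin/<name>/META-INF/MANIFEST.MF or plugin/<name>/WEB-INF/licenses.xml as a user holding only Overall/READ; on a release in the affected range the file is returned, on 1.583 / 1.565.3 and later the response is 404. Note that the model's fixed mode answers 404 for /web-inf/licenses.xml only because the file lookup fails on a case-sensitive filesystem; the committed check itself compares case exactly, which is why the strict mode lower-cases before matching.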
