Low severityNVD Advisory· Published Nov 25, 2015· Updated May 6, 2026

CVE-2015-5318

Description

Jenkins before 1.638 and LTS before 1.625.2 uses a publicly accessible salt to generate CSRF protection tokens, which makes it easier for remote attackers to bypass the CSRF protection mechanism via a brute force attack.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
org.jenkins-ci.main:jenkins-coreMaven	< 1.625.2	1.625.2
org.jenkins-ci.main:jenkins-coreMaven	>= 1.626, < 1.638	1.638

Affected products

Jenkins/Jenkins2 versions
cpe:2.3:a:jenkins:jenkins:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:jenkins:jenkins:*:*:*:*:*:*:*:*range: <=1.637
- cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*range: <=1.625.1
Red Hat/Openshift2 versions
cpe:2.3:a:redhat:openshift:*:*:*:*:enterprise:*:*:*+ 1 more
- cpe:2.3:a:redhat:openshift:*:*:*:*:enterprise:*:*:*range: <=3.1
- cpe:2.3:a:redhat:openshift:2.0:*:*:*:*:*:*:*

Patches

f53802bb82a2

[SECURITY-169] - Convert crumb issuer salt to the confidential key

https://github.com/jenkinsci/jenkinsOleg NenashevSep 7, 2015via ghsa

commit

1 file changed · +4 −2

core/src/main/java/hudson/security/csrf/DefaultCrumbIssuer.java+4 −2 modified

@@ -17,6 +17,7 @@
 
 import javax.servlet.ServletRequest;
 import javax.servlet.http.HttpServletRequest;
+import jenkins.security.HexStringConfidentialKey;
 
 import net.sf.json.JSONObject;
 
@@ -117,9 +118,10 @@ private String getClientIP(HttpServletRequest req) {
     @Extension
     public static final class DescriptorImpl extends CrumbIssuerDescriptor<DefaultCrumbIssuer> implements ModelObject {
 
+        private final static HexStringConfidentialKey CRUMB_SALT = new HexStringConfidentialKey(Jenkins.class,"crumbSalt",16);
+        
         public DescriptorImpl() {
-            // salt just needs to be unique, and it doesn't have to be a secret
-            super(Jenkins.getInstance().getLegacyInstanceId(), System.getProperty("hudson.security.csrf.requestfield", ".crumb"));
+            super(CRUMB_SALT.get(), System.getProperty("hudson.security.csrf.requestfield", ".crumb"));
             load();
         }

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-3wmv-7php-rhg5ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2015-5318ghsaADVISORY
wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11nvdVendor AdvisoryWEB
rhn.redhat.com/errata/RHSA-2016-0489.htmlnvdWEB
access.redhat.com/errata/RHSA-2016:0070nvdWEB
github.com/jenkinsci/jenkins/commit/f53802bb82a25b295b6dfa3bf2a591a6c8552183ghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.065
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000