Moderate severityNVD Advisory· Published Nov 25, 2015· Updated May 6, 2026

CVE-2015-5325

Description

Jenkins before 1.638 and LTS before 1.625.2 allow attackers to bypass intended slave-to-master access restrictions by leveraging a JNLP slave. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-3665.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
org.jenkins-ci.main:jenkins-coreMaven	< 1.625.2	1.625.2
org.jenkins-ci.main:jenkins-coreMaven	>= 1.626, < 1.638	1.638

Affected products

Red Hat/Openshift2 versions
cpe:2.3:a:redhat:openshift:*:*:*:*:enterprise:*:*:*+ 1 more
- cpe:2.3:a:redhat:openshift:*:*:*:*:enterprise:*:*:*range: <=3.1
- cpe:2.3:a:redhat:openshift:2.0:*:*:*:*:*:*:*
Jenkins/Jenkins2 versions
cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*+ 1 more
- cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*range: <=1.625.1
- cpe:2.3:a:jenkins:jenkins:*:*:*:*:*:*:*:*range: <=1.637

Patches

054a329c5917

[SECURITY-206] Need to call ChannelConfigurator on JNLP slave channels.

https://github.com/jenkinsci/jenkinsJesse GlickNov 4, 2015via ghsa

commit

2 files changed · +31 −0

core/src/main/java/jenkins/slaves/JnlpSlaveAgentProtocol.java+5 −0 modified

@@ -9,6 +9,7 @@
 import hudson.slaves.SlaveComputer;
 import jenkins.AgentProtocol;
 import jenkins.model.Jenkins;
+import jenkins.security.ChannelConfigurator;
 import jenkins.security.HMACConfidentialKey;
 import org.jenkinsci.remoting.nio.NioChannelHub;
 
@@ -117,6 +118,10 @@ protected Channel jnlpConnect(SlaveComputer computer) throws InterruptedExceptio
             try {
                 ChannelBuilder cb = createChannelBuilder(nodeName);
 
+                for (ChannelConfigurator cc : ChannelConfigurator.all()) {
+                    cc.onChannelBuilding(cb, computer);
+                }
+
                 computer.setChannel(cb.withHeaderStream(log).build(socket), log,
                     new Listener() {
                         @Override

test/src/test/java/hudson/bugs/JnlpAccessWithSecuredHudsonTest.java+26 −0 modified

@@ -26,13 +26,17 @@
 import com.gargoylesoftware.htmlunit.Page;
 import com.gargoylesoftware.htmlunit.html.HtmlPage;
 import com.gargoylesoftware.htmlunit.xml.XmlPage;
+import hudson.cli.util.ScriptLoader;
 import hudson.model.Node.Mode;
 import hudson.model.Slave;
+import hudson.remoting.Channel;
 import hudson.remoting.Launcher;
 import hudson.remoting.Which;
 import hudson.slaves.JNLPLauncher;
 import hudson.slaves.RetentionStrategy;
 import hudson.slaves.DumbSlave;
+import jenkins.security.MasterToSlaveCallable;
+import jenkins.security.s2m.AdminWhitelistRule;
 import org.dom4j.Document;
 import org.dom4j.Element;
 import org.dom4j.io.DOMReader;
@@ -41,6 +45,7 @@
 import org.jvnet.hudson.test.recipes.PresetData;
 import org.jvnet.hudson.test.recipes.PresetData.DataSet;
 
+import java.io.File;
 import java.net.HttpURLConnection;
 import java.net.URL;
 import java.util.Collections;
@@ -112,6 +117,16 @@ public void testServiceUsingDirectSecret() throws Exception {
             for (int i = 0; i < /* one minute */600; i++) {
                 if (slave.getComputer().isOnline()) {
                     System.err.println("JNLP slave successfully connected");
+                    Channel channel = slave.getComputer().getChannel();
+                    assertFalse("SECURITY-206", channel.isRemoteClassLoadingAllowed());
+                    jenkins.getExtensionList(AdminWhitelistRule.class).get(AdminWhitelistRule.class).setMasterKillSwitch(false);
+                    final File f = new File(jenkins.getRootDir(), "secrets/master.key"); // DefaultConfidentialStore
+                    assertTrue(f.exists());
+                    try {
+                        fail("SECURITY-206: " + channel.call(new Attack(f.getAbsolutePath())));
+                    } catch (SecurityException x) {
+                        System.out.println("expected: " + x);
+                    }
                     return;
                 }
                 Thread.sleep(100);
@@ -122,4 +137,15 @@ public void testServiceUsingDirectSecret() throws Exception {
         }
     }
 
+    private static class Attack extends MasterToSlaveCallable<String,Exception> {
+        private final String path;
+        Attack(String path) {
+            this.path = path;
+        }
+        @Override
+        public String call() throws Exception {
+            return Channel.current().call(new ScriptLoader(path));
+        }
+    }
+
 }

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-x2q2-8pwq-fr5rghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2015-5325ghsaADVISORY
wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11nvdVendor AdvisoryWEB
rhn.redhat.com/errata/RHSA-2016-0489.htmlnvdWEB
access.redhat.com/errata/RHSA-2016:0070nvdWEB
github.com/jenkinsci/jenkins/commit/054a329c59171ca12ff98f7063ce7fd053ee08bfghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000