High severity · 8.8 · NVD Advisory · Published Feb 3, 2016 · Updated May 6, 2026
CVE-2015-7538
Description
Jenkins before 1.640 and LTS before 1.625.2 allow remote attackers to bypass the CSRF protection mechanism via unspecified vectors.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.jenkins-ci.main:jenkins-core | Maven | >= 1.626, < 1.640 | 1.640 |
| org.jenkins-ci.main:jenkins-core | Maven | < 1.625.2 | 1.625.2 |
Patches (4)
ba747888108d [SECURITY-233] Only append crumb to URL in multipart forms
1 file changed · +7 −4
war/src/main/webapp/scripts/hudson-behavior.js+7 −4 modified@@ -117,10 +117,12 @@ var crumb = { var div = document.createElement("div"); div.innerHTML = "<input type=hidden name='"+this.fieldName+"' value='"+this.value+"'>"; form.appendChild(div); - if (form.action.indexOf("?") != -1) { - form.action = form.action+"&"+this.fieldName+"="+this.value; - } else { - form.action = form.action+"?"+this.fieldName+"="+this.value; + if (form.enctype == "multipart/form-data") { + if (form.action.indexOf("?") != -1) { + form.action = form.action+"&"+this.fieldName+"="+this.value; + } else { + form.action = form.action+"?"+this.fieldName+"="+this.value; + } } } } @@ -2424,6 +2426,7 @@ function buildFormTree(form) { // switch to multipart/form-data to support file submission // @enctype is the standard, but IE needs @encoding. form.enctype = form.encoding = "multipart/form-data"; + crumb.appendToForm(form); break; case "radio": if(!e.checked) break;
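Review bot: `buildFormTree` now calls `crumb.appendToForm(form)` a second time when it flips a form to multipart, and `appendToForm` unconditionally appends a fresh hidden `<input>` on every call, so a form that already received its crumb at page load ends up with two hidden crumb fields, and a form that was already `multipart/form-data` at load gets the crumb appended to `form.action` twice. Make `appendToForm` idempotent (skip the hidden field when one named `this.fieldName` already exists, and skip the URL append when `form.action` already contains `this.fieldName+"="`), or move the URL append into a separate helper that `buildFormTree` calls on its own. Two smaller points on the first hunk: the new check reads only `form.enctype`, while the `buildFormTree` hunk sets both `enctype` and `encoding` for IE, so test the same pair here; and `this.value` is still concatenated into the URL raw, which should go through `encodeURIComponent` even if the current crumb alphabet happens to be URL-safe.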
ef2c0dc16369 [FIX SECURITY-233] Remove multipart form exception from crumb filter
2 files changed · +7 −2
core/src/main/java/hudson/security/csrf/CrumbFilter.java+2 −2 modified@@ -80,8 +80,8 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha LOGGER.log(Level.WARNING, "Found invalid crumb {0}. Will check remaining parameters for a valid one...", crumb); } } - // Multipart requests need to be handled by each handler. - if (valid || isMultipart(httpRequest)) { + + if (valid) { chain.doFilter(request, response); } else { LOGGER.log(Level.WARNING, "No valid crumb was included in request for {0}. Returning {1}.", new Object[] {httpRequest.getRequestURI(), HttpServletResponse.SC_FORBIDDEN});
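Review bot: dropping `|| isMultipart(httpRequest)` means a multipart POST whose crumb is only inside the body is now answered with 403, because the filter looks for the crumb among the request parameters before any handler has parsed the multipart body. That is the right call (the removed comment shows the exception delegated validation to each handler, so every handler that forgot was reachable without a crumb), but it is a behaviour change for non-browser clients that upload files, and the advisory text should state that such requests must carry the crumb in the query string. If `isMultipart` has no remaining callers after this hunk, delete it rather than leaving a helper that suggests the exception still exists.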
war/src/main/webapp/scripts/hudson-behavior.js+5 −0 modified@@ -117,6 +117,11 @@ var crumb = { var div = document.createElement("div"); div.innerHTML = "<input type=hidden name='"+this.fieldName+"' value='"+this.value+"'>"; form.appendChild(div); + if (form.action.indexOf("?") != -1) { + form.action = form.action+"&"+this.fieldName+"="+this.value; + } else { + form.action = form.action+"?"+this.fieldName+"="+this.value; + } } }
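Review bot: this appends the crumb to `form.action` for every form, not only multipart ones, so ordinary urlencoded forms now send the token twice and expose it in the request URL, where it ends up in access logs, proxies and Referer headers. Restrict the URL append to `form.enctype == "multipart/form-data"`, the one case in which the filter cannot read the crumb from the body. `this.value` should also be passed through `encodeURIComponent` before the concatenation rather than inserted raw.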
Vulnerability mechanics
Jenkins' CSRF protection is enforced by CrumbFilter, which requires every state-changing request to carry a valid crumb (a per-session token) among its request parameters. Before the fix the filter let any request with a multipart/form-data body through unchecked (`if (valid || isMultipart(httpRequest))`), on the assumption that each handler accepting file uploads would validate the crumb itself after parsing the body. Any handler that did not was reachable without a crumb, so a cross-origin form submitted from a victim's browser could skip the check simply by declaring enctype="multipart/form-data"; this is the bypass the NVD description leaves as "unspecified vectors".
Commit ef2c0dc16369 removes the exception, so a multipart request is rejected unless a valid crumb is visible to the filter. Because the servlet container does not parse multipart bodies into request parameters, the companion change in hudson-behavior.js copies the crumb into the form's action URL as a query parameter, where the filter can read it. Commit ba747888108d narrows that URL append to multipart forms only and also applies it when buildFormTree switches a form to multipart after finding a file input.
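The filter decision before and after the fix, as an added Python model written for this page; it is not Jenkins code and not taken from the patches above. It reproduces only the branch visible in the CrumbFilter.java hunk (`valid || isMultipart(request)` before, `valid` after) and the client-side change that copies the crumb into a multipart form's action URL. The `Request` class, the endpoint path, the token value and the `append_crumb_to_action` / `scenarios` helpers are constructed stand-ins, not Jenkins APIs.

```python
"""Model of Jenkins' CrumbFilter decision before and after SECURITY-233.

Added example for this page; it is not Jenkins code. It reproduces only the
decision visible in the CrumbFilter.java hunk (`valid || isMultipart(request)`
before the fix, `valid` after) and the client-side change that copies the
crumb into the form action's query string for multipart forms. The Request
class, URLs and token values are constructed stand-ins.
"""
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

CRUMB_FIELD = ".crumb"            # Jenkins' default crumb parameter name
VALID_CRUMB = "deadbeefcafef00d"  # constructed: the token the server issued


class Request:
    """Stand-in for HttpServletRequest as CrumbFilter sees it.

    getParameter() sees the query string plus urlencoded body fields, but not
    the fields of a multipart/form-data body, which are only parsed later by
    the handler. That gap is why the old filter had a multipart exception.
    """

    def __init__(self, url, content_type, body_params=None):
        self.url = url
        self.content_type = content_type
        self.body_params = dict(body_params or {})

    def is_multipart(self):
        return self.content_type.lower().startswith("multipart/form-data")

    def get_parameters(self):
        params = {k: v[0] for k, v in parse_qs(urlsplit(self.url).query).items()}
        if not self.is_multipart():
            params.update(self.body_params)
        return params


def crumb_filter(request, multipart_exception):
    """Return True if the filter passes the request down the chain.

    multipart_exception=True reproduces the pre-fix branch
    `if (valid || isMultipart(httpRequest))`; False reproduces `if (valid)`.
    """
    valid = request.get_parameters().get(CRUMB_FIELD) == VALID_CRUMB
    return valid or (multipart_exception and request.is_multipart())


def append_crumb_to_action(action, enctype, crumb=VALID_CRUMB):
    """Client-side part of the fix (ba747888): put the crumb into the action
    URL, but only for multipart forms, whose body the filter cannot read.
    Unlike the patch's string concatenation this encodes the value and is
    idempotent, so a re-submitted form does not get a duplicate parameter."""
    if enctype != "multipart/form-data":
        return action
    parts = urlsplit(action)
    query = parse_qs(parts.query, keep_blank_values=True)
    if query.get(CRUMB_FIELD) == [crumb]:
        return action
    query[CRUMB_FIELD] = [crumb]
    return urlunsplit(parts._replace(query=urlencode(query, doseq=True)))


def scenarios():
    """Constructed requests against a hypothetical endpoint; returns
    {name: (allowed_before_fix, allowed_after_fix)}."""
    url = "https://jenkins.example/hypothetical/submit"   # hypothetical path
    multipart = "multipart/form-data; boundary=----x"
    urlenc = "application/x-www-form-urlencoded"
    cases = {
        # cross-site multipart POST with no crumb anywhere: the bypass
        "forged multipart, no crumb": Request(url, multipart, {"name": "evil"}),
        # multipart POST whose crumb sits only in the (unparsed) body
        "multipart, crumb only in body": Request(url, multipart, {CRUMB_FIELD: VALID_CRUMB}),
        # browser running the fixed JS: crumb copied into the query string
        "multipart, crumb in query": Request(append_crumb_to_action(url, "multipart/form-data"), multipart),
        # ordinary urlencoded forms behave the same before and after
        "urlencoded, crumb in body": Request(url, urlenc, {CRUMB_FIELD: VALID_CRUMB}),
        "urlencoded, no crumb": Request(url, urlenc, {"name": "evil"}),
    }
    return {name: (crumb_filter(r, True), crumb_filter(r, False)) for name, r in cases.items()}


if __name__ == "__main__":
    for name, (before, after) in scenarios().items():
        print(f"{name:32} before fix: {'pass' if before else '403 '}   after fix: {'pass' if after else '403'}")
```

The second scenario is the compatibility cost of the fix: a client that uploads a file and puts its crumb only in the multipart body passed the old filter and is rejected by the new one, which is why the browser-side change copies the crumb into the URL. `append_crumb_to_action` also shows the two hardening points the patches leave open, URL-encoding the value and not appending it twice.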
References (7)
- github.com/advisories/GHSA-w7qm-fprw-cqgq [GHSA, advisory]
- nvd.nist.gov/vuln/detail/CVE-2015-7538 [GHSA, advisory]
- wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-12-09 [NVD, vendor advisory]
- rhn.redhat.com/errata/RHSA-2016-0489.html [NVD]
- access.redhat.com/errata/RHSA-2016:0070 [NVD]
- github.com/jenkinsci/jenkins/commit/ba747888108d0db90d469c6d210b1df465d8fac1 [GHSA, fix commit]
- github.com/jenkinsci/jenkins/commit/ef2c0dc163695af3a57ad7a45571293377ff679b [GHSA, fix commit]