CVE-2015-5317

What Is Jenkins?

Jenkins is the most widely deployed open-source automation server, used by organizations worldwide for continuous integration and continuous delivery (CI/CD) pipelines. Jenkins orchestrates build processes, automated testing, artifact production, and deployment workflows — making it a high-value target for attackers seeking to compromise software supply chains, inject malicious code into build artifacts, steal source code, or gain access to deployment credentials and secrets.

Jenkins instances frequently have access to source code repositories, package registries, cloud provider credentials, signing keys, and production deployment systems — a privileged position in an organization's infrastructure.

Overview

CVE-2015-5317 is an information disclosure vulnerability in Jenkins' web UI that allows unauthenticated or unauthorized users to view the names of jobs and builds they would otherwise not have permission to see, via the Jenkins "Fingerprints" pages. Fingerprints in Jenkins track which build produced a specific file (by MD5 hash) — the fingerprint pages expose job and build metadata without enforcing the access control permissions that protect the jobs themselves. Fixed in Jenkins 1.638 (November 11, 2015). CISA added CVE-2015-5317 to the KEV catalog in May 2023 — notably later than the 2021–2022 wave — confirming continued exploitation against legacy Jenkins installations.

Affected Versions

Technical Details

Root Cause: Missing Access Control on Fingerprint Pages

Jenkins tracks file provenance using fingerprints — MD5 hashes of build artifacts that link a specific file to the build job that produced it. The /fingerprint/ URL path allows users to look up a file hash and see which job and build created it.

CVE-2015-5317 exists because the fingerprint lookup pages do not enforce the access control permissions that protect the underlying jobs. In a Jenkins instance with access control enabled, users are normally prevented from seeing jobs they lack permission to view. However, the fingerprint pages display job names, build numbers, and related metadata without checking whether the requesting user has Job/Read permission for those jobs.

This allows any user — or in some configurations, unauthenticated users if the Jenkins anonymous read permission is enabled — to enumerate:

• Job names — the names of all CI/CD pipelines defined in the Jenkins instance
• Build numbers — which builds have run and their numbering
• File-to-build associations — which build artifact corresponds to which job

Reconnaissance Value

While CVE-2015-5317 does not enable code execution or credential theft directly, the disclosed information has significant reconnaissance value in an attack chain:

• Job name enumeration reveals the structure and scope of an organization's development pipeline (e.g., "payment-service-deploy-prod", "customer-data-export", "signing-key-update")
• Build metadata can indicate release schedules, deployment frequency, and which jobs are active
• Follow-on targeting — attackers use enumerated job names to identify high-value targets for credential theft, supply chain injection, or social engineering

Attack Characteristics

Discovery

Disclosed by the Jenkins security team in the November 11, 2015 security advisory and fixed in Jenkins 1.638.

Exploitation Context

• CI/CD pipeline reconnaissance: Attackers conducting supply chain attacks against software organizations use Jenkins vulnerability chains starting with information disclosure (CVE-2015-5317) to identify targets, then escalating through additional Jenkins vulnerabilities to gain execution and inject malicious code into build artifacts
• Long exploitation tail: CISA's addition of CVE-2015-5317 to the KEV catalog in May 2023 — over seven years after disclosure — confirms that attackers continue to probe legacy Jenkins installations that have not been updated since 2015; Jenkins instances in some organizations are treated as infrastructure that "just works" and rarely receive security updates
• Jenkins as a supply chain entry point: Compromising a Jenkins instance provides access to source code, artifact signing keys, and deployment credentials; Jenkins vulnerabilities are therefore highly attractive to supply chain threat actors
• CISA KEV (2023): Added May 2023

Remediation

1. Update Jenkins — upgrade to Jenkins 1.638 / LTS 1.625.2 or a later release. Any current Jenkins LTS version is patched against CVE-2015-5317 and all subsequent Jenkins security advisories.

2. Disable anonymous access — ensure the Jenkins global security configuration does not grant Anonymous users read access. Require authentication for all Jenkins access.

3. Restrict network access — Jenkins management interfaces should not be publicly accessible. Place Jenkins behind a VPN or network-layer access controls limiting access to authorized users and build agents only.

4. Audit job name sensitivity — review Jenkins job names to ensure they do not expose sensitive information (system names, environment names, security function names) that would provide meaningful reconnaissance to an attacker who sees them.

5. Enable matrix-based security — use Jenkins' matrix-based or project-based authorization to enforce least-privilege access controls on individual jobs and pipelines.