CVE-2015-1806: Jenkins allows for Privilege Escalation by Remote Authenticated Users

May 17, 2022 (updated March 13, 2025)

The combination filter Groovy script in Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users with job configuration permission to gain privileges and execute arbitrary code on the master via unspecified vectors.

References

access.redhat.com/errata/RHSA-2016:0070
bugzilla.redhat.com/show_bug.cgi?id=1205620
github.com/advisories/GHSA-mm9c-4cv4-7rfv
github.com/jenkinsci/jenkins
nvd.nist.gov/vuln/detail/CVE-2015-1806
wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-02-27

Code Behaviors & Features

Detect and mitigate CVE-2015-1806 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →