VYPR

apk package

chainguard/jenkins-2

pkg:apk/chainguard/jenkins-2

Vulnerabilities (11)

  • CVE-2025-59476 (Sep 17, 2025)
    affected: < 2.528-r0; fixed: 2.528-r0

    Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not restrict or transform the characters that can be inserted from user-specified content in log messages, allowing attackers able to control log message contents to insert line break characters, followed by forged log messa

  • CVE-2025-59475 (Sep 17, 2025)
    affected: < 2.528-r0; fixed: 2.528-r0

    Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not perform a permission check for the authenticated user profile dropdown menu, allowing attackers without Overall/Read permission to obtain limited information about the Jenkins configuration by listing available options i

  • CVE-2025-59474 (Sep 17, 2025)
    affected: < 2.528-r0; fixed: 2.528-r0

    Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not perform a permission check in the sidepanel of a page intentionally accessible to users lacking Overall/Read permission, allowing attackers without Overall/Read permission to list agent names through its sidepanel execut

  • CVE-2025-41249, severity High (Sep 16, 2025)
    affected: < 2.528-r0; fixed: 2.528-r0

    The Spring Framework annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue if such annotations are used for authorization decisions. Your application m

  • CVE-2025-41248, severity High (Sep 16, 2025)
    affected: < 2.528-r0; fixed: 2.528-r0

    The Spring Security annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue when using @PreAuthorize and other method security annotations, resulting in a

  • CVE-2025-5115 (Aug 20, 2025)
    affected: < 2.524-r0; fixed: 2.524-r0

    In Eclipse Jetty, versions <=9.4.57, <=10.0.25, <=11.0.25, <=12.0.21, <=12.1.0.alpha2, an HTTP/2 client may trigger the server to send RST_STREAM frames, for example by sending frames that are malformed or that should not be sent in a particular stream state, therefore forcing th

  • CVE-2024-9453 (Jul 4, 2025)
    affected: < 0; fixed: 0

    A vulnerability was found in Red Hat OpenShift Jenkins. The bearer token is not obfuscated in the logs and potentially carries a high risk if those logs are centralized when collected. The token is typically valid for one year. This flaw allows a malicious user to jeopardize the

  • CVE-2025-48976 (Jun 16, 2025)
    affected: < 2.515-r0; fixed: 2.515-r0

    Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in Apache Commons FileUpload. This issue affects Apache Commons FileUpload: from 1.0 before 1.6; from 2.0.0-M1 before 2.0.0-M4. Users are recommended to upgrade to versions 1.6 or

  • CVE-2025-41234, severity Medium (Jun 12, 2025)
    affected: < 2.515-r0; fixed: 2.515-r0

    In Spring Framework, versions 6.0.x as of 6.0.5, versions 6.1.x and 6.2.x, an application is vulnerable to a reflected file download (RFD) attack when it sets a “Content-Disposition” header with a non-ASCII charset, where the filename attribute is derived from user-s

  • CVE-2025-48734 (May 28, 2025)
    affected: < 2.512-r1; fixed: 2.512-r1

    Improper Access Control vulnerability in Apache Commons. A special BeanIntrospector class was added in version 1.9.2. This can be used to stop attackers from using the declared class property of Java enum objects to get access to the classloader. However this protection was no

  • CVE-2024-52046 (Dec 25, 2024)
    affected: < 2.491-r2; fixed: 2.491-r2

    The ObjectSerializationDecoder in Apache MINA uses Java’s native deserialization protocol to process incoming serialized data but lacks the necessary security checks and defenses. This vulnerability allows attackers to exploit the deserialization process by sending specially craf