apk package

chainguard/jenkins-2.516

pkg:apk/chainguard/jenkins-2.516

Vulnerabilities (12)

CVE	Sev	CVSS	Affected versions	Fixed in	Published	Description
CVE-2026-33002		—	< 2.516.3-r4	2.516.3-r4	Mar 18, 2026	Jenkins 2.442 through 2.554 (both inclusive), LTS 2.426.3 through LTS 2.541.2 (both inclusive) performs origin validation of requests made through the CLI WebSocket endpoint by computing the expected origin for comparison using the Host or X-Forwarded-Host HTTP request headers, m
CVE-2026-33001		—	< 2.516.3-r4	2.516.3-r4	Mar 18, 2026	Jenkins 2.554 and earlier, LTS 2.541.2 and earlier does not safely handle symbolic links during the extraction of .tar and .tar.gz archives, allowing crafted archives to write files to arbitrary locations on the filesystem, restricted only by file system access permissions of the
CVE-2026-27100		—	< 2.516.3-r4	2.516.3-r4	Feb 18, 2026	Jenkins 2.550 and earlier, LTS 2.541.1 and earlier accepts Run Parameter values that refer to builds the user submitting the build does not have access to, allowing attackers with Item/Build and Item/Configure permission to obtain information about the existence of jobs, the exis
CVE-2026-27099		—	< 2.516.3-r4	2.516.3-r4	Feb 18, 2026	Jenkins 2.483 through 2.550 (both inclusive), LTS 2.492.1 through 2.541.1 (both inclusive) does not escape the user-provided description of the "Mark temporarily offline" offline cause, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with A
CVE-2025-67635		—	< 2.516.3-r4	2.516.3-r4	Dec 10, 2025	Jenkins 2.540 and earlier, LTS 2.528.2 and earlier does not properly close HTTP-based CLI connections when the connection stream becomes corrupted, allowing unauthenticated attackers to cause a denial of service.
CVE-2025-59476		—	< 2.516.3-r0	2.516.3-r0	Sep 17, 2025	Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not restrict or transform the characters that can be inserted from user-specified content in log messages, allowing attackers able to control log message contents to insert line break characters, followed by forged log messa
CVE-2025-59475		—	< 2.516.3-r0	2.516.3-r0	Sep 17, 2025	Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not perform a permission check for the authenticated user profile dropdown menu, allowing attackers without Overall/Read permission to obtain limited information about the Jenkins configuration by listing available options i
CVE-2025-59474		—	< 2.516.3-r0	2.516.3-r0	Sep 17, 2025	Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not perform a permission check in the sidepanel of a page intentionally accessible to users lacking Overall/Read permission, allowing attackers without Overall/Read permission to list agent names through its sidepanel execut
CVE-2025-41249	Hig	7.5	< 2.516.2-r1	2.516.2-r1	Sep 16, 2025	The Spring Framework annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue if such annotations are used for authorization decisions. Your application m
CVE-2025-41248	Hig	7.5	< 2.516.2-r1	2.516.2-r1	Sep 16, 2025	The Spring Security annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue when using @PreAuthorize and other method security annotations, resulting in a
CVE-2025-5115		—	< 2.516.2-r0	2.516.2-r0	Aug 20, 2025	In Eclipse Jetty, versions <=9.4.57, <=10.0.25, <=11.0.25, <=12.0.21, <=12.1.0.alpha2, an HTTP/2 client may trigger the server to send RST_STREAM frames, for example by sending frames that are malformed or that should not be sent in a particular stream state, therefore forcing th
CVE-2024-9453		—	< 0	0	Jul 4, 2025	A vulnerability was found in Red Hat OpenShift Jenkins. The bearer token is not obfuscated in the logs and potentially carries a high risk if those logs are centralized when collected. The token is typically valid for one year. This flaw allows a malicious user to jeopardize the

CVE-2026-33002Mar 18, 2026
affected < 2.516.3-r4fixed 2.516.3-r4
Jenkins 2.442 through 2.554 (both inclusive), LTS 2.426.3 through LTS 2.541.2 (both inclusive) performs origin validation of requests made through the CLI WebSocket endpoint by computing the expected origin for comparison using the Host or X-Forwarded-Host HTTP request headers, m
CVE-2026-33001Mar 18, 2026
affected < 2.516.3-r4fixed 2.516.3-r4
Jenkins 2.554 and earlier, LTS 2.541.2 and earlier does not safely handle symbolic links during the extraction of .tar and .tar.gz archives, allowing crafted archives to write files to arbitrary locations on the filesystem, restricted only by file system access permissions of the
CVE-2026-27100Feb 18, 2026
affected < 2.516.3-r4fixed 2.516.3-r4
Jenkins 2.550 and earlier, LTS 2.541.1 and earlier accepts Run Parameter values that refer to builds the user submitting the build does not have access to, allowing attackers with Item/Build and Item/Configure permission to obtain information about the existence of jobs, the exis
CVE-2026-27099Feb 18, 2026
affected < 2.516.3-r4fixed 2.516.3-r4
Jenkins 2.483 through 2.550 (both inclusive), LTS 2.492.1 through 2.541.1 (both inclusive) does not escape the user-provided description of the "Mark temporarily offline" offline cause, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with A
CVE-2025-67635Dec 10, 2025
affected < 2.516.3-r4fixed 2.516.3-r4
Jenkins 2.540 and earlier, LTS 2.528.2 and earlier does not properly close HTTP-based CLI connections when the connection stream becomes corrupted, allowing unauthenticated attackers to cause a denial of service.
CVE-2025-59476Sep 17, 2025
affected < 2.516.3-r0fixed 2.516.3-r0
Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not restrict or transform the characters that can be inserted from user-specified content in log messages, allowing attackers able to control log message contents to insert line break characters, followed by forged log messa
CVE-2025-59475Sep 17, 2025
affected < 2.516.3-r0fixed 2.516.3-r0
Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not perform a permission check for the authenticated user profile dropdown menu, allowing attackers without Overall/Read permission to obtain limited information about the Jenkins configuration by listing available options i
CVE-2025-59474Sep 17, 2025
affected < 2.516.3-r0fixed 2.516.3-r0
Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not perform a permission check in the sidepanel of a page intentionally accessible to users lacking Overall/Read permission, allowing attackers without Overall/Read permission to list agent names through its sidepanel execut
CVE-2025-41249HigSep 16, 2025
affected < 2.516.2-r1fixed 2.516.2-r1
The Spring Framework annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue if such annotations are used for authorization decisions. Your application m
CVE-2025-41248HigSep 16, 2025
affected < 2.516.2-r1fixed 2.516.2-r1
The Spring Security annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue when using @PreAuthorize and other method security annotations, resulting in a
CVE-2025-5115Aug 20, 2025
affected < 2.516.2-r0fixed 2.516.2-r0
In Eclipse Jetty, versions <=9.4.57, <=10.0.25, <=11.0.25, <=12.0.21, <=12.1.0.alpha2, an HTTP/2 client may trigger the server to send RST_STREAM frames, for example by sending frames that are malformed or that should not be sent in a particular stream state, therefore forcing th
CVE-2024-9453Jul 4, 2025
affected < 0fixed 0
A vulnerability was found in Red Hat OpenShift Jenkins. The bearer token is not obfuscated in the logs and potentially carries a high risk if those logs are centralized when collected. The token is typically valid for one year. This flaw allows a malicious user to jeopardize the