VYPR

apk package

chainguard/jenkins-2.516-openjdk-17

pkg:apk/chainguard/jenkins-2.516-openjdk-17

Vulnerabilities (9)

  • CVE-2026-27100 (Feb 18, 2026)
    affected: < 2.516.3-r4; fixed: 2.516.3-r4

    Jenkins 2.550 and earlier, LTS 2.541.1 and earlier accepts Run Parameter values that refer to builds the user submitting the build does not have access to, allowing attackers with Item/Build and Item/Configure permission to obtain information about the existence of jobs, the exis

  • CVE-2026-27099 (Feb 18, 2026)
    affected: < 2.516.3-r4; fixed: 2.516.3-r4

    Jenkins 2.483 through 2.550 (both inclusive), LTS 2.492.1 through 2.541.1 (both inclusive) does not escape the user-provided description of the "Mark temporarily offline" offline cause, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with A

  • CVE-2025-67635 (Dec 10, 2025)
    affected: < 2.516.3-r4; fixed: 2.516.3-r4

    Jenkins 2.540 and earlier, LTS 2.528.2 and earlier does not properly close HTTP-based CLI connections when the connection stream becomes corrupted, allowing unauthenticated attackers to cause a denial of service.

  • CVE-2025-59476 (Sep 17, 2025)
    affected: < 2.516.3-r0; fixed: 2.516.3-r0

    Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not restrict or transform the characters that can be inserted from user-specified content in log messages, allowing attackers able to control log message contents to insert line break characters, followed by forged log messa

  • CVE-2025-59475 (Sep 17, 2025)
    affected: < 2.516.3-r0; fixed: 2.516.3-r0

    Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not perform a permission check for the authenticated user profile dropdown menu, allowing attackers without Overall/Read permission to obtain limited information about the Jenkins configuration by listing available options i

  • CVE-2025-59474 (Sep 17, 2025)
    affected: < 2.516.3-r0; fixed: 2.516.3-r0

    Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not perform a permission check in the sidepanel of a page intentionally accessible to users lacking Overall/Read permission, allowing attackers without Overall/Read permission to list agent names through its sidepanel execut

  • CVE-2025-41249, severity: High (Sep 16, 2025)
    affected: < 2.516.2-r1; fixed: 2.516.2-r1

    The Spring Framework annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue if such annotations are used for authorization decisions. Your application m

  • CVE-2025-41248, severity: High (Sep 16, 2025)
    affected: < 2.516.2-r1; fixed: 2.516.2-r1

    The Spring Security annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue when using @PreAuthorize and other method security annotations, resulting in a

  • CVE-2025-5115 (Aug 20, 2025)
    affected: < 2.516.2-r0; fixed: 2.516.2-r0

    In Eclipse Jetty, versions <=9.4.57, <=10.0.25, <=11.0.25, <=12.0.21, <=12.1.0.alpha2, an HTTP/2 client may trigger the server to send RST_STREAM frames, for example by sending frames that are malformed or that should not be sent in a particular stream state, therefore forcing th