apk package
chainguard/jenkins-2.516-openjdk-17
pkg:apk/chainguard/jenkins-2.516-openjdk-17
Vulnerabilities (9)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-27100 | — | — | — | < 2.516.3-r4 | 2.516.3-r4 | Feb 18, 2026 | Jenkins 2.550 and earlier, LTS 2.541.1 and earlier accepts Run Parameter values that refer to builds the user submitting the build does not have access to, allowing attackers with Item/Build and Item/Configure permission to obtain information about the existence of jobs, the exis |
| CVE-2026-27099 | — | — | — | < 2.516.3-r4 | 2.516.3-r4 | Feb 18, 2026 | Jenkins 2.483 through 2.550 (both inclusive), LTS 2.492.1 through 2.541.1 (both inclusive) does not escape the user-provided description of the "Mark temporarily offline" offline cause, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with A |
| CVE-2025-67635 | — | — | — | < 2.516.3-r4 | 2.516.3-r4 | Dec 10, 2025 | Jenkins 2.540 and earlier, LTS 2.528.2 and earlier does not properly close HTTP-based CLI connections when the connection stream becomes corrupted, allowing unauthenticated attackers to cause a denial of service. |
| CVE-2025-59476 | — | — | — | < 2.516.3-r0 | 2.516.3-r0 | Sep 17, 2025 | Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not restrict or transform the characters that can be inserted from user-specified content in log messages, allowing attackers able to control log message contents to insert line break characters, followed by forged log messa |
| CVE-2025-59475 | — | — | — | < 2.516.3-r0 | 2.516.3-r0 | Sep 17, 2025 | Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not perform a permission check for the authenticated user profile dropdown menu, allowing attackers without Overall/Read permission to obtain limited information about the Jenkins configuration by listing available options i |
| CVE-2025-59474 | — | — | — | < 2.516.3-r0 | 2.516.3-r0 | Sep 17, 2025 | Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not perform a permission check in the sidepanel of a page intentionally accessible to users lacking Overall/Read permission, allowing attackers without Overall/Read permission to list agent names through its sidepanel execut |
| CVE-2025-41249 | High | 7.5 | — | < 2.516.2-r1 | 2.516.2-r1 | Sep 16, 2025 | The Spring Framework annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue if such annotations are used for authorization decisions. Your application m |
| CVE-2025-41248 | High | 7.5 | — | < 2.516.2-r1 | 2.516.2-r1 | Sep 16, 2025 | The Spring Security annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue when using @PreAuthorize and other method security annotations, resulting in a |
| CVE-2025-5115 | — | — | — | < 2.516.2-r0 | 2.516.2-r0 | Aug 20, 2025 | In Eclipse Jetty, versions <=9.4.57, <=10.0.25, <=11.0.25, <=12.0.21, <=12.1.0.alpha2, an HTTP/2 client may trigger the server to send RST_STREAM frames, for example by sending frames that are malformed or that should not be sent in a particular stream state, therefore forcing th |