VYPR

apk package

chainguard/jenkins-2.541

pkg:apk/chainguard/jenkins-2.541

Vulnerabilities (12)

  • CVE-2026-42779 (Critical) May 1, 2026
    affected: < 2.541.3-r7, fixed: 2.541.3-r7

    The fix for CVE-2026-41635 was not applied to the 2.1.X and 2.2.X branches. Here was the original issue description: Apache MINA's AbstractIoBuffer.resolveClass() contains two branches, one of them (for static classes or primitive types) does not check the class at all

  • CVE-2026-42778 (Critical) May 1, 2026
    affected: < 2.541.3-r7, fixed: 2.541.3-r7

    The fix for CVE-2026-41409 was not applied to the 2.1.X and 2.2.X branches. Here was the original issue description: The fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject() was incomplete. The classname allowlist of classes allowed to be deserialized was applie

  • CVE-2026-41409 (Critical) Apr 27, 2026
    affected: < 2.541.3-r7, fixed: 2.541.3-r7

    The fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject() was incomplete. The classname allowlist of classes allowed to be deserialized was applied too late after a static initializer in a class to be read might already have been executed. Affected versions are A

  • CVE-2026-41635 (Critical) Apr 27, 2026
    affected: < 2.541.3-r7, fixed: 2.541.3-r7

    Apache MINA's AbstractIoBuffer.resolveClass() contains two branches, one of them (for static classes or primitive types) does not check the class at all, bypassing the classname allowlist and allowing arbitrary code to be executed. The fix checks if the class is present in th

  • CVE-2026-22746 (Low) Apr 22, 2026
    affected: < 2.541.3-r3, fixed: 2.541.3-r3

    Vulnerability in Spring Security. If an application is using the UserDetails#isEnabled, #isAccountNonExpired, or #isAccountNonLocked user attributes to enable, expire, or lock users, then DaoAuthenticationProvider's timing attack defense can be bypassed for users who are

  • CVE-2026-22751 (Medium) Apr 21, 2026
    affected: < 2.541.3-r3, fixed: 2.541.3-r3

    Vulnerability in Spring Security. Applications that explicitly configure One-Time Token login with JdbcOneTimeTokenService are vulnerable to a Time-of-check Time-of-use (TOCTOU) race condition. This issue affects Spring Security: from 6.4.0 through 6.4.15, from 6.5.0 throu

  • CVE-2026-22732 (Critical) Mar 19, 2026
    affected: < 2.541.3-r2, fixed: 2.541.3-r2

    When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP headers will not be written. This issue affects Spring Security Servlet applications using lazy (default) writing of HTTP headers: from 5.7.0

  • CVE-2026-33002 Mar 18, 2026
    affected: < 2.541.3-r2, fixed: 2.541.3-r2

    Jenkins 2.442 through 2.554 (both inclusive), LTS 2.426.3 through LTS 2.541.2 (both inclusive) performs origin validation of requests made through the CLI WebSocket endpoint by computing the expected origin for comparison using the Host or X-Forwarded-Host HTTP request headers, m

  • CVE-2026-33001 Mar 18, 2026
    affected: < 2.541.3-r9, fixed: 2.541.3-r9

    Jenkins 2.554 and earlier, LTS 2.541.2 and earlier does not safely handle symbolic links during the extraction of .tar and .tar.gz archives, allowing crafted archives to write files to arbitrary locations on the filesystem, restricted only by file system access permissions of the

  • CVE-2026-1605 Mar 5, 2026
    affected: < 2.541.2-r2, fixed: 2.541.2-r2

    In Eclipse Jetty, versions 12.0.0-12.0.31 and 12.1.0-12.0.5, class GzipHandler exposes a vulnerability when a compressed HTTP request, with Content-Encoding: gzip, is processed and the corresponding response is not compressed. This happens because the JDK Inflater is allocated

  • CVE-2026-27100 Feb 18, 2026
    affected: < 2.541.2-r0, fixed: 2.541.2-r0

    Jenkins 2.550 and earlier, LTS 2.541.1 and earlier accepts Run Parameter values that refer to builds the user submitting the build does not have access to, allowing attackers with Item/Build and Item/Configure permission to obtain information about the existence of jobs, the exis

  • CVE-2026-27099 Feb 18, 2026
    affected: < 2.541.2-r0, fixed: 2.541.2-r0

    Jenkins 2.483 through 2.550 (both inclusive), LTS 2.492.1 through 2.541.1 (both inclusive) does not escape the user-provided description of the "Mark temporarily offline" offline cause, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with A