VYPR

apk package

chainguard/jenkins-2.541-openjdk-17

pkg:apk/chainguard/jenkins-2.541-openjdk-17

Vulnerabilities (12)

  • CVE-2026-42779CriMay 1, 2026
    affected < 2.541.3-r7fixed 2.541.3-r7

    The fix for CVE-2026-41635 was not applied to the 2.1.X and 2.2.X branches. Here was the original issue description: Apache MINA's AbstractIoBuffer.resolveClass() contains two branches, one of them (for static classes or primitive types) does not check the class at all

  • CVE-2026-42778CriMay 1, 2026
    affected < 2.541.3-r7fixed 2.541.3-r7

    The fix for CVE-2026-41409 was not applied to the 2.1.X and 2.2.X branches. Here was the original issue description: The fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject() was incomplete. The classname allowlist of classes allowed to be deserialized was applie

  • CVE-2026-42521MedApr 29, 2026
    affected < 2.541.3-r8fixed 2.541.3-r8

    Jenkins Matrix Authorization Strategy Plugin 2.0-beta-1 through 3.2.9 (both inclusive) invokes parameterless constructors of classes specified in configuration when deserializing inheritance strategies, without restricting the classes that can be instantiated, allowing attackers

  • CVE-2026-42519MedApr 29, 2026
    affected < 2.541.3-r8fixed 2.541.3-r8

    A missing permission check in Jenkins Script Security Plugin 1399.ve6a_66547f6e1 and earlier allows attackers with Overall/Read permission to enumerate pending and approved Script Security classpaths.

  • CVE-2026-41409CriApr 27, 2026
    affected < 2.541.3-r7fixed 2.541.3-r7

    The fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject() was incomplete. The classname allowlist of classes allowed to be deserialized was applied too late after a static initializer in a class to be read might already have been executed. Affected versions are A

  • CVE-2026-41635CriApr 27, 2026
    affected < 2.541.3-r7fixed 2.541.3-r7

    Apache MINA's AbstractIoBuffer.resolveClass() contains two branches, one of them (for static classes or primitive types) does not check the class at all, bypassing the classname allowlist and allowing arbitrary code to be executed. The fix checks if the class is present in th

  • CVE-2026-22746LowApr 22, 2026
    affected < 2.541.3-r3fixed 2.541.3-r3

    Vulnerability in Spring Spring Security. If an application is using the UserDetails#isEnabled, #isAccountNonExpired, or #isAccountNonLocked user attributes, to enable, expire, or lock users, then DaoAuthenticationProvider's timing attack defense can be bypassed for users who are

  • CVE-2026-22751MedApr 21, 2026
    affected < 2.541.3-r3fixed 2.541.3-r3

    Vulnerability in Spring Spring Security. Applications that explicitly configure One-Time Token login with JdbcOneTimeTokenService are vulnerable to a Time-of-check Time-of-use (TOCTOU) race condition. This issue affects Spring Security: from 6.4.0 through 6.4.15, from 6.5.0 throu

  • CVE-2026-22732CriMar 19, 2026
    affected < 2.541.3-r2fixed 2.541.3-r2

    When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written.  This issue affects Spring Security Servlet applications using lazy (default) writing of HTTP Headers: : from 5.7.0

  • CVE-2026-1605Mar 5, 2026
    affected < 2.541.2-r2fixed 2.541.2-r2

    In Eclipse Jetty, versions 12.0.0-12.0.31 and 12.1.0-12.0.5, class GzipHandler exposes a vulnerability when a compressed HTTP request, with Content-Encoding: gzip, is processed and the corresponding response is not compressed. This happens because the JDK Inflater is allocated

  • CVE-2026-27100Feb 18, 2026
    affected < 2.541.2-r0fixed 2.541.2-r0

    Jenkins 2.550 and earlier, LTS 2.541.1 and earlier accepts Run Parameter values that refer to builds the user submitting the build does not have access to, allowing attackers with Item/Build and Item/Configure permission to obtain information about the existence of jobs, the exis

  • CVE-2026-27099Feb 18, 2026
    affected < 2.541.2-r0fixed 2.541.2-r0

    Jenkins 2.483 through 2.550 (both inclusive), LTS 2.492.1 through 2.541.1 (both inclusive) does not escape the user-provided description of the "Mark temporarily offline" offline cause, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with A