VYPR

apk package

chainguard/jenkins-2.555

pkg:apk/chainguard/jenkins-2.555

Vulnerabilities (14)

  • CVE-2026-53442 | Medium | Jun 10, 2026
    affected: < 2.555.3-r0 | fixed: 2.555.3-r0

    Jenkins 2.567 and earlier, LTS 2.555.2 and earlier does not encrypt secrets from POST config.xml submissions before storing them in job configurations unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permissio

  • CVE-2026-53440 | Medium | Jun 10, 2026
    affected: < 2.555.3-r0 | fixed: 2.555.3-r0

    Jenkins 2.567 and earlier, LTS 2.555.2 and earlier does not ensure that the "from" parameter in the "Delegate to servlet container" security realm is safe to redirect to after login, allowing attackers to perform phishing attacks by redirecting users to an attacker-controlled dom

  • CVE-2026-53439 | Medium | Jun 10, 2026
    affected: < 2.555.3-r0 | fixed: 2.555.3-r0

    Missing permission checks in Jenkins 2.567 and earlier, LTS 2.555.2 and earlier allow attackers with Overall/Read permission to determine other users' configured timezone and to enumerate view names of other users' "My Views".

  • CVE-2026-53438 | Medium | Jun 10, 2026
    affected: < 2.555.3-r0 | fixed: 2.555.3-r0

    A missing permission check in Jenkins 2.567 and earlier, LTS 2.555.2 and earlier allows attackers with Item/Cancel permission, but lacking Item/Read permission, to cancel queue items they do not have permission to view.

  • CVE-2026-53437 | Medium | Jun 10, 2026
    affected: < 2.555.3-r0 | fixed: 2.555.3-r0

    Jenkins 2.567 and earlier, LTS 2.555.2 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins when it contains tab or newline characters between `//`, allowing attackers to perform phishing attacks.

  • CVE-2026-53436 | Medium | Jun 10, 2026
    affected: < 2.555.3-r0 | fixed: 2.555.3-r0

    Jenkins 2.567 and earlier, LTS 2.555.2 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins when it contains relative path segments (`./` or `../`), allowing attackers to perform phishing attacks.

  • CVE-2026-53435 | High | Jun 10, 2026
    affected: < 2.555.3-r0 | fixed: 2.555.3-r0

    In Jenkins 2.567 and earlier, LTS 2.555.2 and earlier, it is possible for attackers to have Jenkins deserialize arbitrary types defined in Jenkins core or plugins from an attacker-controlled `config.xml` submission in a way that allows them to handle HTTP requests afterwards. Thi

  • CVE-2026-42521 | Medium | Apr 29, 2026
    affected: < 2.555.2-r0 | fixed: 2.555.2-r0

    Jenkins Matrix Authorization Strategy Plugin 2.0-beta-1 through 3.2.9 (both inclusive) invokes parameterless constructors of classes specified in configuration when deserializing inheritance strategies, without restricting the classes that can be instantiated, allowing attackers

  • CVE-2026-42519 | Medium | Apr 29, 2026
    affected: < 2.555.2-r0 | fixed: 2.555.2-r0

    A missing permission check in Jenkins Script Security Plugin 1399.ve6a_66547f6e1 and earlier allows attackers with Overall/Read permission to enumerate pending and approved Script Security classpaths.

  • CVE-2026-41409 | Critical | Apr 27, 2026
    affected: < 2.555.2-r1 | fixed: 2.555.2-r1

    The fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject() was incomplete. The classname allowlist of classes allowed to be deserialized was applied too late after a static initializer in a class to be read might already have been executed. Affected versions are A

  • CVE-2026-5598 | High | Apr 15, 2026
    affected: < 2.555.2-r3 | fixed: 2.555.2-r3

    Covert timing channel vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA core on all (core modules). This vulnerability is associated with program files FrodoEngine.Java. This issue affects BC-JAVA: from 1.71 before 1.80.2, from 1.81 before 1.81.1, from 1.82 before 1.

  • CVE-2026-5588 | Medium | Apr 15, 2026
    affected: < 2.555.2-r3 | fixed: 2.555.2-r3

    Use of a Broken or Risky Cryptographic Algorithm vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpkix on all (pkix modules), Legion of the Bouncy Castle Inc. BCPKIX-FIPS bcpkix on All (pkix modules), Legion of the Bouncy Castle Inc. BCPIX-LTS bcpkix on All (pkix modul

  • CVE-2026-0636 | Medium | Apr 15, 2026
    affected: < 2.555.2-r3 | fixed: 2.555.2-r3

    Improper neutralization of special elements used in an LDAP query ('LDAP injection') vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcprov on all (prov modules). This vulnerability is associated with program files LDAPStoreHelper. This issue affects BC-JAVA: from

  • CVE-2026-2332 | High | Apr 14, 2026
    affected: < 2.555.2-r3 | fixed: 2.555.2-r3

    In Eclipse Jetty, the HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used, similar to the "funky chunks" techniques outlined here: * https://w4ke.info/2025/06/18/funky-chunks.html * https://w4ke.info/2025/10/29/funky-chunks-2.html Jetty term