VYPR

Bitnami package

jenkins

pkg:bitnami/jenkins

Vulnerabilities (110)

  • CVE-2026-53442MedJun 10, 2026
    affected < 2.555.3fixed 2.555.3

    Jenkins 2.567 and earlier, LTS 2.555.2 and earlier does not encrypt secrets from POST config.xml submissions before storing them in job configurations unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permissio

  • CVE-2026-53441MedJun 10, 2026
    affected >= 2.483.0, < 2.555.3fixed 2.555.3

    Jenkins 2.483 through 2.567 (both inclusive), LTS 2.492.1 through 2.555.2 (both inclusive) does not escape the user-provided description of a generic offline cause that could be set through the `POST config.xml` API, resulting in a stored cross-site scripting (XSS) vulnerability

  • CVE-2026-53440MedJun 10, 2026
    affected < 2.555.3fixed 2.555.3

    Jenkins 2.567 and earlier, LTS 2.555.2 and earlier does not ensure that the "from" parameter in the "Delegate to servlet container" security realm is safe to redirect to after login, allowing attackers to perform phishing attacks by redirecting users to an attacker-controlled dom

  • CVE-2026-53439MedJun 10, 2026
    affected < 2.555.3fixed 2.555.3

    Missing permission checks in Jenkins 2.567 and earlier, LTS 2.555.2 and earlier allow attackers with Overall/Read permission to determine other users' configured timezone and to enumerate view names of other users' "My Views".

  • CVE-2026-53438MedJun 10, 2026
    affected < 2.555.3fixed 2.555.3

    A missing permission check in Jenkins 2.567 and earlier, LTS 2.555.2 and earlier allows attackers with Item/Cancel permission, but lacking Item/Read permission, to cancel queue items they do not have permission to view.

  • CVE-2026-53437MedJun 10, 2026
    affected < 2.555.3fixed 2.555.3

    Jenkins 2.567 and earlier, LTS 2.555.2 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins when it contains tab or newline characters between `//`, allowing attackers to perform phishing attacks.

  • CVE-2026-53436MedJun 10, 2026
    affected < 2.555.3fixed 2.555.3

    Jenkins 2.567 and earlier, LTS 2.555.2 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins when it contains relative path segments (`./` or `../`), allowing attackers to perform phishing attacks.

  • CVE-2026-53435HigJun 10, 2026
    affected < 2.555.3fixed 2.555.3

    In Jenkins 2.567 and earlier, LTS 2.555.2 and earlier, it is possible for attackers to have Jenkins deserialize arbitrary types defined in Jenkins core or plugins from an attacker-controlled `config.xml` submission in a way that allows them to handle HTTP requests afterwards. Thi

  • CVE-2026-33002Mar 18, 2026
    affected >= 2.426.3, < 2.541.3fixed 2.541.3

    Jenkins 2.442 through 2.554 (both inclusive), LTS 2.426.3 through LTS 2.541.2 (both inclusive) performs origin validation of requests made through the CLI WebSocket endpoint by computing the expected origin for comparison using the Host or X-Forwarded-Host HTTP request headers, m

  • CVE-2026-33001Mar 18, 2026
    affected < 2.541.3fixed 2.541.3

    Jenkins 2.554 and earlier, LTS 2.541.2 and earlier does not safely handle symbolic links during the extraction of .tar and .tar.gz archives, allowing crafted archives to write files to arbitrary locations on the filesystem, restricted only by file system access permissions of the

  • CVE-2026-27100Feb 18, 2026
    affected >= 2.483.0, < 2.541.2fixed 2.541.2

    Jenkins 2.550 and earlier, LTS 2.541.1 and earlier accepts Run Parameter values that refer to builds the user submitting the build does not have access to, allowing attackers with Item/Build and Item/Configure permission to obtain information about the existence of jobs, the exis

  • CVE-2026-27099Feb 18, 2026
    affected >= 2.483.0, < 2.541.2fixed 2.541.2

    Jenkins 2.483 through 2.550 (both inclusive), LTS 2.492.1 through 2.541.1 (both inclusive) does not escape the user-provided description of the "Mark temporarily offline" offline cause, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with A

  • CVE-2025-67639Dec 10, 2025
    affected < 2.528.3fixed 2.528.3

    A cross-site request forgery (CSRF) vulnerability in Jenkins 2.540 and earlier, LTS 2.528.2 and earlier allows attackers to trick users into logging in to the attacker's account.

  • CVE-2025-67638Dec 10, 2025
    affected < 2.528.3fixed 2.528.3

    Jenkins 2.540 and earlier, LTS 2.528.2 and earlier does not mask build authorization tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture them.

  • CVE-2025-67637Dec 10, 2025
    affected < 2.528.3fixed 2.528.3

    Jenkins 2.540 and earlier, LTS 2.528.2 and earlier stores build authorization tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

  • CVE-2025-67636Dec 10, 2025
    affected < 2.528.3fixed 2.528.3

    A missing permission check in Jenkins 2.540 and earlier, LTS 2.528.2 and earlier allows attackers with View/Read permission to view encrypted password values in views.

  • CVE-2025-67635Dec 10, 2025
    affected < 2.528.3fixed 2.528.3

    Jenkins 2.540 and earlier, LTS 2.528.2 and earlier does not properly close HTTP-based CLI connections when the connection stream becomes corrupted, allowing unauthenticated attackers to cause a denial of service.

  • CVE-2025-59476MedSep 17, 2025
    affected < 2.516.3fixed 2.516.3

    Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not restrict or transform the characters that can be inserted from user-specified content in log messages, allowing attackers able to control log message contents to insert line break characters, followed by forged log messa

  • CVE-2025-59475MedSep 17, 2025
    affected < 2.516.3fixed 2.516.3

    Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not perform a permission check for the authenticated user profile dropdown menu, allowing attackers without Overall/Read permission to obtain limited information about the Jenkins configuration by listing available options i

  • CVE-2025-59474MedSep 17, 2025
    affected < 2.516.3fixed 2.516.3

    Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not perform a permission check in the sidepanel of a page intentionally accessible to users lacking Overall/Read permission, allowing attackers without Overall/Read permission to list agent names through its sidepanel execut

Page 1 of 6