Maven package
org.jenkins-ci.main/jenkins-core
pkg:maven/org.jenkins-ci.main/jenkins-core
Vulnerabilities (249)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-33002 | — | >= 2.442, < 2.555 | 2.555 | Mar 18, 2026 | Jenkins 2.442 through 2.554 (both inclusive), LTS 2.426.3 through LTS 2.541.2 (both inclusive) performs origin validation of requests made through the CLI WebSocket endpoint by computing the expected origin for comparison using the Host or X-Forwarded-Host HTTP request headers, m | ||
| CVE-2026-33001 | — | < 2.555 | 2.555 | Mar 18, 2026 | Jenkins 2.554 and earlier, LTS 2.541.2 and earlier does not safely handle symbolic links during the extraction of .tar and .tar.gz archives, allowing crafted archives to write files to arbitrary locations on the filesystem, restricted only by file system access permissions of the | ||
| CVE-2026-27100 | — | >= 2.542, < 2.551 | 2.551 | Feb 18, 2026 | Jenkins 2.550 and earlier, LTS 2.541.1 and earlier accepts Run Parameter values that refer to builds the user submitting the build does not have access to, allowing attackers with Item/Build and Item/Configure permission to obtain information about the existence of jobs, the exis | ||
| CVE-2026-27099 | — | >= 2.542, < 2.551 | 2.551 | Feb 18, 2026 | Jenkins 2.483 through 2.550 (both inclusive), LTS 2.492.1 through 2.541.1 (both inclusive) does not escape the user-provided description of the "Mark temporarily offline" offline cause, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with A | ||
| CVE-2025-67639 | — | >= 2.529, < 2.541 | 2.541 | Dec 10, 2025 | A cross-site request forgery (CSRF) vulnerability in Jenkins 2.540 and earlier, LTS 2.528.2 and earlier allows attackers to trick users into logging in to the attacker's account. | ||
| CVE-2025-67638 | — | >= 2.529, < 2.541 | 2.541 | Dec 10, 2025 | Jenkins 2.540 and earlier, LTS 2.528.2 and earlier does not mask build authorization tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture them. | ||
| CVE-2025-67637 | — | >= 2.529, < 2.541 | 2.541 | Dec 10, 2025 | Jenkins 2.540 and earlier, LTS 2.528.2 and earlier stores build authorization tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. | ||
| CVE-2025-67636 | — | >= 2.529, < 2.541 | 2.541 | Dec 10, 2025 | A missing permission check in Jenkins 2.540 and earlier, LTS 2.528.2 and earlier allows attackers with View/Read permission to view encrypted password values in views. | ||
| CVE-2025-67635 | — | >= 2.529, < 2.541 | 2.541 | Dec 10, 2025 | Jenkins 2.540 and earlier, LTS 2.528.2 and earlier does not properly close HTTP-based CLI connections when the connection stream becomes corrupted, allowing unauthenticated attackers to cause a denial of service. | ||
| CVE-2025-59476 | — | < 2.516.3 | 2.516.3 | Sep 17, 2025 | Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not restrict or transform the characters that can be inserted from user-specified content in log messages, allowing attackers able to control log message contents to insert line break characters, followed by forged log messa | ||
| CVE-2025-59475 | — | < 2.516.3 | 2.516.3 | Sep 17, 2025 | Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not perform a permission check for the authenticated user profile dropdown menu, allowing attackers without Overall/Read permission to obtain limited information about the Jenkins configuration by listing available options i | ||
| CVE-2025-59474 | — | < 2.516.3 | 2.516.3 | Sep 17, 2025 | Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not perform a permission check in the sidepanel of a page intentionally accessible to users lacking Overall/Read permission, allowing attackers without Overall/Read permission to list agent names through its sidepanel execut | ||
| CVE-2025-31721 | — | >= 2.500, < 2.504 | 2.504 | Apr 2, 2025 | A missing permission check in Jenkins 2.503 and earlier, LTS 2.492.2 and earlier allows attackers with Computer/Create permission but without Computer/Configure permission to copy an agent, gaining access to encrypted secrets in its configuration. | ||
| CVE-2025-31720 | — | >= 2.500, < 2.504 | 2.504 | Apr 2, 2025 | A missing permission check in Jenkins 2.503 and earlier, LTS 2.492.2 and earlier allows attackers with Computer/Create permission but without Computer/Extended Read permission to copy an agent, gaining access to its configuration. | ||
| CVE-2025-27625 | — | < 2.492.2 | 2.492.2 | Mar 5, 2025 | In Jenkins 2.499 and earlier, LTS 2.492.1 and earlier, redirects starting with backslash (`\`) characters are considered safe, allowing attackers to perform phishing attacks by having users go to a Jenkins URL that will forward them to a different site, because browsers interpret | ||
| CVE-2025-27624 | — | >= 2.493, < 2.500 | 2.500 | Mar 5, 2025 | A cross-site request forgery (CSRF) vulnerability in Jenkins 2.499 and earlier, LTS 2.492.1 and earlier allows attackers to have users toggle their collapsed/expanded status of sidepanel widgets (e.g., Build Queue and Build Executor Status widgets). | ||
| CVE-2025-27623 | — | < 2.492.2 | 2.492.2 | Mar 5, 2025 | Jenkins 2.499 and earlier, LTS 2.492.1 and earlier does not redact encrypted values of secrets when accessing `config.xml` of views via REST API or CLI, allowing attackers with View/Read permission to view encrypted values of secrets. | ||
| CVE-2025-27622 | — | >= 2.493, < 2.500 | 2.500 | Mar 5, 2025 | Jenkins 2.499 and earlier, LTS 2.492.1 and earlier does not redact encrypted values of secrets when accessing `config.xml` of agents via REST API or CLI, allowing attackers with Agent/Extended Read permission to view encrypted values of secrets. | ||
| CVE-2024-47804 | — | < 2.462.3 | 2.462.3 | Oct 2, 2024 | If an attempt is made to create an item of a type prohibited by `ACL#hasCreatePermission2` or `TopLevelItemDescriptor#isApplicableIn(ItemGroup)` through the Jenkins CLI or the REST API and either of these checks fail, Jenkins 2.478 and earlier, LTS 2.462.2 and earlier creates the | ||
| CVE-2024-47803 | — | < 2.462.3 | 2.462.3 | Oct 2, 2024 | Jenkins 2.478 and earlier, LTS 2.462.2 and earlier does not redact multi-line secret values in error messages generated for form submissions involving the `secretTextarea` form field. |
- CVE-2026-33002Mar 18, 2026affected >= 2.442, < 2.555fixed 2.555
Jenkins 2.442 through 2.554 (both inclusive), LTS 2.426.3 through LTS 2.541.2 (both inclusive) performs origin validation of requests made through the CLI WebSocket endpoint by computing the expected origin for comparison using the Host or X-Forwarded-Host HTTP request headers, m
- CVE-2026-33001Mar 18, 2026affected < 2.555fixed 2.555
Jenkins 2.554 and earlier, LTS 2.541.2 and earlier does not safely handle symbolic links during the extraction of .tar and .tar.gz archives, allowing crafted archives to write files to arbitrary locations on the filesystem, restricted only by file system access permissions of the
- CVE-2026-27100Feb 18, 2026affected >= 2.542, < 2.551fixed 2.551
Jenkins 2.550 and earlier, LTS 2.541.1 and earlier accepts Run Parameter values that refer to builds the user submitting the build does not have access to, allowing attackers with Item/Build and Item/Configure permission to obtain information about the existence of jobs, the exis
- CVE-2026-27099Feb 18, 2026affected >= 2.542, < 2.551fixed 2.551
Jenkins 2.483 through 2.550 (both inclusive), LTS 2.492.1 through 2.541.1 (both inclusive) does not escape the user-provided description of the "Mark temporarily offline" offline cause, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with A
- CVE-2025-67639Dec 10, 2025affected >= 2.529, < 2.541fixed 2.541
A cross-site request forgery (CSRF) vulnerability in Jenkins 2.540 and earlier, LTS 2.528.2 and earlier allows attackers to trick users into logging in to the attacker's account.
- CVE-2025-67638Dec 10, 2025affected >= 2.529, < 2.541fixed 2.541
Jenkins 2.540 and earlier, LTS 2.528.2 and earlier does not mask build authorization tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture them.
- CVE-2025-67637Dec 10, 2025affected >= 2.529, < 2.541fixed 2.541
Jenkins 2.540 and earlier, LTS 2.528.2 and earlier stores build authorization tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
- CVE-2025-67636Dec 10, 2025affected >= 2.529, < 2.541fixed 2.541
A missing permission check in Jenkins 2.540 and earlier, LTS 2.528.2 and earlier allows attackers with View/Read permission to view encrypted password values in views.
- CVE-2025-67635Dec 10, 2025affected >= 2.529, < 2.541fixed 2.541
Jenkins 2.540 and earlier, LTS 2.528.2 and earlier does not properly close HTTP-based CLI connections when the connection stream becomes corrupted, allowing unauthenticated attackers to cause a denial of service.
- CVE-2025-59476Sep 17, 2025affected < 2.516.3fixed 2.516.3
Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not restrict or transform the characters that can be inserted from user-specified content in log messages, allowing attackers able to control log message contents to insert line break characters, followed by forged log messa
- CVE-2025-59475Sep 17, 2025affected < 2.516.3fixed 2.516.3
Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not perform a permission check for the authenticated user profile dropdown menu, allowing attackers without Overall/Read permission to obtain limited information about the Jenkins configuration by listing available options i
- CVE-2025-59474Sep 17, 2025affected < 2.516.3fixed 2.516.3
Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not perform a permission check in the sidepanel of a page intentionally accessible to users lacking Overall/Read permission, allowing attackers without Overall/Read permission to list agent names through its sidepanel execut
- CVE-2025-31721Apr 2, 2025affected >= 2.500, < 2.504fixed 2.504
A missing permission check in Jenkins 2.503 and earlier, LTS 2.492.2 and earlier allows attackers with Computer/Create permission but without Computer/Configure permission to copy an agent, gaining access to encrypted secrets in its configuration.
- CVE-2025-31720Apr 2, 2025affected >= 2.500, < 2.504fixed 2.504
A missing permission check in Jenkins 2.503 and earlier, LTS 2.492.2 and earlier allows attackers with Computer/Create permission but without Computer/Extended Read permission to copy an agent, gaining access to its configuration.
- CVE-2025-27625Mar 5, 2025affected < 2.492.2fixed 2.492.2
In Jenkins 2.499 and earlier, LTS 2.492.1 and earlier, redirects starting with backslash (`\`) characters are considered safe, allowing attackers to perform phishing attacks by having users go to a Jenkins URL that will forward them to a different site, because browsers interpret
- CVE-2025-27624Mar 5, 2025affected >= 2.493, < 2.500fixed 2.500
A cross-site request forgery (CSRF) vulnerability in Jenkins 2.499 and earlier, LTS 2.492.1 and earlier allows attackers to have users toggle their collapsed/expanded status of sidepanel widgets (e.g., Build Queue and Build Executor Status widgets).
- CVE-2025-27623Mar 5, 2025affected < 2.492.2fixed 2.492.2
Jenkins 2.499 and earlier, LTS 2.492.1 and earlier does not redact encrypted values of secrets when accessing `config.xml` of views via REST API or CLI, allowing attackers with View/Read permission to view encrypted values of secrets.
- CVE-2025-27622Mar 5, 2025affected >= 2.493, < 2.500fixed 2.500
Jenkins 2.499 and earlier, LTS 2.492.1 and earlier does not redact encrypted values of secrets when accessing `config.xml` of agents via REST API or CLI, allowing attackers with Agent/Extended Read permission to view encrypted values of secrets.
- CVE-2024-47804Oct 2, 2024affected < 2.462.3fixed 2.462.3
If an attempt is made to create an item of a type prohibited by `ACL#hasCreatePermission2` or `TopLevelItemDescriptor#isApplicableIn(ItemGroup)` through the Jenkins CLI or the REST API and either of these checks fail, Jenkins 2.478 and earlier, LTS 2.462.2 and earlier creates the
- CVE-2024-47803Oct 2, 2024affected < 2.462.3fixed 2.462.3
Jenkins 2.478 and earlier, LTS 2.462.2 and earlier does not redact multi-line secret values in error messages generated for form submissions involving the `secretTextarea` form field.
Page 1 of 13