RHSA-2026:10214

Vulnerability from csaf_redhat - Published: 2026-04-23 17:30 - Updated: 2026-04-29 04:36
Summary
Red Hat Security Advisory: Release of Red Hat OpenShift Developer Tools - Openshift Jenkins 4.16 security update.
Severity
Important
Notes
Topic: An update for Openshift Jenkins is now available for Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.16.
Details: Release of Red Hat OpenShift Developer Tools - Openshift Jenkins 4.16 security update.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

A flaw was found in jose4j. A remote attacker can exploit this by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression. This can lead to a Denial of Service, making the service unavailable to legitimate users.

CWE-409 - Improper Handling of Highly Compressed Data (Data Amplification)
Vendor Fix: It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.16 upgrade to the latest release. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive. https://access.redhat.com/errata/RHSA-2026:10214
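The CWE-409 issue above is the classic decompression-bomb failure: the server inflates a JWE "zip":"DEF" payload with no bound on the output. The following added example (not jose4j's code; the size and ratio limits, the sample claims set and the 16 MiB zero-filled plaintext are constructed here) shows a bounded raw-DEFLATE inflater that aborts before the output exceeds a configured budget, beside the unbounded call it replaces.

```python
"""
Bounded inflate for a JWE "zip":"DEF" plaintext, as a defender-side
illustration of CWE-409. Added example code, not jose4j's implementation.
The limits below are assumed policy values, not library settings.
"""
import zlib

# Largest decompressed plaintext a server is willing to hold for one token.
MAX_PLAINTEXT_BYTES = 1 * 1024 * 1024   # 1 MiB (assumed policy value)
# Largest output/input ratio tolerated: JSON claims rarely exceed ~20:1,
# while a zero-filled bomb approaches DEFLATE's ~1000:1 ceiling.
MAX_EXPANSION_RATIO = 100               # assumed policy value


class DecompressionLimitExceeded(Exception):
    """Raised when the inflated data would exceed the configured bounds."""


def deflate_raw(data: bytes) -> bytes:
    """Raw DEFLATE (RFC 1951) as JWE zip=DEF uses it; wbits=-15 means no zlib header."""
    comp = zlib.compressobj(level=9, wbits=-15)
    return comp.compress(data) + comp.flush()


def inflate_raw_unbounded(compressed: bytes) -> bytes:
    """The vulnerable pattern: allocate and fill the whole output, check nothing."""
    return zlib.decompress(compressed, -15)


def inflate_raw_bounded(compressed: bytes,
                        max_bytes: int = MAX_PLAINTEXT_BYTES,
                        max_ratio: int = MAX_EXPANSION_RATIO) -> bytes:
    """Inflate in 64 KiB steps and stop as soon as the output passes the budget.

    The budget is the smaller of the absolute cap and ratio * input size, so a
    tiny token cannot legitimately expand into megabytes even below the cap.
    """
    budget = min(max_bytes, max_ratio * max(len(compressed), 1))
    d = zlib.decompressobj(wbits=-15)
    out = bytearray()
    pending = compressed
    while True:
        # The second argument caps the output of this call; input that could
        # not be processed yet is returned in d.unconsumed_tail.
        chunk = d.decompress(pending, 64 * 1024)
        out += chunk
        if len(out) > budget:
            raise DecompressionLimitExceeded(
                f"inflated size exceeded {budget} bytes "
                f"(compressed input was {len(compressed)} bytes)")
        pending = d.unconsumed_tail
        if d.eof:
            return bytes(out)
        if not chunk and not pending:
            # No input left and no progress made: the stream is truncated.
            raise ValueError("truncated DEFLATE stream")


def check_token_payload(compressed: bytes) -> str:
    """Classify a compressed payload as 'ok' or 'rejected' under the bounds."""
    try:
        inflate_raw_bounded(compressed)
        return "ok"
    except DecompressionLimitExceeded:
        return "rejected"


# Constructed samples: a normal claims set, and a highly compressible blob
# standing in for the plaintext of a malicious token.
NORMAL_CLAIMS = b'{"sub":"alice","aud":"orders","exp":1900000000}'
BOMB_PLAINTEXT = b"\x00" * (16 * 1024 * 1024)   # 16 MiB of zeros

if __name__ == "__main__":
    small = deflate_raw(NORMAL_CLAIMS)
    bomb = deflate_raw(BOMB_PLAINTEXT)
    print(f"normal: {len(small)} -> {len(NORMAL_CLAIMS)} bytes: {check_token_payload(small)}")
    print(f"bomb:   {len(bomb)} -> {len(BOMB_PLAINTEXT)} bytes: {check_token_payload(bomb)}")
```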

A flaw was found in Jenkins. This vulnerability, identified as a stored cross-site scripting (XSS) issue, occurs because Jenkins does not properly escape the user-provided description for the "Mark temporarily offline" cause. An attacker with Agent/Configure or Agent/Disconnect permissions can exploit this to inject malicious scripts, leading to potential information disclosure or unauthorized actions within the user's browser.

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Vendor Fix: It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.16 upgrade to the latest release. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive. https://access.redhat.com/errata/RHSA-2026:10214

A flaw was found in Jenkins. An attacker with Item/Build and Item/Configure permissions can exploit this vulnerability by submitting Run Parameter values that refer to builds they do not have authorization to access. This allows the attacker to obtain sensitive information, including the existence of jobs, the existence of builds, and the display names of specific builds. This is an information disclosure vulnerability.

CWE-551 - Incorrect Behavior Order: Authorization Before Parsing and Canonicalization
Vendor Fix: It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.16 upgrade to the latest release. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive. https://access.redhat.com/errata/RHSA-2026:10214

A flaw was found in Jenkins. This vulnerability allows attackers with Item/Configure permission, or those who can control agent processes, to exploit unsafe handling of symbolic links during the extraction of .tar and .tar.gz archives. By crafting malicious archives, an attacker can write files to arbitrary locations on the filesystem. This could enable the deployment of malicious scripts or plugins on the Jenkins controller, potentially leading to unauthorized code execution.

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Vendor Fix: It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.16 upgrade to the latest release. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive. https://access.redhat.com/errata/RHSA-2026:10214
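The CWE-22 issue above comes from extracting tar members without checking where symlinks resolve. The following added example (not Jenkins' code; the archive is constructed in memory and the member names are made up) audits a .tar or .tar.gz before anything is written, rejecting members whose path or link target leaves the destination and files that would be written through a symlink declared earlier in the same archive.

```python
"""
Audit a .tar / .tar.gz archive for members that would escape the extraction
directory (CWE-22 via symlinks). Added example code, not Jenkins' own
implementation; the sample archive below is constructed for the demonstration.
"""
import io
import posixpath
import tarfile
from typing import List, Optional, Set, Tuple


def _normalized(path: str) -> Optional[str]:
    """Return a normalized path relative to the root, or None if it escapes."""
    norm = posixpath.normpath(path)
    if posixpath.isabs(norm) or norm == ".." or norm.startswith("../"):
        return None
    return norm


def audit_archive(data: bytes) -> List[Tuple[str, str]]:
    """Return (member name, reason) for every member that must be rejected.

    Cases covered:
      1. a member whose own path leaves the destination ("../x", "/abs/x");
      2. a symlink or hardlink whose target leaves the destination;
      3. a member written *through* a symlink that appeared earlier in the
         archive, which is how a single archive redirects later writes.
    """
    rejected: List[Tuple[str, str]] = []
    symlink_dirs: Set[str] = set()   # normalized paths of symlinks seen so far
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for member in tf:
            name = _normalized(member.name)
            if name is None:
                rejected.append((member.name, "path escapes destination"))
                continue
            # Case 3: if any ancestor is a symlink, the write lands wherever
            # that link points, not under the root.
            parts = name.split("/")
            if any("/".join(parts[:i]) in symlink_dirs for i in range(1, len(parts))):
                rejected.append((member.name, "written through an earlier symlink"))
                continue
            if member.issym() or member.islnk():
                if member.islnk():
                    raw_target = member.linkname            # archive-relative
                else:
                    raw_target = posixpath.join(posixpath.dirname(name), member.linkname)
                    symlink_dirs.add(name)   # track even if rejected below
                if _normalized(raw_target) is None:
                    rejected.append((member.name, "link target escapes destination"))
    return rejected


def _add_member(tf: tarfile.TarFile, name: str, data: bytes = b"",
                linkname: Optional[str] = None) -> None:
    """Helper for building the constructed test archive."""
    info = tarfile.TarInfo(name)
    if linkname is not None:
        info.type = tarfile.SYMTYPE
        info.linkname = linkname
        tf.addfile(info)
    else:
        info.size = len(data)
        tf.addfile(info, io.BytesIO(data))


def build_sample_archive() -> bytes:
    """Constructed archive: a benign file, an escaping symlink, a file through it,
    and a harmless in-tree symlink."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        _add_member(tf, "build/report.txt", data=b"ok\n")
        _add_member(tf, "build/escape", linkname="../../outside")      # leaves the root
        _add_member(tf, "build/escape/file.txt", data=b"redirected")   # written through it
        _add_member(tf, "build/latest", linkname="report.txt")         # stays in the tree
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in audit_archive(build_sample_archive()):
        print(f"REJECT {name}: {reason}")
```

On Python 3.12 and later, `extractall(path, filter="data")` applies comparable checks during extraction; the audit above lets you refuse the whole archive before any file is written.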
References
https://access.redhat.com/errata/RHSA-2026:10214 self
https://access.redhat.com/security/cve/CVE-2024-29371 external
https://access.redhat.com/security/cve/CVE-2026-27099 external
https://access.redhat.com/security/cve/CVE-2026-27100 external
https://access.redhat.com/security/cve/CVE-2026-33001 external
https://access.redhat.com/security/updates/classi… external
https://access.redhat.com/security/updates/classi… external
https://docs.redhat.com/en/documentation/openshif… external
https://security.access.redhat.com/data/csaf/v2/a… self
https://access.redhat.com/security/cve/CVE-2024-29371 self
https://bugzilla.redhat.com/show_bug.cgi?id=2423194 external
https://www.cve.org/CVERecord?id=CVE-2024-29371 external
https://nvd.nist.gov/vuln/detail/CVE-2024-29371 external
https://bitbucket.org/b_c/jose4j/issues/220/vuln-… external
https://access.redhat.com/security/cve/CVE-2026-27099 self
https://bugzilla.redhat.com/show_bug.cgi?id=2440638 external
https://www.cve.org/CVERecord?id=CVE-2026-27099 external
https://nvd.nist.gov/vuln/detail/CVE-2026-27099 external
https://www.jenkins.io/security/advisory/2026-02-… external
https://access.redhat.com/security/cve/CVE-2026-27100 self
https://bugzilla.redhat.com/show_bug.cgi?id=2440637 external
https://www.cve.org/CVERecord?id=CVE-2026-27100 external
https://nvd.nist.gov/vuln/detail/CVE-2026-27100 external
https://www.jenkins.io/security/advisory/2026-02-… external
https://access.redhat.com/security/cve/CVE-2026-33001 self
https://bugzilla.redhat.com/show_bug.cgi?id=2448645 external
https://www.cve.org/CVERecord?id=CVE-2026-33001 external
https://nvd.nist.gov/vuln/detail/CVE-2026-33001 external
https://www.jenkins.io/security/advisory/2026-03-… external

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update for Openshift Jenkins is now available for Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.16.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Release of Red Hat OpenShift Developer Tools - Openshift Jenkins 4.16 security update.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2026:10214",
        "url": "https://access.redhat.com/errata/RHSA-2026:10214"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2024-29371",
        "url": "https://access.redhat.com/security/cve/CVE-2024-29371"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-27099",
        "url": "https://access.redhat.com/security/cve/CVE-2026-27099"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-27100",
        "url": "https://access.redhat.com/security/cve/CVE-2026-27100"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-33001",
        "url": "https://access.redhat.com/security/cve/CVE-2026-33001"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/",
        "url": "https://access.redhat.com/security/updates/classification/"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "https://docs.redhat.com/en/documentation/openshift_container_platform/4.16/html/jenkins",
        "url": "https://docs.redhat.com/en/documentation/openshift_container_platform/4.16/html/jenkins"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_10214.json"
      }
    ],
    "title": "Red Hat Security Advisory: Release of Red Hat OpenShift Developer Tools - Openshift Jenkins 4.16 security update.",
    "tracking": {
      "current_release_date": "2026-04-29T04:36:21+00:00",
      "generator": {
        "date": "2026-04-29T04:36:21+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.7.6"
        }
      },
      "id": "RHSA-2026:10214",
      "initial_release_date": "2026-04-23T17:30:02+00:00",
      "revision_history": [
        {
          "date": "2026-04-23T17:30:02+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2026-04-23T17:30:12+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-04-29T04:36:21+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "OpenShift Developer Tools and Services 4.16",
                "product": {
                  "name": "OpenShift Developer Tools and Services 4.16",
                  "product_id": "OpenShift Developer Tools and Services 4.16",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:ocp_tools:4.16::el9"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "OpenShift Developer Tools and Services"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
                "product": {
                  "name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
                  "product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/jenkins-agent-base-rhel9@sha256%3A960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd?arch=amd64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944183"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
                "product": {
                  "name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
                  "product_id": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/jenkins-rhel9@sha256%3A0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630?arch=amd64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944215"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "amd64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
                "product": {
                  "name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
                  "product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/jenkins-agent-base-rhel9@sha256%3A486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97?arch=arm64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944183"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
                "product": {
                  "name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
                  "product_id": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/jenkins-rhel9@sha256%3A1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4?arch=arm64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944215"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "arm64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
                "product": {
                  "name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
                  "product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:oci/jenkins-agent-base-rhel9@sha256%3Aa41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190?arch=ppc64le\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944183"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
                "product": {
                  "name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
                  "product_id": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:oci/jenkins-rhel9@sha256%3Aab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454?arch=ppc64le\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944215"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
                "product": {
                  "name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
                  "product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
                  "product_identification_helper": {
                    "purl": "pkg:oci/jenkins-agent-base-rhel9@sha256%3Acef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96?arch=s390x\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944183"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x",
                "product": {
                  "name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x",
                  "product_id": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x",
                  "product_identification_helper": {
                    "purl": "pkg:oci/jenkins-rhel9@sha256%3Ab453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7?arch=s390x\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944215"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64 as a component of OpenShift Developer Tools and Services 4.16",
          "product_id": "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64"
        },
        "product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
        "relates_to_product_reference": "OpenShift Developer Tools and Services 4.16"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64 as a component of OpenShift Developer Tools and Services 4.16",
          "product_id": "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64"
        },
        "product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
        "relates_to_product_reference": "OpenShift Developer Tools and Services 4.16"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le as a component of OpenShift Developer Tools and Services 4.16",
          "product_id": "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le"
        },
        "product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
        "relates_to_product_reference": "OpenShift Developer Tools and Services 4.16"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x as a component of OpenShift Developer Tools and Services 4.16",
          "product_id": "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
        },
        "product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
        "relates_to_product_reference": "OpenShift Developer Tools and Services 4.16"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64 as a component of OpenShift Developer Tools and Services 4.16",
          "product_id": "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64"
        },
        "product_reference": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
        "relates_to_product_reference": "OpenShift Developer Tools and Services 4.16"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64 as a component of OpenShift Developer Tools and Services 4.16",
          "product_id": "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64"
        },
        "product_reference": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
        "relates_to_product_reference": "OpenShift Developer Tools and Services 4.16"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le as a component of OpenShift Developer Tools and Services 4.16",
          "product_id": "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le"
        },
        "product_reference": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
        "relates_to_product_reference": "OpenShift Developer Tools and Services 4.16"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x as a component of OpenShift Developer Tools and Services 4.16",
          "product_id": "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
        },
        "product_reference": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x",
        "relates_to_product_reference": "OpenShift Developer Tools and Services 4.16"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-29371",
      "cwe": {
        "id": "CWE-409",
        "name": "Improper Handling of Highly Compressed Data (Data Amplification)"
      },
      "discovery_date": "2025-12-17T16:01:18.173727+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
            "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
            "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
            "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2423194"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in jose4j. A remote attacker can exploit this by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression. This can lead to a Denial of Service, making the service unavailable to legitimate users.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jose4j: jose4j: Denial of Service via malicious JSON Web Encryption (JWE) token compression",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This vulnerability is rated Important as it can lead to a Denial of Service in applications that process untrusted JSON Web Encryption tokens. An attacker can craft a malicious JWE token with an exceptionally high compression ratio, causing excessive memory allocation and processing time during decompression in affected components like jose4j. This affects products such as Red Hat AMQ, Enterprise Application Platform (EAP 8.0.z, 8.1.z), Red Hat JBoss Fuse, JBoss Data Grid, OpenShift Developer Tools \u0026 Services, Red Hat build of Apache Camel, Red Hat Integration, Red Hat OpenShift Dev Spaces, Red Hat Process Automation Manager, Red Hat Single Sign-On (RH-SSO), Insights, cloud.redhat.com, and OpenShift Serverless.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
          "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
          "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
          "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
        ],
        "known_not_affected": [
          "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
          "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
          "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
          "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-29371"
        },
        {
          "category": "external",
          "summary": "RHBZ#2423194",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2423194"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-29371",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-29371"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-29371",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29371"
        },
        {
          "category": "external",
          "summary": "https://bitbucket.org/b_c/jose4j/issues/220/vuln-zip-bomb-attack",
          "url": "https://bitbucket.org/b_c/jose4j/issues/220/vuln-zip-bomb-attack"
        }
      ],
      "release_date": "2025-12-17T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-04-23T17:30:02+00:00",
          "details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.16 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
          "product_ids": [
            "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
            "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
            "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
            "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:10214"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
            "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
            "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
            "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
            "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
            "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
            "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
            "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "jose4j: jose4j: Denial of Service via malicious JSON Web Encryption (JWE) token compression"
    },
    {
      "cve": "CVE-2026-27099",
      "cwe": {
        "id": "CWE-79",
        "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
      },
      "discovery_date": "2026-02-18T15:02:52.012661+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
            "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
            "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
            "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2440638"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Jenkins. This vulnerability, identified as a stored cross-site scripting (XSS) issue, occurs because Jenkins does not properly escape the user-provided description for the \"Mark temporarily offline\" cause. An attacker with Agent/Configure or Agent/Disconnect permissions can exploit this to inject malicious scripts, leading to potential information disclosure or unauthorized actions within the user\u0027s browser.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "org.jenkins-ci.main/jenkins-core: Jenkins: Stored Cross-site Scripting (XSS) via unescaped user-provided offline cause description",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This vulnerability in Jenkins allows authenticated attackers with Agent/Configure or Agent/Disconnect permissions to inject malicious scripts into the \"Mark temporarily offline\" cause description. This stored cross-site scripting (XSS) flaw can lead to information disclosure or unauthorized actions within a user\u0027s browser when viewing the affected description. Red Hat OpenShift Developer Tools \u0026 Services are affected.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
          "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
          "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
          "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
        ],
        "known_not_affected": [
          "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
          "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
          "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
          "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-27099"
        },
        {
          "category": "external",
          "summary": "RHBZ#2440638",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440638"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-27099",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-27099"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-27099",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27099"
        },
        {
          "category": "external",
          "summary": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3669",
          "url": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3669"
        }
      ],
      "release_date": "2026-02-18T14:17:43.911000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-04-23T17:30:02+00:00",
          "details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.16 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
          "product_ids": [
            "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
            "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
            "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
            "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:10214"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.6,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
            "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
            "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
            "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
            "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
            "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
            "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
            "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "org.jenkins-ci.main/jenkins-core: Jenkins: Stored Cross-site Scripting (XSS) via unescaped user-provided offline cause description"
    },
    {
      "cve": "CVE-2026-27100",
      "cwe": {
        "id": "CWE-551",
        "name": "Incorrect Behavior Order: Authorization Before Parsing and Canonicalization"
      },
      "discovery_date": "2026-02-18T15:02:47.032150+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
            "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
            "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
            "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2440637"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Jenkins. An attacker with Item/Build and Item/Configure permissions can exploit this vulnerability by submitting Run Parameter values that refer to builds they do not have authorization to access. This allows the attacker to obtain sensitive information, including the existence of jobs, the existence of builds, and the display names of specific builds. This is an information disclosure vulnerability.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "org.jenkins-ci.main/jenkins-core: Jenkins: Information disclosure via unauthorized access to build parameters",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This information disclosure vulnerability in Jenkins allows an attacker with Item/Build and Item/Configure permissions to gain knowledge about the existence and display names of jobs and builds they are not authorized to access. This affects Jenkins instances in OpenShift Developer Tools \u0026 Services.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
          "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
          "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
          "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
        ],
        "known_not_affected": [
          "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
          "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
          "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
          "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-27100"
        },
        {
          "category": "external",
          "summary": "RHBZ#2440637",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440637"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-27100",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-27100"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-27100",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27100"
        },
        {
          "category": "external",
          "summary": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3658",
          "url": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3658"
        }
      ],
      "release_date": "2026-02-18T14:17:44.672000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-04-23T17:30:02+00:00",
          "details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.16 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
          "product_ids": [
            "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
            "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
            "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
            "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:10214"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
            "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
            "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
            "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
            "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
            "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
            "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
            "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "org.jenkins-ci.main/jenkins-core: Jenkins: Information disclosure via unauthorized access to build parameters"
    },
    {
      "cve": "CVE-2026-33001",
      "cwe": {
        "id": "CWE-22",
        "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
      },
      "discovery_date": "2026-03-18T16:02:14.310096+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
            "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
            "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
            "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2448645"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Jenkins. This vulnerability allows attackers with Item/Configure permission, or those who can control agent processes, to exploit unsafe handling of symbolic links during the extraction of .tar and .tar.gz archives. By crafting malicious archives, an attacker can write files to arbitrary locations on the filesystem. This could enable the deployment of malicious scripts or plugins on the Jenkins controller, potentially leading to unauthorized code execution.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jenkins: Jenkins: Arbitrary file write and potential code execution through crafted archives",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
          "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
          "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
          "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
        ],
        "known_not_affected": [
          "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
          "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
          "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
          "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-33001"
        },
        {
          "category": "external",
          "summary": "RHBZ#2448645",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448645"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-33001",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-33001"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-33001",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33001"
        },
        {
          "category": "external",
          "summary": "https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3657",
          "url": "https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3657"
        }
      ],
      "release_date": "2026-03-18T15:15:23.950000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-04-23T17:30:02+00:00",
          "details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.16 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
          "product_ids": [
            "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
            "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
            "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
            "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:10214"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
            "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
            "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
            "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
            "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
            "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
            "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
            "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "jenkins: Jenkins: Arbitrary file write and potential code execution through crafted archives"
    }
  ]
}
