VulnerableCode Package Details - pkg:maven/org.jenkins-ci.main/jenkins-core@2.555

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-22rc-z7ra-dfh8	Jenkins has a link following vulnerability allows arbitrary file creation Jenkins 2.554 and earlier, LTS 2.541.2 and earlier does not safely handle symbolic links during the extraction of .tar and .tar.gz archives, allowing crafted archives to write files to arbitrary locations on the filesystem, restricted only by file system access permissions of the user running Jenkins. This can be exploited to deploy malicious scripts or plugins on the controller by attackers with Item/Configure permission, or able to control agent processes.	CVE-2026-33001 GHSA-r6qv-frpc-q66c
VCID-as34-f89r-e7ck	Jenkins has a DNS rebinding vulnerability in WebSocket CLI origin validation Jenkins 2.442 through 2.554 (both inclusive), LTS 2.426.3 through LTS 2.541.2 (both inclusive) performs origin validation of requests made through the CLI WebSocket endpoint by computing the expected origin for comparison using the Host or X-Forwarded-Host HTTP request headers, making it vulnerable to DNS rebinding attacks that allow bypassing origin validation.	CVE-2026-33002 GHSA-phhv-63fh-rrc8

Vulnerability

Summary

Aliases

VCID-22rc-z7ra-dfh8

Jenkins has a link following vulnerability allows arbitrary file creation Jenkins 2.554 and earlier, LTS 2.541.2 and earlier does not safely handle symbolic links during the extraction of .tar and .tar.gz archives, allowing crafted archives to write files to arbitrary locations on the filesystem, restricted only by file system access permissions of the user running Jenkins. This can be exploited to deploy malicious scripts or plugins on the controller by attackers with Item/Configure permission, or able to control agent processes.

CVE-2026-33001
GHSA-r6qv-frpc-q66c

VCID-as34-f89r-e7ck

Jenkins has a DNS rebinding vulnerability in WebSocket CLI origin validation Jenkins 2.442 through 2.554 (both inclusive), LTS 2.426.3 through LTS 2.541.2 (both inclusive) performs origin validation of requests made through the CLI WebSocket endpoint by computing the expected origin for comparison using the Host or X-Forwarded-Host HTTP request headers, making it vulnerable to DNS rebinding attacks that allow bypassing origin validation.

CVE-2026-33002
GHSA-phhv-63fh-rrc8

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-18T04:14:58.576015+00:00	GitLab Importer	Fixing	VCID-22rc-z7ra-dfh8	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.jenkins-ci.main/jenkins-core/CVE-2026-33001.yml	38.4.0
2026-04-18T04:14:57.302842+00:00	GitLab Importer	Fixing	VCID-as34-f89r-e7ck	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.jenkins-ci.main/jenkins-core/CVE-2026-33002.yml	38.4.0
2026-04-02T17:01:13.788470+00:00	GHSA Importer	Fixing	VCID-22rc-z7ra-dfh8	https://github.com/advisories/GHSA-r6qv-frpc-q66c	38.1.0
2026-04-02T17:01:13.735795+00:00	GHSA Importer	Fixing	VCID-as34-f89r-e7ck	https://github.com/advisories/GHSA-phhv-63fh-rrc8	38.1.0
2026-04-01T12:54:08.259262+00:00	GithubOSV Importer	Fixing	VCID-as34-f89r-e7ck	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-phhv-63fh-rrc8/GHSA-phhv-63fh-rrc8.json	38.0.0
2026-04-01T12:53:42.566085+00:00	GithubOSV Importer	Fixing	VCID-22rc-z7ra-dfh8	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-r6qv-frpc-q66c/GHSA-r6qv-frpc-q66c.json	38.0.0