Look up vulnerabilities affecting packages.

GET /api/vulnerabilities/24312?format=api
HTTP 200 OK
Allow: GET, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "url": "http://public2.vulnerablecode.io/api/vulnerabilities/24312?format=api",
    "vulnerability_id": "VCID-22rc-z7ra-dfh8",
    "summary": "Jenkins has a link-following vulnerability that allows arbitrary file creation\nJenkins 2.554 and earlier, LTS 2.541.2 and earlier do not safely handle symbolic links during the extraction of .tar and .tar.gz archives, allowing crafted archives to write files to arbitrary locations on the filesystem, restricted only by the file system access permissions of the user running Jenkins.\nThis can be exploited to deploy malicious scripts or plugins on the controller by attackers with Item/Configure permission, or who are able to control agent processes.",
    "aliases": [
        {
            "alias": "CVE-2026-33001"
        },
        {
            "alias": "GHSA-r6qv-frpc-q66c"
        }
    ],
    "fixed_packages": [
        {
            "url": "http://public2.vulnerablecode.io/api/packages/67487?format=api",
            "purl": "pkg:maven/org.jenkins-ci.main/jenkins-core@2.555",
            "is_vulnerable": false,
            "affected_by_vulnerabilities": [],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.main/jenkins-core@2.555"
        }
    ],
    "affected_packages": [
        {
            "url": "http://public2.vulnerablecode.io/api/packages/581804?format=api",
            "purl": "pkg:maven/org.jenkins-ci.main/jenkins-core@2.554",
            "is_vulnerable": true,
            "affected_by_vulnerabilities": [
                {
                    "vulnerability": "VCID-22rc-z7ra-dfh8"
                }
            ],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.main/jenkins-core@2.554"
        }
    ],
    "references": [
        {
            "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33001.json",
            "reference_id": "",
            "reference_type": "",
            "scores": [
                {
                    "value": "8.8",
                    "scoring_system": "cvssv3",
                    "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"
                }
            ],
            "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33001.json"
        },
        {
            "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33001",
            "reference_id": "",
            "reference_type": "",
            "scores": [
                {
                    "value": "0.00118",
                    "scoring_system": "epss",
                    "scoring_elements": "0.30832",
                    "published_at": "2026-04-11T12:55:00Z"
                },
                {
                    "value": "0.00118",
                    "scoring_system": "epss",
                    "scoring_elements": "0.3083",
                    "published_at": "2026-04-09T12:55:00Z"
                },
                {
                    "value": "0.00118",
                    "scoring_system": "epss",
                    "scoring_elements": "0.30798",
                    "published_at": "2026-04-08T12:55:00Z"
                },
                {
                    "value": "0.00118",
                    "scoring_system": "epss",
                    "scoring_elements": "0.3074",
                    "published_at": "2026-04-07T12:55:00Z"
                },
                {
                    "value": "0.00118",
                    "scoring_system": "epss",
                    "scoring_elements": "0.3092",
                    "published_at": "2026-04-04T12:55:00Z"
                },
                {
                    "value": "0.00118",
                    "scoring_system": "epss",
                    "scoring_elements": "0.30873",
                    "published_at": "2026-04-02T12:55:00Z"
                },
                {
                    "value": "0.00123",
                    "scoring_system": "epss",
                    "scoring_elements": "0.31441",
                    "published_at": "2026-04-16T12:55:00Z"
                },
                {
                    "value": "0.00123",
                    "scoring_system": "epss",
                    "scoring_elements": "0.31407",
                    "published_at": "2026-04-13T12:55:00Z"
                },
                {
                    "value": "0.00123",
                    "scoring_system": "epss",
                    "scoring_elements": "0.31444",
                    "published_at": "2026-04-12T12:55:00Z"
                },
                {
                    "value": "0.00123",
                    "scoring_system": "epss",
                    "scoring_elements": "0.31419",
                    "published_at": "2026-04-18T12:55:00Z"
                },
                {
                    "value": "0.00142",
                    "scoring_system": "epss",
                    "scoring_elements": "0.33828",
                    "published_at": "2026-05-07T12:55:00Z"
                },
                {
                    "value": "0.00142",
                    "scoring_system": "epss",
                    "scoring_elements": "0.34356",
                    "published_at": "2026-04-21T12:55:00Z"
                },
                {
                    "value": "0.00142",
                    "scoring_system": "epss",
                    "scoring_elements": "0.33984",
                    "published_at": "2026-04-24T12:55:00Z"
                },
                {
                    "value": "0.00142",
                    "scoring_system": "epss",
                    "scoring_elements": "0.33965",
                    "published_at": "2026-04-26T12:55:00Z"
                },
                {
                    "value": "0.00142",
                    "scoring_system": "epss",
                    "scoring_elements": "0.3388",
                    "published_at": "2026-04-29T12:55:00Z"
                },
                {
                    "value": "0.00142",
                    "scoring_system": "epss",
                    "scoring_elements": "0.33759",
                    "published_at": "2026-05-05T12:55:00Z"
                }
            ],
            "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33001"
        },
        {
            "reference_url": "https://github.com/jenkinsci/jenkins",
            "reference_id": "",
            "reference_type": "",
            "scores": [
                {
                    "value": "8.8",
                    "scoring_system": "cvssv3.1",
                    "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                },
                {
                    "value": "HIGH",
                    "scoring_system": "generic_textual",
                    "scoring_elements": ""
                }
            ],
            "url": "https://github.com/jenkinsci/jenkins"
        },
        {
            "reference_url": "https://github.com/jenkinsci/jenkins/commit/6dc99937605d5bddfeaae43a4cd14c2571e23adc",
            "reference_id": "",
            "reference_type": "",
            "scores": [
                {
                    "value": "8.8",
                    "scoring_system": "cvssv3.1",
                    "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                },
                {
                    "value": "HIGH",
                    "scoring_system": "generic_textual",
                    "scoring_elements": ""
                }
            ],
            "url": "https://github.com/jenkinsci/jenkins/commit/6dc99937605d5bddfeaae43a4cd14c2571e23adc"
        },
        {
            "reference_url": "https://github.com/jenkinsci/jenkins/releases/tag/jenkins-2.555",
            "reference_id": "",
            "reference_type": "",
            "scores": [
                {
                    "value": "8.8",
                    "scoring_system": "cvssv3.1",
                    "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                },
                {
                    "value": "HIGH",
                    "scoring_system": "generic_textual",
                    "scoring_elements": ""
                }
            ],
            "url": "https://github.com/jenkinsci/jenkins/releases/tag/jenkins-2.555"
        },
        {
            "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33001",
            "reference_id": "",
            "reference_type": "",
            "scores": [
                {
                    "value": "8.8",
                    "scoring_system": "cvssv3.1",
                    "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                },
                {
                    "value": "HIGH",
                    "scoring_system": "generic_textual",
                    "scoring_elements": ""
                }
            ],
            "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33001"
        },
        {
            "reference_url": "https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3657",
            "reference_id": "",
            "reference_type": "",
            "scores": [
                {
                    "value": "8.8",
                    "scoring_system": "cvssv3.1",
                    "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                },
                {
                    "value": "HIGH",
                    "scoring_system": "generic_textual",
                    "scoring_elements": ""
                },
                {
                    "value": "Track",
                    "scoring_system": "ssvc",
                    "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-19T03:55:23Z/"
                }
            ],
            "url": "https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3657"
        },
        {
            "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448645",
            "reference_id": "2448645",
            "reference_type": "",
            "scores": [],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448645"
        },
        {
            "reference_url": "https://github.com/advisories/GHSA-r6qv-frpc-q66c",
            "reference_id": "GHSA-r6qv-frpc-q66c",
            "reference_type": "",
            "scores": [
                {
                    "value": "HIGH",
                    "scoring_system": "cvssv3.1_qr",
                    "scoring_elements": ""
                }
            ],
            "url": "https://github.com/advisories/GHSA-r6qv-frpc-q66c"
        },
        {
            "reference_url": "https://access.redhat.com/errata/RHSA-2026:10199",
            "reference_id": "RHSA-2026:10199",
            "reference_type": "",
            "scores": [],
            "url": "https://access.redhat.com/errata/RHSA-2026:10199"
        },
        {
            "reference_url": "https://access.redhat.com/errata/RHSA-2026:10201",
            "reference_id": "RHSA-2026:10201",
            "reference_type": "",
            "scores": [],
            "url": "https://access.redhat.com/errata/RHSA-2026:10201"
        },
        {
            "reference_url": "https://access.redhat.com/errata/RHSA-2026:10204",
            "reference_id": "RHSA-2026:10204",
            "reference_type": "",
            "scores": [],
            "url": "https://access.redhat.com/errata/RHSA-2026:10204"
        },
        {
            "reference_url": "https://access.redhat.com/errata/RHSA-2026:10205",
            "reference_id": "RHSA-2026:10205",
            "reference_type": "",
            "scores": [],
            "url": "https://access.redhat.com/errata/RHSA-2026:10205"
        },
        {
            "reference_url": "https://access.redhat.com/errata/RHSA-2026:10206",
            "reference_id": "RHSA-2026:10206",
            "reference_type": "",
            "scores": [],
            "url": "https://access.redhat.com/errata/RHSA-2026:10206"
        },
        {
            "reference_url": "https://access.redhat.com/errata/RHSA-2026:10209",
            "reference_id": "RHSA-2026:10209",
            "reference_type": "",
            "scores": [],
            "url": "https://access.redhat.com/errata/RHSA-2026:10209"
        },
        {
            "reference_url": "https://access.redhat.com/errata/RHSA-2026:10211",
            "reference_id": "RHSA-2026:10211",
            "reference_type": "",
            "scores": [],
            "url": "https://access.redhat.com/errata/RHSA-2026:10211"
        },
        {
            "reference_url": "https://access.redhat.com/errata/RHSA-2026:10213",
            "reference_id": "RHSA-2026:10213",
            "reference_type": "",
            "scores": [],
            "url": "https://access.redhat.com/errata/RHSA-2026:10213"
        },
        {
            "reference_url": "https://access.redhat.com/errata/RHSA-2026:10214",
            "reference_id": "RHSA-2026:10214",
            "reference_type": "",
            "scores": [],
            "url": "https://access.redhat.com/errata/RHSA-2026:10214"
        },
        {
            "reference_url": "https://access.redhat.com/errata/RHSA-2026:10215",
            "reference_id": "RHSA-2026:10215",
            "reference_type": "",
            "scores": [],
            "url": "https://access.redhat.com/errata/RHSA-2026:10215"
        }
    ],
    "weaknesses": [
        {
            "cwe_id": 59,
            "name": "Improper Link Resolution Before File Access ('Link Following')",
            "description": "The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource."
        },
        {
            "cwe_id": 61,
            "name": "UNIX Symbolic Link (Symlink) Following",
            "description": "The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files."
        },
        {
            "cwe_id": 22,
            "name": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
            "description": "The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory."
        },
        {
            "cwe_id": 937,
            "name": "OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities",
            "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013."
        },
        {
            "cwe_id": 1035,
            "name": "OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities",
            "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017."
        }
    ],
    "exploits": [],
    "severity_range_score": "7.0 - 8.9",
    "exploitability": "0.5",
    "weighted_severity": "8.0",
    "risk_score": 4.0,
    "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-22rc-z7ra-dfh8"
}