Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2024-29371 (GCVE-0-2024-29371)
Vulnerability from cvelistv5 – Published: 2025-12-17 00:00 – Updated: 2026-01-23 19:28
VLAI
EPSS
Summary
In jose4j before 0.9.6, an attacker can cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression.
Severity
7.5 (High)
CWE
- n/a
Assigner
References
1 reference
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-29371",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-17T18:38:20.096134Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1259",
"description": "CWE-1259 Improper Restriction of Security Token Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-17T18:48:36.126Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://bitbucket.org/b_c/jose4j/issues/220/vuln-zip-bomb-attack"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In jose4j before 0.9.6, an attacker can cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-23T19:28:10.386Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://bitbucket.org/b_c/jose4j/issues/220/vuln-zip-bomb-attack"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-29371",
"datePublished": "2025-12-17T00:00:00.000Z",
"dateReserved": "2024-03-19T00:00:00.000Z",
"dateUpdated": "2026-01-23T19:28:10.386Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2024-29371",
"date": "2026-05-30",
"epss": "0.00021",
"percentile": "0.06297"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2024-29371\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2025-12-17T16:16:04.567\",\"lastModified\":\"2026-01-23T20:15:51.650\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In jose4j before 0.9.6, an attacker can cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-1259\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:jose4j_project:jose4j:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"0.9.5\",\"matchCriteriaId\":\"DE62FF6D-FC62-42B0-9ED4-76A0C4419975\"}]}]}],\"references\":[{\"url\":\"https://bitbucket.org/b_c/jose4j/issues/220/vuln-zip-bomb-attack\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\",\"Issue Tracking\",\"Mitigation\"]},{\"url\":\"https://bitbucket.org/b_c/jose4j/issues/220/vuln-zip-bomb-attack\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Issue Tracking\",\"Mitigation\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-29371\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-12-17T18:38:20.096134Z\"}}}], \"references\": [{\"url\": \"https://bitbucket.org/b_c/jose4j/issues/220/vuln-zip-bomb-attack\", \"tags\": [\"exploit\"]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-1259\", \"description\": \"CWE-1259 Improper Restriction of Security Token Assignment\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-12-17T18:15:31.759Z\"}}], \"cna\": {\"affected\": [{\"vendor\": \"n/a\", \"product\": \"n/a\", \"versions\": [{\"status\": \"affected\", \"version\": \"n/a\"}]}], \"references\": [{\"url\": \"https://bitbucket.org/b_c/jose4j/issues/220/vuln-zip-bomb-attack\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"In jose4j before 0.9.6, an attacker can cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"text\", \"description\": \"n/a\"}]}], \"providerMetadata\": {\"orgId\": \"8254265b-2729-46b6-b9e3-3dfca2d5bfca\", \"shortName\": \"mitre\", \"dateUpdated\": \"2026-01-23T19:28:10.386Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-29371\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-01-23T19:28:10.386Z\", \"dateReserved\": \"2024-03-19T00:00:00.000Z\", \"assignerOrgId\": \"8254265b-2729-46b6-b9e3-3dfca2d5bfca\", \"datePublished\": \"2025-12-17T00:00:00.000Z\", \"assignerShortName\": \"mitre\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
RHSA-2026:10201
Vulnerability from csaf_redhat - Published: 2026-04-23 16:39 - Updated: 2026-05-05 03:16Summary
Red Hat Security Advisory: Release of Red Hat OpenShift Developer Tools - Openshift Jenkins 4.13 security update.
Severity
Important
Notes
Topic: An update for Openshift Jenkins is now available for Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.13.
Details: Release of Red Hat OpenShift Developer Tools - Openshift Jenkins 4.13 security update.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in jose4j. A remote attacker can exploit this by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression. This can lead to a Denial of Service, making the service unavailable to legitimate users.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64 | — |
Vendor Fix
fix
|
Known not affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64 | — |
Threats
Impact
Important
A flaw was found in Jenkins. This vulnerability, identified as a stored cross-site scripting (XSS) issue, occurs because Jenkins does not properly escape the user-provided description for the "Mark temporarily offline" cause. An attacker with Agent/Configure or Agent/Disconnect permissions can exploit this to inject malicious scripts, leading to potential information disclosure or unauthorized actions within the user's browser.
4.6 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64 | — |
Vendor Fix
fix
|
Known not affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64 | — |
Threats
Impact
Moderate
A flaw was found in Jenkins. An attacker with Item/Build and Item/Configure permissions can exploit this vulnerability by submitting Run Parameter values that refer to builds they do not have authorization to access. This allows the attacker to obtain sensitive information, including the existence of jobs, the existence of builds, and the display names of specific builds. This is an information disclosure vulnerability.
4.3 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64 | — |
Vendor Fix
fix
|
Known not affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64 | — |
Threats
Impact
Moderate
A flaw was found in Jenkins. This vulnerability allows attackers with Item/Configure permission, or those who can control agent processes, to exploit unsafe handling of symbolic links during the extraction of .tar and .tar.gz archives. By crafting malicious archives, an attacker can write files to arbitrary locations on the filesystem. This could enable the deployment of malicious scripts or plugins on the Jenkins controller, potentially leading to unauthorized code execution.
8.8 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64 | — |
Vendor Fix
fix
|
Known not affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64 | — |
Threats
Impact
Important
References
29 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for Openshift Jenkins is now available for Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.13.",
"title": "Topic"
},
{
"category": "general",
"text": "Release of Red Hat OpenShift Developer Tools - Openshift Jenkins 4.13 security update.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:10201",
"url": "https://access.redhat.com/errata/RHSA-2026:10201"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2024-29371",
"url": "https://access.redhat.com/security/cve/CVE-2024-29371"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-27099",
"url": "https://access.redhat.com/security/cve/CVE-2026-27099"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-27100",
"url": "https://access.redhat.com/security/cve/CVE-2026-27100"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-33001",
"url": "https://access.redhat.com/security/cve/CVE-2026-33001"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://docs.redhat.com/en/documentation/openshift_container_platform/4.13/html/jenkins",
"url": "https://docs.redhat.com/en/documentation/openshift_container_platform/4.13/html/jenkins"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_10201.json"
}
],
"title": "Red Hat Security Advisory: Release of Red Hat OpenShift Developer Tools - Openshift Jenkins 4.13 security update.",
"tracking": {
"current_release_date": "2026-05-05T03:16:31+00:00",
"generator": {
"date": "2026-05-05T03:16:31+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.9"
}
},
"id": "RHSA-2026:10201",
"initial_release_date": "2026-04-23T16:39:39+00:00",
"revision_history": [
{
"date": "2026-04-23T16:39:39+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-04-23T16:39:47+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-05T03:16:31+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "OpenShift Developer Tools and Services 4.13",
"product": {
"name": "OpenShift Developer Tools and Services 4.13",
"product_id": "OpenShift Developer Tools and Services 4.13",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:ocp_tools:4.13::el8"
}
}
}
],
"category": "product_family",
"name": "OpenShift Developer Tools and Services"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel8@sha256%3Aad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872?arch=amd64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776760341"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-rhel8@sha256%3A8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7?arch=amd64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776764096"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel8@sha256%3A3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230?arch=arm64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776760341"
}
}
}
],
"category": "architecture",
"name": "arm64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel8@sha256%3A7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056?arch=ppc64le\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776760341"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel8@sha256%3A3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39?arch=s390x\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776760341"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64 as a component of OpenShift Developer Tools and Services 4.13",
"product_id": "OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.13"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x as a component of OpenShift Developer Tools and Services 4.13",
"product_id": "OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.13"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le as a component of OpenShift Developer Tools and Services 4.13",
"product_id": "OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.13"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64 as a component of OpenShift Developer Tools and Services 4.13",
"product_id": "OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.13"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64 as a component of OpenShift Developer Tools and Services 4.13",
"product_id": "OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.13"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-29371",
"cwe": {
"id": "CWE-409",
"name": "Improper Handling of Highly Compressed Data (Data Amplification)"
},
"discovery_date": "2025-12-17T16:01:18.173727+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2423194"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in jose4j. A remote attacker can exploit this by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression. This can lead to a Denial of Service, making the service unavailable to legitimate users.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jose4j: jose4j: Denial of Service via malicious JSON Web Encryption (JWE) token compression",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated Important as it can lead to a Denial of Service in applications that process untrusted JSON Web Encryption tokens. An attacker can craft a malicious JWE token with an exceptionally high compression ratio, causing excessive memory allocation and processing time during decompression in affected components like jose4j. This affects products such as Red Hat AMQ, Enterprise Application Platform (EAP 8.0.z, 8.1.z), Red Hat JBoss Fuse, JBoss Data Grid, OpenShift Developer Tools \u0026 Services, Red Hat build of Apache Camel, Red Hat Integration, Red Hat OpenShift Dev Spaces, Red Hat Process Automation Manager, Red Hat Single Sign-On (RH-SSO), Insights, cloud.redhat.com, and OpenShift Serverless.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-29371"
},
{
"category": "external",
"summary": "RHBZ#2423194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2423194"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-29371",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-29371"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-29371",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29371"
},
{
"category": "external",
"summary": "https://bitbucket.org/b_c/jose4j/issues/220/vuln-zip-bomb-attack",
"url": "https://bitbucket.org/b_c/jose4j/issues/220/vuln-zip-bomb-attack"
}
],
"release_date": "2025-12-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T16:39:39+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.13 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10201"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jose4j: jose4j: Denial of Service via malicious JSON Web Encryption (JWE) token compression"
},
{
"cve": "CVE-2026-27099",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2026-02-18T15:02:52.012661+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2440638"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jenkins. This vulnerability, identified as a stored cross-site scripting (XSS) issue, occurs because Jenkins does not properly escape the user-provided description for the \"Mark temporarily offline\" cause. An attacker with Agent/Configure or Agent/Disconnect permissions can exploit this to inject malicious scripts, leading to potential information disclosure or unauthorized actions within the user\u0027s browser.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.jenkins-ci.main/jenkins-core: Jenkins: Stored Cross-site Scripting (XSS) via unescaped user-provided offline cause description",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability in Jenkins allows authenticated attackers with Agent/Configure or Agent/Disconnect permissions to inject malicious scripts into the \"Mark temporarily offline\" cause description. This stored cross-site scripting (XSS) flaw can lead to information disclosure or unauthorized actions within a user\u0027s browser when viewing the affected description. Red Hat OpenShift Developer Tools \u0026 Services are affected.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-27099"
},
{
"category": "external",
"summary": "RHBZ#2440638",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440638"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-27099",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27099"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-27099",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27099"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3669",
"url": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3669"
}
],
"release_date": "2026-02-18T14:17:43.911000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T16:39:39+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.13 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10201"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "org.jenkins-ci.main/jenkins-core: Jenkins: Stored Cross-site Scripting (XSS) via unescaped user-provided offline cause description"
},
{
"cve": "CVE-2026-27100",
"cwe": {
"id": "CWE-551",
"name": "Incorrect Behavior Order: Authorization Before Parsing and Canonicalization"
},
"discovery_date": "2026-02-18T15:02:47.032150+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2440637"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jenkins. An attacker with Item/Build and Item/Configure permissions can exploit this vulnerability by submitting Run Parameter values that refer to builds they do not have authorization to access. This allows the attacker to obtain sensitive information, including the existence of jobs, the existence of builds, and the display names of specific builds. This is an information disclosure vulnerability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.jenkins-ci.main/jenkins-core: Jenkins: Information disclosure via unauthorized access to build parameters",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This information disclosure vulnerability in Jenkins allows an attacker with Item/Build and Item/Configure permissions to gain knowledge about the existence and display names of jobs and builds they are not authorized to access. This affects Jenkins instances in OpenShift Developer Tools \u0026 Services.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-27100"
},
{
"category": "external",
"summary": "RHBZ#2440637",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440637"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-27100",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27100"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-27100",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27100"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3658",
"url": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3658"
}
],
"release_date": "2026-02-18T14:17:44.672000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T16:39:39+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.13 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10201"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "org.jenkins-ci.main/jenkins-core: Jenkins: Information disclosure via unauthorized access to build parameters"
},
{
"cve": "CVE-2026-33001",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2026-03-18T16:02:14.310096+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2448645"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jenkins. This vulnerability allows attackers with Item/Configure permission, or those who can control agent processes, to exploit unsafe handling of symbolic links during the extraction of .tar and .tar.gz archives. By crafting malicious archives, an attacker can write files to arbitrary locations on the filesystem. This could enable the deployment of malicious scripts or plugins on the Jenkins controller, potentially leading to unauthorized code execution.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins: Jenkins: Arbitrary file write and potential code execution through crafted archives",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-33001"
},
{
"category": "external",
"summary": "RHBZ#2448645",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448645"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-33001",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33001"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-33001",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33001"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3657",
"url": "https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3657"
}
],
"release_date": "2026-03-18T15:15:23.950000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T16:39:39+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.13 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10201"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jenkins: Jenkins: Arbitrary file write and potential code execution through crafted archives"
}
]
}
RHSA-2026:10204
Vulnerability from csaf_redhat - Published: 2026-04-23 16:56 - Updated: 2026-05-05 03:16Summary
Red Hat Security Advisory: Release of Red Hat OpenShift Developer Tools - Openshift Jenkins 4.15 security update.
Severity
Important
Notes
Topic: An update for Openshift Jenkins is now available for Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.15.
Details: Release of Red Hat OpenShift Developer Tools - Openshift Jenkins 4.15 security update.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in jose4j. A remote attacker can exploit this by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression. This can lead to a Denial of Service, making the service unavailable to legitimate users.
7.5 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x | — |
Vendor Fix
fix
|
Known not affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64 | — |
Threats
Impact
Important
A flaw was found in Jenkins. This vulnerability, identified as a stored cross-site scripting (XSS) issue, occurs because Jenkins does not properly escape the user-provided description for the "Mark temporarily offline" cause. An attacker with Agent/Configure or Agent/Disconnect permissions can exploit this to inject malicious scripts, leading to potential information disclosure or unauthorized actions within the user's browser.
4.6 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x | — |
Vendor Fix
fix
|
Known not affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64 | — |
Threats
Impact
Moderate
A flaw was found in Jenkins. An attacker with Item/Build and Item/Configure permissions can exploit this vulnerability by submitting Run Parameter values that refer to builds they do not have authorization to access. This allows the attacker to obtain sensitive information, including the existence of jobs, the existence of builds, and the display names of specific builds. This is an information disclosure vulnerability.
4.3 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x | — |
Vendor Fix
fix
|
Known not affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64 | — |
Threats
Impact
Moderate
A flaw was found in Jenkins. This vulnerability allows attackers with Item/Configure permission, or those who can control agent processes, to exploit unsafe handling of symbolic links during the extraction of .tar and .tar.gz archives. By crafting malicious archives, an attacker can write files to arbitrary locations on the filesystem. This could enable the deployment of malicious scripts or plugins on the Jenkins controller, potentially leading to unauthorized code execution.
8.8 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x | — |
Vendor Fix
fix
|
Known not affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64 | — |
Threats
Impact
Important
References
29 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for Openshift Jenkins is now available for Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.15.",
"title": "Topic"
},
{
"category": "general",
"text": "Release of Red Hat OpenShift Developer Tools - Openshift Jenkins 4.15 security update.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:10204",
"url": "https://access.redhat.com/errata/RHSA-2026:10204"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2024-29371",
"url": "https://access.redhat.com/security/cve/CVE-2024-29371"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-27099",
"url": "https://access.redhat.com/security/cve/CVE-2026-27099"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-27100",
"url": "https://access.redhat.com/security/cve/CVE-2026-27100"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-33001",
"url": "https://access.redhat.com/security/cve/CVE-2026-33001"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://docs.redhat.com/en/documentation/openshift_container_platform/4.15/html/jenkins",
"url": "https://docs.redhat.com/en/documentation/openshift_container_platform/4.15/html/jenkins"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_10204.json"
}
],
"title": "Red Hat Security Advisory: Release of Red Hat OpenShift Developer Tools - Openshift Jenkins 4.15 security update.",
"tracking": {
"current_release_date": "2026-05-05T03:16:32+00:00",
"generator": {
"date": "2026-05-05T03:16:32+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.9"
}
},
"id": "RHSA-2026:10204",
"initial_release_date": "2026-04-23T16:56:17+00:00",
"revision_history": [
{
"date": "2026-04-23T16:56:17+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-04-23T16:56:26+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-05T03:16:32+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "OpenShift Developer Tools and Services 4.15",
"product": {
"name": "OpenShift Developer Tools and Services 4.15",
"product_id": "OpenShift Developer Tools and Services 4.15",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:ocp_tools:4.15::el8"
}
}
}
],
"category": "product_family",
"name": "OpenShift Developer Tools and Services"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel8@sha256%3Aad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872?arch=amd64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776760341"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-rhel8@sha256%3A5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d?arch=amd64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776762347"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel8@sha256%3A3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230?arch=arm64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776760341"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-rhel8@sha256%3Aec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae?arch=arm64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776762347"
}
}
}
],
"category": "architecture",
"name": "arm64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel8@sha256%3A7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056?arch=ppc64le\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776760341"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-rhel8@sha256%3A02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c?arch=ppc64le\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776762347"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel8@sha256%3A3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39?arch=s390x\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776760341"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-rhel8@sha256%3Afa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8?arch=s390x\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776762347"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64 as a component of OpenShift Developer Tools and Services 4.15",
"product_id": "OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.15"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x as a component of OpenShift Developer Tools and Services 4.15",
"product_id": "OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.15"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le as a component of OpenShift Developer Tools and Services 4.15",
"product_id": "OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.15"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64 as a component of OpenShift Developer Tools and Services 4.15",
"product_id": "OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.15"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le as a component of OpenShift Developer Tools and Services 4.15",
"product_id": "OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.15"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64 as a component of OpenShift Developer Tools and Services 4.15",
"product_id": "OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.15"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64 as a component of OpenShift Developer Tools and Services 4.15",
"product_id": "OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.15"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x as a component of OpenShift Developer Tools and Services 4.15",
"product_id": "OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.15"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-29371",
"cwe": {
"id": "CWE-409",
"name": "Improper Handling of Highly Compressed Data (Data Amplification)"
},
"discovery_date": "2025-12-17T16:01:18.173727+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2423194"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in jose4j. A remote attacker can exploit this by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression. This can lead to a Denial of Service, making the service unavailable to legitimate users.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jose4j: jose4j: Denial of Service via malicious JSON Web Encryption (JWE) token compression",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated Important as it can lead to a Denial of Service in applications that process untrusted JSON Web Encryption tokens. An attacker can craft a malicious JWE token with an exceptionally high compression ratio, causing excessive memory allocation and processing time during decompression in affected components like jose4j. This affects products such as Red Hat AMQ, Enterprise Application Platform (EAP 8.0.z, 8.1.z), Red Hat JBoss Fuse, JBoss Data Grid, OpenShift Developer Tools \u0026 Services, Red Hat build of Apache Camel, Red Hat Integration, Red Hat OpenShift Dev Spaces, Red Hat Process Automation Manager, Red Hat Single Sign-On (RH-SSO), Insights, cloud.redhat.com, and OpenShift Serverless.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-29371"
},
{
"category": "external",
"summary": "RHBZ#2423194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2423194"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-29371",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-29371"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-29371",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29371"
},
{
"category": "external",
"summary": "https://bitbucket.org/b_c/jose4j/issues/220/vuln-zip-bomb-attack",
"url": "https://bitbucket.org/b_c/jose4j/issues/220/vuln-zip-bomb-attack"
}
],
"release_date": "2025-12-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T16:56:17+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.15 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10204"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jose4j: jose4j: Denial of Service via malicious JSON Web Encryption (JWE) token compression"
},
{
"cve": "CVE-2026-27099",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2026-02-18T15:02:52.012661+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2440638"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jenkins. This vulnerability, identified as a stored cross-site scripting (XSS) issue, occurs because Jenkins does not properly escape the user-provided description for the \"Mark temporarily offline\" cause. An attacker with Agent/Configure or Agent/Disconnect permissions can exploit this to inject malicious scripts, leading to potential information disclosure or unauthorized actions within the user\u0027s browser.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.jenkins-ci.main/jenkins-core: Jenkins: Stored Cross-site Scripting (XSS) via unescaped user-provided offline cause description",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability in Jenkins allows authenticated attackers with Agent/Configure or Agent/Disconnect permissions to inject malicious scripts into the \"Mark temporarily offline\" cause description. This stored cross-site scripting (XSS) flaw can lead to information disclosure or unauthorized actions within a user\u0027s browser when viewing the affected description. Red Hat OpenShift Developer Tools \u0026 Services are affected.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-27099"
},
{
"category": "external",
"summary": "RHBZ#2440638",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440638"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-27099",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27099"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-27099",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27099"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3669",
"url": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3669"
}
],
"release_date": "2026-02-18T14:17:43.911000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T16:56:17+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.15 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10204"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "org.jenkins-ci.main/jenkins-core: Jenkins: Stored Cross-site Scripting (XSS) via unescaped user-provided offline cause description"
},
{
"cve": "CVE-2026-27100",
"cwe": {
"id": "CWE-551",
"name": "Incorrect Behavior Order: Authorization Before Parsing and Canonicalization"
},
"discovery_date": "2026-02-18T15:02:47.032150+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2440637"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jenkins. An attacker with Item/Build and Item/Configure permissions can exploit this vulnerability by submitting Run Parameter values that refer to builds they do not have authorization to access. This allows the attacker to obtain sensitive information, including the existence of jobs, the existence of builds, and the display names of specific builds. This is an information disclosure vulnerability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.jenkins-ci.main/jenkins-core: Jenkins: Information disclosure via unauthorized access to build parameters",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This information disclosure vulnerability in Jenkins allows an attacker with Item/Build and Item/Configure permissions to gain knowledge about the existence and display names of jobs and builds they are not authorized to access. This affects Jenkins instances in OpenShift Developer Tools \u0026 Services.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-27100"
},
{
"category": "external",
"summary": "RHBZ#2440637",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440637"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-27100",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27100"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-27100",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27100"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3658",
"url": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3658"
}
],
"release_date": "2026-02-18T14:17:44.672000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T16:56:17+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.15 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10204"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "org.jenkins-ci.main/jenkins-core: Jenkins: Information disclosure via unauthorized access to build parameters"
},
{
"cve": "CVE-2026-33001",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2026-03-18T16:02:14.310096+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2448645"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jenkins. This vulnerability allows attackers with Item/Configure permission, or those who can control agent processes, to exploit unsafe handling of symbolic links during the extraction of .tar and .tar.gz archives. By crafting malicious archives, an attacker can write files to arbitrary locations on the filesystem. This could enable the deployment of malicious scripts or plugins on the Jenkins controller, potentially leading to unauthorized code execution.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins: Jenkins: Arbitrary file write and potential code execution through crafted archives",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-33001"
},
{
"category": "external",
"summary": "RHBZ#2448645",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448645"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-33001",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33001"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-33001",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33001"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3657",
"url": "https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3657"
}
],
"release_date": "2026-03-18T15:15:23.950000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T16:56:17+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.15 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10204"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jenkins: Jenkins: Arbitrary file write and potential code execution through crafted archives"
}
]
}
RHSA-2026:10205
Vulnerability from csaf_redhat - Published: 2026-04-23 17:06 - Updated: 2026-05-05 03:16Summary
Red Hat Security Advisory: Release of Red Hat OpenShift Developer Tools - Openshift Jenkins 4.20 security update.
Severity
Important
Notes
Topic: An update for Openshift Jenkins is now available for Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.20.
Details: Release of Red Hat OpenShift Developer Tools - Openshift Jenkins 4.20 security update.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in jose4j. A remote attacker can exploit this by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression. This can lead to a Denial of Service, making the service unavailable to legitimate users.
7.5 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x | — |
Vendor Fix
fix
|
Known not affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x | — |
Threats
Impact
Important
A flaw was found in Jenkins. This vulnerability, identified as a stored cross-site scripting (XSS) issue, occurs because Jenkins does not properly escape the user-provided description for the "Mark temporarily offline" cause. An attacker with Agent/Configure or Agent/Disconnect permissions can exploit this to inject malicious scripts, leading to potential information disclosure or unauthorized actions within the user's browser.
4.6 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x | — |
Vendor Fix
fix
|
Known not affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x | — |
Threats
Impact
Moderate
A flaw was found in Jenkins. An attacker with Item/Build and Item/Configure permissions can exploit this vulnerability by submitting Run Parameter values that refer to builds they do not have authorization to access. This allows the attacker to obtain sensitive information, including the existence of jobs, the existence of builds, and the display names of specific builds. This is an information disclosure vulnerability.
4.3 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x | — |
Vendor Fix
fix
|
Known not affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x | — |
Threats
Impact
Moderate
A flaw was found in Jenkins. This vulnerability allows attackers with Item/Configure permission, or those who can control agent processes, to exploit unsafe handling of symbolic links during the extraction of .tar and .tar.gz archives. By crafting malicious archives, an attacker can write files to arbitrary locations on the filesystem. This could enable the deployment of malicious scripts or plugins on the Jenkins controller, potentially leading to unauthorized code execution.
8.8 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x | — |
Vendor Fix
fix
|
Known not affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x | — |
Threats
Impact
Important
References
29 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for Openshift Jenkins is now available for Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.20.",
"title": "Topic"
},
{
"category": "general",
"text": "Release of Red Hat OpenShift Developer Tools - Openshift Jenkins 4.20 security update.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:10205",
"url": "https://access.redhat.com/errata/RHSA-2026:10205"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2024-29371",
"url": "https://access.redhat.com/security/cve/CVE-2024-29371"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-27099",
"url": "https://access.redhat.com/security/cve/CVE-2026-27099"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-27100",
"url": "https://access.redhat.com/security/cve/CVE-2026-27100"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-33001",
"url": "https://access.redhat.com/security/cve/CVE-2026-33001"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://docs.redhat.com/en/documentation/openshift_container_platform/4.20/html/jenkins",
"url": "https://docs.redhat.com/en/documentation/openshift_container_platform/4.20/html/jenkins"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_10205.json"
}
],
"title": "Red Hat Security Advisory: Release of Red Hat OpenShift Developer Tools - Openshift Jenkins 4.20 security update.",
"tracking": {
"current_release_date": "2026-05-05T03:16:32+00:00",
"generator": {
"date": "2026-05-05T03:16:32+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.9"
}
},
"id": "RHSA-2026:10205",
"initial_release_date": "2026-04-23T17:06:07+00:00",
"revision_history": [
{
"date": "2026-04-23T17:06:07+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-04-23T17:06:18+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-05T03:16:32+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "OpenShift Developer Tools and Services 4.2",
"product": {
"name": "OpenShift Developer Tools and Services 4.2",
"product_id": "OpenShift Developer Tools and Services 4.2",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:ocp_tools:4.20::el9"
}
}
}
],
"category": "product_family",
"name": "OpenShift Developer Tools and Services"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel9@sha256%3A960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd?arch=amd64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944183"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-rhel9@sha256%3A0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630?arch=amd64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944215"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel9@sha256%3A486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97?arch=arm64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944183"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-rhel9@sha256%3A1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4?arch=arm64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944215"
}
}
}
],
"category": "architecture",
"name": "arm64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel9@sha256%3Aa41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190?arch=ppc64le\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944183"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-rhel9@sha256%3Aab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454?arch=ppc64le\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944215"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel9@sha256%3Acef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96?arch=s390x\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944183"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-rhel9@sha256%3Ab453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7?arch=s390x\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944215"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64 as a component of OpenShift Developer Tools and Services 4.2",
"product_id": "OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64 as a component of OpenShift Developer Tools and Services 4.2",
"product_id": "OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le as a component of OpenShift Developer Tools and Services 4.2",
"product_id": "OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x as a component of OpenShift Developer Tools and Services 4.2",
"product_id": "OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64 as a component of OpenShift Developer Tools and Services 4.2",
"product_id": "OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64 as a component of OpenShift Developer Tools and Services 4.2",
"product_id": "OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le as a component of OpenShift Developer Tools and Services 4.2",
"product_id": "OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x as a component of OpenShift Developer Tools and Services 4.2",
"product_id": "OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.2"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-29371",
"cwe": {
"id": "CWE-409",
"name": "Improper Handling of Highly Compressed Data (Data Amplification)"
},
"discovery_date": "2025-12-17T16:01:18.173727+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2423194"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in jose4j. A remote attacker can exploit this by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression. This can lead to a Denial of Service, making the service unavailable to legitimate users.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jose4j: jose4j: Denial of Service via malicious JSON Web Encryption (JWE) token compression",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated Important as it can lead to a Denial of Service in applications that process untrusted JSON Web Encryption tokens. An attacker can craft a malicious JWE token with an exceptionally high compression ratio, causing excessive memory allocation and processing time during decompression in affected components like jose4j. This affects products such as Red Hat AMQ, Enterprise Application Platform (EAP 8.0.z, 8.1.z), Red Hat JBoss Fuse, JBoss Data Grid, OpenShift Developer Tools \u0026 Services, Red Hat build of Apache Camel, Red Hat Integration, Red Hat OpenShift Dev Spaces, Red Hat Process Automation Manager, Red Hat Single Sign-On (RH-SSO), Insights, cloud.redhat.com, and OpenShift Serverless.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-29371"
},
{
"category": "external",
"summary": "RHBZ#2423194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2423194"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-29371",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-29371"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-29371",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29371"
},
{
"category": "external",
"summary": "https://bitbucket.org/b_c/jose4j/issues/220/vuln-zip-bomb-attack",
"url": "https://bitbucket.org/b_c/jose4j/issues/220/vuln-zip-bomb-attack"
}
],
"release_date": "2025-12-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T17:06:07+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.20 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10205"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jose4j: jose4j: Denial of Service via malicious JSON Web Encryption (JWE) token compression"
},
{
"cve": "CVE-2026-27099",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2026-02-18T15:02:52.012661+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2440638"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jenkins. This vulnerability, identified as a stored cross-site scripting (XSS) issue, occurs because Jenkins does not properly escape the user-provided description for the \"Mark temporarily offline\" cause. An attacker with Agent/Configure or Agent/Disconnect permissions can exploit this to inject malicious scripts, leading to potential information disclosure or unauthorized actions within the user\u0027s browser.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.jenkins-ci.main/jenkins-core: Jenkins: Stored Cross-site Scripting (XSS) via unescaped user-provided offline cause description",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability in Jenkins allows authenticated attackers with Agent/Configure or Agent/Disconnect permissions to inject malicious scripts into the \"Mark temporarily offline\" cause description. This stored cross-site scripting (XSS) flaw can lead to information disclosure or unauthorized actions within a user\u0027s browser when viewing the affected description. Red Hat OpenShift Developer Tools \u0026 Services are affected.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-27099"
},
{
"category": "external",
"summary": "RHBZ#2440638",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440638"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-27099",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27099"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-27099",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27099"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3669",
"url": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3669"
}
],
"release_date": "2026-02-18T14:17:43.911000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T17:06:07+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.20 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10205"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "org.jenkins-ci.main/jenkins-core: Jenkins: Stored Cross-site Scripting (XSS) via unescaped user-provided offline cause description"
},
{
"cve": "CVE-2026-27100",
"cwe": {
"id": "CWE-551",
"name": "Incorrect Behavior Order: Authorization Before Parsing and Canonicalization"
},
"discovery_date": "2026-02-18T15:02:47.032150+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2440637"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jenkins. An attacker with Item/Build and Item/Configure permissions can exploit this vulnerability by submitting Run Parameter values that refer to builds they do not have authorization to access. This allows the attacker to obtain sensitive information, including the existence of jobs, the existence of builds, and the display names of specific builds. This is an information disclosure vulnerability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.jenkins-ci.main/jenkins-core: Jenkins: Information disclosure via unauthorized access to build parameters",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This information disclosure vulnerability in Jenkins allows an attacker with Item/Build and Item/Configure permissions to gain knowledge about the existence and display names of jobs and builds they are not authorized to access. This affects Jenkins instances in OpenShift Developer Tools \u0026 Services.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-27100"
},
{
"category": "external",
"summary": "RHBZ#2440637",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440637"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-27100",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27100"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-27100",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27100"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3658",
"url": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3658"
}
],
"release_date": "2026-02-18T14:17:44.672000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T17:06:07+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.20 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10205"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "org.jenkins-ci.main/jenkins-core: Jenkins: Information disclosure via unauthorized access to build parameters"
},
{
"cve": "CVE-2026-33001",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2026-03-18T16:02:14.310096+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2448645"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jenkins. This vulnerability allows attackers with Item/Configure permission, or those who can control agent processes, to exploit unsafe handling of symbolic links during the extraction of .tar and .tar.gz archives. By crafting malicious archives, an attacker can write files to arbitrary locations on the filesystem. This could enable the deployment of malicious scripts or plugins on the Jenkins controller, potentially leading to unauthorized code execution.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins: Jenkins: Arbitrary file write and potential code execution through crafted archives",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-33001"
},
{
"category": "external",
"summary": "RHBZ#2448645",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448645"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-33001",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33001"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-33001",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33001"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3657",
"url": "https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3657"
}
],
"release_date": "2026-03-18T15:15:23.950000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T17:06:07+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.20 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10205"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jenkins: Jenkins: Arbitrary file write and potential code execution through crafted archives"
}
]
}
RHSA-2026:10206
Vulnerability from csaf_redhat - Published: 2026-04-23 17:15 - Updated: 2026-05-05 03:16Summary
Red Hat Security Advisory: Release of Red Hat OpenShift Developer Tools - Openshift Jenkins 4.19 security update.
Severity
Important
Notes
Topic: An update for Openshift Jenkins is now available for Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.19.
Details: Release of Red Hat OpenShift Developer Tools - Openshift Jenkins 4.19 security update.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in jose4j. A remote attacker can exploit this by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression. This can lead to a Denial of Service, making the service unavailable to legitimate users.
7.5 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x | — |
Vendor Fix
fix
|
Known not affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x | — |
Threats
Impact
Important
A flaw was found in Jenkins. This vulnerability, identified as a stored cross-site scripting (XSS) issue, occurs because Jenkins does not properly escape the user-provided description for the "Mark temporarily offline" cause. An attacker with Agent/Configure or Agent/Disconnect permissions can exploit this to inject malicious scripts, leading to potential information disclosure or unauthorized actions within the user's browser.
4.6 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x | — |
Vendor Fix
fix
|
Known not affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x | — |
Threats
Impact
Moderate
A flaw was found in Jenkins. An attacker with Item/Build and Item/Configure permissions can exploit this vulnerability by submitting Run Parameter values that refer to builds they do not have authorization to access. This allows the attacker to obtain sensitive information, including the existence of jobs, the existence of builds, and the display names of specific builds. This is an information disclosure vulnerability.
4.3 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x | — |
Vendor Fix
fix
|
Known not affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x | — |
Threats
Impact
Moderate
A flaw was found in Jenkins. This vulnerability allows attackers with Item/Configure permission, or those who can control agent processes, to exploit unsafe handling of symbolic links during the extraction of .tar and .tar.gz archives. By crafting malicious archives, an attacker can write files to arbitrary locations on the filesystem. This could enable the deployment of malicious scripts or plugins on the Jenkins controller, potentially leading to unauthorized code execution.
8.8 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x | — |
Vendor Fix
fix
|
Known not affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x | — |
Threats
Impact
Important
References
29 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for Openshift Jenkins is now available for Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.19.",
"title": "Topic"
},
{
"category": "general",
"text": "Release of Red Hat OpenShift Developer Tools - Openshift Jenkins 4.19 security update.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:10206",
"url": "https://access.redhat.com/errata/RHSA-2026:10206"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2024-29371",
"url": "https://access.redhat.com/security/cve/CVE-2024-29371"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-27099",
"url": "https://access.redhat.com/security/cve/CVE-2026-27099"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-27100",
"url": "https://access.redhat.com/security/cve/CVE-2026-27100"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-33001",
"url": "https://access.redhat.com/security/cve/CVE-2026-33001"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://docs.redhat.com/en/documentation/openshift_container_platform/4.19/html/jenkins",
"url": "https://docs.redhat.com/en/documentation/openshift_container_platform/4.19/html/jenkins"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_10206.json"
}
],
"title": "Red Hat Security Advisory: Release of Red Hat OpenShift Developer Tools - Openshift Jenkins 4.19 security update.",
"tracking": {
"current_release_date": "2026-05-05T03:16:32+00:00",
"generator": {
"date": "2026-05-05T03:16:32+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.9"
}
},
"id": "RHSA-2026:10206",
"initial_release_date": "2026-04-23T17:15:37+00:00",
"revision_history": [
{
"date": "2026-04-23T17:15:37+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-04-23T17:15:48+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-05T03:16:32+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "OpenShift Developer Tools and Services 4.19",
"product": {
"name": "OpenShift Developer Tools and Services 4.19",
"product_id": "OpenShift Developer Tools and Services 4.19",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:ocp_tools:4.19::el9"
}
}
}
],
"category": "product_family",
"name": "OpenShift Developer Tools and Services"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel9@sha256%3A960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd?arch=amd64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944183"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-rhel9@sha256%3A0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630?arch=amd64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944215"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel9@sha256%3A486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97?arch=arm64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944183"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-rhel9@sha256%3A1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4?arch=arm64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944215"
}
}
}
],
"category": "architecture",
"name": "arm64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel9@sha256%3Aa41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190?arch=ppc64le\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944183"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-rhel9@sha256%3Aab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454?arch=ppc64le\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944215"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel9@sha256%3Acef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96?arch=s390x\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944183"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-rhel9@sha256%3Ab453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7?arch=s390x\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944215"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64 as a component of OpenShift Developer Tools and Services 4.19",
"product_id": "OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.19"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64 as a component of OpenShift Developer Tools and Services 4.19",
"product_id": "OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.19"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le as a component of OpenShift Developer Tools and Services 4.19",
"product_id": "OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.19"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x as a component of OpenShift Developer Tools and Services 4.19",
"product_id": "OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.19"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64 as a component of OpenShift Developer Tools and Services 4.19",
"product_id": "OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.19"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64 as a component of OpenShift Developer Tools and Services 4.19",
"product_id": "OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.19"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le as a component of OpenShift Developer Tools and Services 4.19",
"product_id": "OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.19"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x as a component of OpenShift Developer Tools and Services 4.19",
"product_id": "OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.19"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-29371",
"cwe": {
"id": "CWE-409",
"name": "Improper Handling of Highly Compressed Data (Data Amplification)"
},
"discovery_date": "2025-12-17T16:01:18.173727+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2423194"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in jose4j. A remote attacker can exploit this by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression. This can lead to a Denial of Service, making the service unavailable to legitimate users.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jose4j: jose4j: Denial of Service via malicious JSON Web Encryption (JWE) token compression",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated Important as it can lead to a Denial of Service in applications that process untrusted JSON Web Encryption tokens. An attacker can craft a malicious JWE token with an exceptionally high compression ratio, causing excessive memory allocation and processing time during decompression in affected components like jose4j. This affects products such as Red Hat AMQ, Enterprise Application Platform (EAP 8.0.z, 8.1.z), Red Hat JBoss Fuse, JBoss Data Grid, OpenShift Developer Tools \u0026 Services, Red Hat build of Apache Camel, Red Hat Integration, Red Hat OpenShift Dev Spaces, Red Hat Process Automation Manager, Red Hat Single Sign-On (RH-SSO), Insights, cloud.redhat.com, and OpenShift Serverless.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-29371"
},
{
"category": "external",
"summary": "RHBZ#2423194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2423194"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-29371",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-29371"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-29371",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29371"
},
{
"category": "external",
"summary": "https://bitbucket.org/b_c/jose4j/issues/220/vuln-zip-bomb-attack",
"url": "https://bitbucket.org/b_c/jose4j/issues/220/vuln-zip-bomb-attack"
}
],
"release_date": "2025-12-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T17:15:37+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.19 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10206"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jose4j: jose4j: Denial of Service via malicious JSON Web Encryption (JWE) token compression"
},
{
"cve": "CVE-2026-27099",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2026-02-18T15:02:52.012661+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2440638"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jenkins. This vulnerability, identified as a stored cross-site scripting (XSS) issue, occurs because Jenkins does not properly escape the user-provided description for the \"Mark temporarily offline\" cause. An attacker with Agent/Configure or Agent/Disconnect permissions can exploit this to inject malicious scripts, leading to potential information disclosure or unauthorized actions within the user\u0027s browser.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.jenkins-ci.main/jenkins-core: Jenkins: Stored Cross-site Scripting (XSS) via unescaped user-provided offline cause description",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability in Jenkins allows authenticated attackers with Agent/Configure or Agent/Disconnect permissions to inject malicious scripts into the \"Mark temporarily offline\" cause description. This stored cross-site scripting (XSS) flaw can lead to information disclosure or unauthorized actions within a user\u0027s browser when viewing the affected description. Red Hat OpenShift Developer Tools \u0026 Services are affected.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-27099"
},
{
"category": "external",
"summary": "RHBZ#2440638",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440638"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-27099",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27099"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-27099",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27099"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3669",
"url": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3669"
}
],
"release_date": "2026-02-18T14:17:43.911000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T17:15:37+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.19 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10206"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "org.jenkins-ci.main/jenkins-core: Jenkins: Stored Cross-site Scripting (XSS) via unescaped user-provided offline cause description"
},
{
"cve": "CVE-2026-27100",
"cwe": {
"id": "CWE-551",
"name": "Incorrect Behavior Order: Authorization Before Parsing and Canonicalization"
},
"discovery_date": "2026-02-18T15:02:47.032150+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2440637"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jenkins. An attacker with Item/Build and Item/Configure permissions can exploit this vulnerability by submitting Run Parameter values that refer to builds they do not have authorization to access. This allows the attacker to obtain sensitive information, including the existence of jobs, the existence of builds, and the display names of specific builds. This is an information disclosure vulnerability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.jenkins-ci.main/jenkins-core: Jenkins: Information disclosure via unauthorized access to build parameters",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This information disclosure vulnerability in Jenkins allows an attacker with Item/Build and Item/Configure permissions to gain knowledge about the existence and display names of jobs and builds they are not authorized to access. This affects Jenkins instances in OpenShift Developer Tools \u0026 Services.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-27100"
},
{
"category": "external",
"summary": "RHBZ#2440637",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440637"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-27100",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27100"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-27100",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27100"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3658",
"url": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3658"
}
],
"release_date": "2026-02-18T14:17:44.672000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T17:15:37+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.19 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10206"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "org.jenkins-ci.main/jenkins-core: Jenkins: Information disclosure via unauthorized access to build parameters"
},
{
"cve": "CVE-2026-33001",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2026-03-18T16:02:14.310096+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2448645"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jenkins. This vulnerability allows attackers with Item/Configure permission, or those who can control agent processes, to exploit unsafe handling of symbolic links during the extraction of .tar and .tar.gz archives. By crafting malicious archives, an attacker can write files to arbitrary locations on the filesystem. This could enable the deployment of malicious scripts or plugins on the Jenkins controller, potentially leading to unauthorized code execution.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins: Jenkins: Arbitrary file write and potential code execution through crafted archives",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-33001"
},
{
"category": "external",
"summary": "RHBZ#2448645",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448645"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-33001",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33001"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-33001",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33001"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3657",
"url": "https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3657"
}
],
"release_date": "2026-03-18T15:15:23.950000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T17:15:37+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.19 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10206"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jenkins: Jenkins: Arbitrary file write and potential code execution through crafted archives"
}
]
}
RHSA-2026:10209
Vulnerability from csaf_redhat - Published: 2026-04-23 17:20 - Updated: 2026-05-05 03:16Summary
Red Hat Security Advisory: Release of Red Hat OpenShift Developer Tools - Openshift Jenkins 4.12 security update.
Severity
Important
Notes
Topic: An update for Openshift Jenkins is now available for Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.12.
Details: Release of Red Hat OpenShift Developer Tools - Openshift Jenkins 4.12 security update.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in jose4j. A remote attacker can exploit this by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression. This can lead to a Denial of Service, making the service unavailable to legitimate users.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64 | — |
Vendor Fix
fix
|
Known not affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64 | — |
Threats
Impact
Important
A flaw was found in Jenkins. This vulnerability, identified as a stored cross-site scripting (XSS) issue, occurs because Jenkins does not properly escape the user-provided description for the "Mark temporarily offline" cause. An attacker with Agent/Configure or Agent/Disconnect permissions can exploit this to inject malicious scripts, leading to potential information disclosure or unauthorized actions within the user's browser.
4.6 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64 | — |
Vendor Fix
fix
|
Known not affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64 | — |
Threats
Impact
Moderate
A flaw was found in Jenkins. An attacker with Item/Build and Item/Configure permissions can exploit this vulnerability by submitting Run Parameter values that refer to builds they do not have authorization to access. This allows the attacker to obtain sensitive information, including the existence of jobs, the existence of builds, and the display names of specific builds. This is an information disclosure vulnerability.
4.3 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64 | — |
Vendor Fix
fix
|
Known not affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64 | — |
Threats
Impact
Moderate
A flaw was found in Jenkins. This vulnerability allows attackers with Item/Configure permission, or those who can control agent processes, to exploit unsafe handling of symbolic links during the extraction of .tar and .tar.gz archives. By crafting malicious archives, an attacker can write files to arbitrary locations on the filesystem. This could enable the deployment of malicious scripts or plugins on the Jenkins controller, potentially leading to unauthorized code execution.
8.8 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64 | — |
Vendor Fix
fix
|
Known not affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64 | — |
Threats
Impact
Important
References
29 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for Openshift Jenkins is now available for Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.12.",
"title": "Topic"
},
{
"category": "general",
"text": "Release of Red Hat OpenShift Developer Tools - Openshift Jenkins 4.12 security update.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:10209",
"url": "https://access.redhat.com/errata/RHSA-2026:10209"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2024-29371",
"url": "https://access.redhat.com/security/cve/CVE-2024-29371"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-27099",
"url": "https://access.redhat.com/security/cve/CVE-2026-27099"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-27100",
"url": "https://access.redhat.com/security/cve/CVE-2026-27100"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-33001",
"url": "https://access.redhat.com/security/cve/CVE-2026-33001"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://docs.redhat.com/en/documentation/openshift_container_platform/4.12/html/jenkins",
"url": "https://docs.redhat.com/en/documentation/openshift_container_platform/4.12/html/jenkins"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_10209.json"
}
],
"title": "Red Hat Security Advisory: Release of Red Hat OpenShift Developer Tools - Openshift Jenkins 4.12 security update.",
"tracking": {
"current_release_date": "2026-05-05T03:16:33+00:00",
"generator": {
"date": "2026-05-05T03:16:33+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.9"
}
},
"id": "RHSA-2026:10209",
"initial_release_date": "2026-04-23T17:20:35+00:00",
"revision_history": [
{
"date": "2026-04-23T17:20:35+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-04-23T17:20:47+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-05T03:16:33+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "OpenShift Developer Tools and Services 4.12",
"product": {
"name": "OpenShift Developer Tools and Services 4.12",
"product_id": "OpenShift Developer Tools and Services 4.12",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:ocp_tools:4.12::el8"
}
}
}
],
"category": "product_family",
"name": "OpenShift Developer Tools and Services"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel8@sha256%3Aad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872?arch=amd64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776760341"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-rhel8@sha256%3A8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7?arch=amd64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776764096"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel8@sha256%3A3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230?arch=arm64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776760341"
}
}
}
],
"category": "architecture",
"name": "arm64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel8@sha256%3A7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056?arch=ppc64le\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776760341"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel8@sha256%3A3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39?arch=s390x\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776760341"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64 as a component of OpenShift Developer Tools and Services 4.12",
"product_id": "OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x as a component of OpenShift Developer Tools and Services 4.12",
"product_id": "OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le as a component of OpenShift Developer Tools and Services 4.12",
"product_id": "OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64 as a component of OpenShift Developer Tools and Services 4.12",
"product_id": "OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64 as a component of OpenShift Developer Tools and Services 4.12",
"product_id": "OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.12"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-29371",
"cwe": {
"id": "CWE-409",
"name": "Improper Handling of Highly Compressed Data (Data Amplification)"
},
"discovery_date": "2025-12-17T16:01:18.173727+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2423194"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in jose4j. A remote attacker can exploit this by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression. This can lead to a Denial of Service, making the service unavailable to legitimate users.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jose4j: jose4j: Denial of Service via malicious JSON Web Encryption (JWE) token compression",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated Important as it can lead to a Denial of Service in applications that process untrusted JSON Web Encryption tokens. An attacker can craft a malicious JWE token with an exceptionally high compression ratio, causing excessive memory allocation and processing time during decompression in affected components like jose4j. This affects products such as Red Hat AMQ, Enterprise Application Platform (EAP 8.0.z, 8.1.z), Red Hat JBoss Fuse, JBoss Data Grid, OpenShift Developer Tools \u0026 Services, Red Hat build of Apache Camel, Red Hat Integration, Red Hat OpenShift Dev Spaces, Red Hat Process Automation Manager, Red Hat Single Sign-On (RH-SSO), Insights, cloud.redhat.com, and OpenShift Serverless.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-29371"
},
{
"category": "external",
"summary": "RHBZ#2423194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2423194"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-29371",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-29371"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-29371",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29371"
},
{
"category": "external",
"summary": "https://bitbucket.org/b_c/jose4j/issues/220/vuln-zip-bomb-attack",
"url": "https://bitbucket.org/b_c/jose4j/issues/220/vuln-zip-bomb-attack"
}
],
"release_date": "2025-12-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T17:20:35+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.12 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10209"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jose4j: jose4j: Denial of Service via malicious JSON Web Encryption (JWE) token compression"
},
{
"cve": "CVE-2026-27099",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2026-02-18T15:02:52.012661+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2440638"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jenkins. This vulnerability, identified as a stored cross-site scripting (XSS) issue, occurs because Jenkins does not properly escape the user-provided description for the \"Mark temporarily offline\" cause. An attacker with Agent/Configure or Agent/Disconnect permissions can exploit this to inject malicious scripts, leading to potential information disclosure or unauthorized actions within the user\u0027s browser.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.jenkins-ci.main/jenkins-core: Jenkins: Stored Cross-site Scripting (XSS) via unescaped user-provided offline cause description",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability in Jenkins allows authenticated attackers with Agent/Configure or Agent/Disconnect permissions to inject malicious scripts into the \"Mark temporarily offline\" cause description. This stored cross-site scripting (XSS) flaw can lead to information disclosure or unauthorized actions within a user\u0027s browser when viewing the affected description. Red Hat OpenShift Developer Tools \u0026 Services are affected.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-27099"
},
{
"category": "external",
"summary": "RHBZ#2440638",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440638"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-27099",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27099"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-27099",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27099"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3669",
"url": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3669"
}
],
"release_date": "2026-02-18T14:17:43.911000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T17:20:35+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.12 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10209"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "org.jenkins-ci.main/jenkins-core: Jenkins: Stored Cross-site Scripting (XSS) via unescaped user-provided offline cause description"
},
{
"cve": "CVE-2026-27100",
"cwe": {
"id": "CWE-551",
"name": "Incorrect Behavior Order: Authorization Before Parsing and Canonicalization"
},
"discovery_date": "2026-02-18T15:02:47.032150+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2440637"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jenkins. An attacker with Item/Build and Item/Configure permissions can exploit this vulnerability by submitting Run Parameter values that refer to builds they do not have authorization to access. This allows the attacker to obtain sensitive information, including the existence of jobs, the existence of builds, and the display names of specific builds. This is an information disclosure vulnerability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.jenkins-ci.main/jenkins-core: Jenkins: Information disclosure via unauthorized access to build parameters",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This information disclosure vulnerability in Jenkins allows an attacker with Item/Build and Item/Configure permissions to gain knowledge about the existence and display names of jobs and builds they are not authorized to access. This affects Jenkins instances in OpenShift Developer Tools \u0026 Services.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-27100"
},
{
"category": "external",
"summary": "RHBZ#2440637",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440637"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-27100",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27100"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-27100",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27100"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3658",
"url": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3658"
}
],
"release_date": "2026-02-18T14:17:44.672000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T17:20:35+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.12 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10209"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "org.jenkins-ci.main/jenkins-core: Jenkins: Information disclosure via unauthorized access to build parameters"
},
{
"cve": "CVE-2026-33001",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2026-03-18T16:02:14.310096+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2448645"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jenkins. This vulnerability allows attackers with Item/Configure permission, or those who can control agent processes, to exploit unsafe handling of symbolic links during the extraction of .tar and .tar.gz archives. By crafting malicious archives, an attacker can write files to arbitrary locations on the filesystem. This could enable the deployment of malicious scripts or plugins on the Jenkins controller, potentially leading to unauthorized code execution.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins: Jenkins: Arbitrary file write and potential code execution through crafted archives",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-33001"
},
{
"category": "external",
"summary": "RHBZ#2448645",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448645"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-33001",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33001"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-33001",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33001"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3657",
"url": "https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3657"
}
],
"release_date": "2026-03-18T15:15:23.950000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T17:20:35+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.12 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10209"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jenkins: Jenkins: Arbitrary file write and potential code execution through crafted archives"
}
]
}
RHSA-2026:10211
Vulnerability from csaf_redhat - Published: 2026-04-23 17:21 - Updated: 2026-05-05 03:16Summary
Red Hat Security Advisory: Release of Red Hat OpenShift Developer Tools - Openshift Jenkins 4.14 security update.
Severity
Important
Notes
Topic: An update for Openshift Jenkins is now available for Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.14.
Details: Release of Red Hat OpenShift Developer Tools - Openshift Jenkins 4.14 security update.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in jose4j. A remote attacker can exploit this by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression. This can lead to a Denial of Service, making the service unavailable to legitimate users.
7.5 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x | — |
Vendor Fix
fix
|
Known not affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64 | — |
Threats
Impact
Important
A flaw was found in Jenkins. This vulnerability, identified as a stored cross-site scripting (XSS) issue, occurs because Jenkins does not properly escape the user-provided description for the "Mark temporarily offline" cause. An attacker with Agent/Configure or Agent/Disconnect permissions can exploit this to inject malicious scripts, leading to potential information disclosure or unauthorized actions within the user's browser.
4.6 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x | — |
Vendor Fix
fix
|
Known not affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64 | — |
Threats
Impact
Moderate
A flaw was found in Jenkins. An attacker with Item/Build and Item/Configure permissions can exploit this vulnerability by submitting Run Parameter values that refer to builds they do not have authorization to access. This allows the attacker to obtain sensitive information, including the existence of jobs, the existence of builds, and the display names of specific builds. This is an information disclosure vulnerability.
4.3 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x | — |
Vendor Fix
fix
|
Known not affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64 | — |
Threats
Impact
Moderate
A flaw was found in Jenkins. This vulnerability allows attackers with Item/Configure permission, or those who can control agent processes, to exploit unsafe handling of symbolic links during the extraction of .tar and .tar.gz archives. By crafting malicious archives, an attacker can write files to arbitrary locations on the filesystem. This could enable the deployment of malicious scripts or plugins on the Jenkins controller, potentially leading to unauthorized code execution.
8.8 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x | — |
Vendor Fix
fix
|
Known not affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64 | — |
Threats
Impact
Important
References
29 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for Openshift Jenkins is now available for Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.14.",
"title": "Topic"
},
{
"category": "general",
"text": "Release of Red Hat OpenShift Developer Tools - Openshift Jenkins 4.14 security update.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:10211",
"url": "https://access.redhat.com/errata/RHSA-2026:10211"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2024-29371",
"url": "https://access.redhat.com/security/cve/CVE-2024-29371"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-27099",
"url": "https://access.redhat.com/security/cve/CVE-2026-27099"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-27100",
"url": "https://access.redhat.com/security/cve/CVE-2026-27100"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-33001",
"url": "https://access.redhat.com/security/cve/CVE-2026-33001"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://docs.redhat.com/en/documentation/openshift_container_platform/4.14/html/jenkins",
"url": "https://docs.redhat.com/en/documentation/openshift_container_platform/4.14/html/jenkins"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_10211.json"
}
],
"title": "Red Hat Security Advisory: Release of Red Hat OpenShift Developer Tools - Openshift Jenkins 4.14 security update.",
"tracking": {
"current_release_date": "2026-05-05T03:16:33+00:00",
"generator": {
"date": "2026-05-05T03:16:33+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.9"
}
},
"id": "RHSA-2026:10211",
"initial_release_date": "2026-04-23T17:21:09+00:00",
"revision_history": [
{
"date": "2026-04-23T17:21:09+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-04-23T17:21:16+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-05T03:16:33+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "OpenShift Developer Tools and Services 4.14",
"product": {
"name": "OpenShift Developer Tools and Services 4.14",
"product_id": "OpenShift Developer Tools and Services 4.14",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:ocp_tools:4.14::el8"
}
}
}
],
"category": "product_family",
"name": "OpenShift Developer Tools and Services"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel8@sha256%3Aad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872?arch=amd64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776760341"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-rhel8@sha256%3A5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d?arch=amd64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776762347"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel8@sha256%3A3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230?arch=arm64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776760341"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-rhel8@sha256%3Aec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae?arch=arm64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776762347"
}
}
}
],
"category": "architecture",
"name": "arm64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel8@sha256%3A7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056?arch=ppc64le\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776760341"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-rhel8@sha256%3A02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c?arch=ppc64le\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776762347"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel8@sha256%3A3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39?arch=s390x\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776760341"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-rhel8@sha256%3Afa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8?arch=s390x\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776762347"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64 as a component of OpenShift Developer Tools and Services 4.14",
"product_id": "OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.14"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x as a component of OpenShift Developer Tools and Services 4.14",
"product_id": "OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.14"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le as a component of OpenShift Developer Tools and Services 4.14",
"product_id": "OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.14"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64 as a component of OpenShift Developer Tools and Services 4.14",
"product_id": "OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.14"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le as a component of OpenShift Developer Tools and Services 4.14",
"product_id": "OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.14"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64 as a component of OpenShift Developer Tools and Services 4.14",
"product_id": "OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.14"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64 as a component of OpenShift Developer Tools and Services 4.14",
"product_id": "OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.14"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x as a component of OpenShift Developer Tools and Services 4.14",
"product_id": "OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.14"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-29371",
"cwe": {
"id": "CWE-409",
"name": "Improper Handling of Highly Compressed Data (Data Amplification)"
},
"discovery_date": "2025-12-17T16:01:18.173727+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2423194"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in jose4j. A remote attacker can exploit this by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression. This can lead to a Denial of Service, making the service unavailable to legitimate users.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jose4j: jose4j: Denial of Service via malicious JSON Web Encryption (JWE) token compression",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated Important as it can lead to a Denial of Service in applications that process untrusted JSON Web Encryption tokens. An attacker can craft a malicious JWE token with an exceptionally high compression ratio, causing excessive memory allocation and processing time during decompression in affected components like jose4j. This affects products such as Red Hat AMQ, Enterprise Application Platform (EAP 8.0.z, 8.1.z), Red Hat JBoss Fuse, JBoss Data Grid, OpenShift Developer Tools \u0026 Services, Red Hat build of Apache Camel, Red Hat Integration, Red Hat OpenShift Dev Spaces, Red Hat Process Automation Manager, Red Hat Single Sign-On (RH-SSO), Insights, cloud.redhat.com, and OpenShift Serverless.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-29371"
},
{
"category": "external",
"summary": "RHBZ#2423194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2423194"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-29371",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-29371"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-29371",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29371"
},
{
"category": "external",
"summary": "https://bitbucket.org/b_c/jose4j/issues/220/vuln-zip-bomb-attack",
"url": "https://bitbucket.org/b_c/jose4j/issues/220/vuln-zip-bomb-attack"
}
],
"release_date": "2025-12-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T17:21:09+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.14 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10211"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jose4j: jose4j: Denial of Service via malicious JSON Web Encryption (JWE) token compression"
},
{
"cve": "CVE-2026-27099",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2026-02-18T15:02:52.012661+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2440638"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jenkins. This vulnerability, identified as a stored cross-site scripting (XSS) issue, occurs because Jenkins does not properly escape the user-provided description for the \"Mark temporarily offline\" cause. An attacker with Agent/Configure or Agent/Disconnect permissions can exploit this to inject malicious scripts, leading to potential information disclosure or unauthorized actions within the user\u0027s browser.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.jenkins-ci.main/jenkins-core: Jenkins: Stored Cross-site Scripting (XSS) via unescaped user-provided offline cause description",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability in Jenkins allows authenticated attackers with Agent/Configure or Agent/Disconnect permissions to inject malicious scripts into the \"Mark temporarily offline\" cause description. This stored cross-site scripting (XSS) flaw can lead to information disclosure or unauthorized actions within a user\u0027s browser when viewing the affected description. Red Hat OpenShift Developer Tools \u0026 Services are affected.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-27099"
},
{
"category": "external",
"summary": "RHBZ#2440638",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440638"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-27099",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27099"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-27099",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27099"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3669",
"url": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3669"
}
],
"release_date": "2026-02-18T14:17:43.911000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T17:21:09+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.14 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10211"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "org.jenkins-ci.main/jenkins-core: Jenkins: Stored Cross-site Scripting (XSS) via unescaped user-provided offline cause description"
},
{
"cve": "CVE-2026-27100",
"cwe": {
"id": "CWE-551",
"name": "Incorrect Behavior Order: Authorization Before Parsing and Canonicalization"
},
"discovery_date": "2026-02-18T15:02:47.032150+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2440637"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jenkins. An attacker with Item/Build and Item/Configure permissions can exploit this vulnerability by submitting Run Parameter values that refer to builds they do not have authorization to access. This allows the attacker to obtain sensitive information, including the existence of jobs, the existence of builds, and the display names of specific builds. This is an information disclosure vulnerability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.jenkins-ci.main/jenkins-core: Jenkins: Information disclosure via unauthorized access to build parameters",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This information disclosure vulnerability in Jenkins allows an attacker with Item/Build and Item/Configure permissions to gain knowledge about the existence and display names of jobs and builds they are not authorized to access. This affects Jenkins instances in OpenShift Developer Tools \u0026 Services.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-27100"
},
{
"category": "external",
"summary": "RHBZ#2440637",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440637"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-27100",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27100"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-27100",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27100"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3658",
"url": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3658"
}
],
"release_date": "2026-02-18T14:17:44.672000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T17:21:09+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.14 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10211"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "org.jenkins-ci.main/jenkins-core: Jenkins: Information disclosure via unauthorized access to build parameters"
},
{
"cve": "CVE-2026-33001",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2026-03-18T16:02:14.310096+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2448645"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jenkins. This vulnerability allows attackers with Item/Configure permission, or those who can control agent processes, to exploit unsafe handling of symbolic links during the extraction of .tar and .tar.gz archives. By crafting malicious archives, an attacker can write files to arbitrary locations on the filesystem. This could enable the deployment of malicious scripts or plugins on the Jenkins controller, potentially leading to unauthorized code execution.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins: Jenkins: Arbitrary file write and potential code execution through crafted archives",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-33001"
},
{
"category": "external",
"summary": "RHBZ#2448645",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448645"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-33001",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33001"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-33001",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33001"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3657",
"url": "https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3657"
}
],
"release_date": "2026-03-18T15:15:23.950000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T17:21:09+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.14 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10211"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jenkins: Jenkins: Arbitrary file write and potential code execution through crafted archives"
}
]
}
RHSA-2026:10213
Vulnerability from csaf_redhat - Published: 2026-04-23 17:30 - Updated: 2026-05-05 03:16Summary
Red Hat Security Advisory: Release of Red Hat OpenShift Developer Tools - Openshift Jenkins 4.17 security update.
Severity
Important
Notes
Topic: An update for Openshift Jenkins is now available for Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.17.
Details: Release of Red Hat OpenShift Developer Tools - Openshift Jenkins 4.17 security update.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in jose4j. A remote attacker can exploit this by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression. This can lead to a Denial of Service, making the service unavailable to legitimate users.
7.5 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x | — |
Vendor Fix
fix
|
Known not affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x | — |
Threats
Impact
Important
A flaw was found in Jenkins. This vulnerability, identified as a stored cross-site scripting (XSS) issue, occurs because Jenkins does not properly escape the user-provided description for the "Mark temporarily offline" cause. An attacker with Agent/Configure or Agent/Disconnect permissions can exploit this to inject malicious scripts, leading to potential information disclosure or unauthorized actions within the user's browser.
4.6 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x | — |
Vendor Fix
fix
|
Known not affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x | — |
Threats
Impact
Moderate
A flaw was found in Jenkins. An attacker with Item/Build and Item/Configure permissions can exploit this vulnerability by submitting Run Parameter values that refer to builds they do not have authorization to access. This allows the attacker to obtain sensitive information, including the existence of jobs, the existence of builds, and the display names of specific builds. This is an information disclosure vulnerability.
4.3 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x | — |
Vendor Fix
fix
|
Known not affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x | — |
Threats
Impact
Moderate
A flaw was found in Jenkins. This vulnerability allows attackers with Item/Configure permission, or those who can control agent processes, to exploit unsafe handling of symbolic links during the extraction of .tar and .tar.gz archives. By crafting malicious archives, an attacker can write files to arbitrary locations on the filesystem. This could enable the deployment of malicious scripts or plugins on the Jenkins controller, potentially leading to unauthorized code execution.
8.8 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x | — |
Vendor Fix
fix
|
Known not affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x | — |
Threats
Impact
Important
References
29 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for Openshift Jenkins is now available for Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.17.",
"title": "Topic"
},
{
"category": "general",
"text": "Release of Red Hat OpenShift Developer Tools - Openshift Jenkins 4.17 security update.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:10213",
"url": "https://access.redhat.com/errata/RHSA-2026:10213"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2024-29371",
"url": "https://access.redhat.com/security/cve/CVE-2024-29371"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-27099",
"url": "https://access.redhat.com/security/cve/CVE-2026-27099"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-27100",
"url": "https://access.redhat.com/security/cve/CVE-2026-27100"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-33001",
"url": "https://access.redhat.com/security/cve/CVE-2026-33001"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://docs.redhat.com/en/documentation/openshift_container_platform/4.17/html/jenkins",
"url": "https://docs.redhat.com/en/documentation/openshift_container_platform/4.17/html/jenkins"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_10213.json"
}
],
"title": "Red Hat Security Advisory: Release of Red Hat OpenShift Developer Tools - Openshift Jenkins 4.17 security update.",
"tracking": {
"current_release_date": "2026-05-05T03:16:34+00:00",
"generator": {
"date": "2026-05-05T03:16:34+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.9"
}
},
"id": "RHSA-2026:10213",
"initial_release_date": "2026-04-23T17:30:00+00:00",
"revision_history": [
{
"date": "2026-04-23T17:30:00+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-04-23T17:30:05+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-05T03:16:34+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "OpenShift Developer Tools and Services 4.17",
"product": {
"name": "OpenShift Developer Tools and Services 4.17",
"product_id": "OpenShift Developer Tools and Services 4.17",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:ocp_tools:4.17::el9"
}
}
}
],
"category": "product_family",
"name": "OpenShift Developer Tools and Services"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel9@sha256%3A960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd?arch=amd64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944183"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-rhel9@sha256%3A0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630?arch=amd64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944215"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel9@sha256%3A486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97?arch=arm64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944183"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-rhel9@sha256%3A1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4?arch=arm64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944215"
}
}
}
],
"category": "architecture",
"name": "arm64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel9@sha256%3Aa41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190?arch=ppc64le\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944183"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-rhel9@sha256%3Aab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454?arch=ppc64le\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944215"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel9@sha256%3Acef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96?arch=s390x\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944183"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-rhel9@sha256%3Ab453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7?arch=s390x\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944215"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64 as a component of OpenShift Developer Tools and Services 4.17",
"product_id": "OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.17"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64 as a component of OpenShift Developer Tools and Services 4.17",
"product_id": "OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.17"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le as a component of OpenShift Developer Tools and Services 4.17",
"product_id": "OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.17"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x as a component of OpenShift Developer Tools and Services 4.17",
"product_id": "OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.17"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64 as a component of OpenShift Developer Tools and Services 4.17",
"product_id": "OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.17"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64 as a component of OpenShift Developer Tools and Services 4.17",
"product_id": "OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.17"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le as a component of OpenShift Developer Tools and Services 4.17",
"product_id": "OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.17"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x as a component of OpenShift Developer Tools and Services 4.17",
"product_id": "OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.17"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-29371",
"cwe": {
"id": "CWE-409",
"name": "Improper Handling of Highly Compressed Data (Data Amplification)"
},
"discovery_date": "2025-12-17T16:01:18.173727+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2423194"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in jose4j. A remote attacker can exploit this by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression. This can lead to a Denial of Service, making the service unavailable to legitimate users.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jose4j: jose4j: Denial of Service via malicious JSON Web Encryption (JWE) token compression",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated Important as it can lead to a Denial of Service in applications that process untrusted JSON Web Encryption tokens. An attacker can craft a malicious JWE token with an exceptionally high compression ratio, causing excessive memory allocation and processing time during decompression in affected components like jose4j. This affects products such as Red Hat AMQ, Enterprise Application Platform (EAP 8.0.z, 8.1.z), Red Hat JBoss Fuse, JBoss Data Grid, OpenShift Developer Tools \u0026 Services, Red Hat build of Apache Camel, Red Hat Integration, Red Hat OpenShift Dev Spaces, Red Hat Process Automation Manager, Red Hat Single Sign-On (RH-SSO), Insights, cloud.redhat.com, and OpenShift Serverless.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-29371"
},
{
"category": "external",
"summary": "RHBZ#2423194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2423194"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-29371",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-29371"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-29371",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29371"
},
{
"category": "external",
"summary": "https://bitbucket.org/b_c/jose4j/issues/220/vuln-zip-bomb-attack",
"url": "https://bitbucket.org/b_c/jose4j/issues/220/vuln-zip-bomb-attack"
}
],
"release_date": "2025-12-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T17:30:00+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.17 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10213"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jose4j: jose4j: Denial of Service via malicious JSON Web Encryption (JWE) token compression"
},
{
"cve": "CVE-2026-27099",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2026-02-18T15:02:52.012661+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2440638"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jenkins. This vulnerability, identified as a stored cross-site scripting (XSS) issue, occurs because Jenkins does not properly escape the user-provided description for the \"Mark temporarily offline\" cause. An attacker with Agent/Configure or Agent/Disconnect permissions can exploit this to inject malicious scripts, leading to potential information disclosure or unauthorized actions within the user\u0027s browser.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.jenkins-ci.main/jenkins-core: Jenkins: Stored Cross-site Scripting (XSS) via unescaped user-provided offline cause description",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability in Jenkins allows authenticated attackers with Agent/Configure or Agent/Disconnect permissions to inject malicious scripts into the \"Mark temporarily offline\" cause description. This stored cross-site scripting (XSS) flaw can lead to information disclosure or unauthorized actions within a user\u0027s browser when viewing the affected description. Red Hat OpenShift Developer Tools \u0026 Services are affected.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-27099"
},
{
"category": "external",
"summary": "RHBZ#2440638",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440638"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-27099",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27099"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-27099",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27099"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3669",
"url": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3669"
}
],
"release_date": "2026-02-18T14:17:43.911000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T17:30:00+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.17 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10213"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "org.jenkins-ci.main/jenkins-core: Jenkins: Stored Cross-site Scripting (XSS) via unescaped user-provided offline cause description"
},
{
"cve": "CVE-2026-27100",
"cwe": {
"id": "CWE-551",
"name": "Incorrect Behavior Order: Authorization Before Parsing and Canonicalization"
},
"discovery_date": "2026-02-18T15:02:47.032150+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2440637"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jenkins. An attacker with Item/Build and Item/Configure permissions can exploit this vulnerability by submitting Run Parameter values that refer to builds they do not have authorization to access. This allows the attacker to obtain sensitive information, including the existence of jobs, the existence of builds, and the display names of specific builds. This is an information disclosure vulnerability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.jenkins-ci.main/jenkins-core: Jenkins: Information disclosure via unauthorized access to build parameters",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This information disclosure vulnerability in Jenkins allows an attacker with Item/Build and Item/Configure permissions to gain knowledge about the existence and display names of jobs and builds they are not authorized to access. This affects Jenkins instances in OpenShift Developer Tools \u0026 Services.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-27100"
},
{
"category": "external",
"summary": "RHBZ#2440637",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440637"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-27100",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27100"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-27100",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27100"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3658",
"url": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3658"
}
],
"release_date": "2026-02-18T14:17:44.672000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T17:30:00+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.17 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10213"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "org.jenkins-ci.main/jenkins-core: Jenkins: Information disclosure via unauthorized access to build parameters"
},
{
"cve": "CVE-2026-33001",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2026-03-18T16:02:14.310096+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2448645"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jenkins. This vulnerability allows attackers with Item/Configure permission, or those who can control agent processes, to exploit unsafe handling of symbolic links during the extraction of .tar and .tar.gz archives. By crafting malicious archives, an attacker can write files to arbitrary locations on the filesystem. This could enable the deployment of malicious scripts or plugins on the Jenkins controller, potentially leading to unauthorized code execution.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins: Jenkins: Arbitrary file write and potential code execution through crafted archives",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-33001"
},
{
"category": "external",
"summary": "RHBZ#2448645",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448645"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-33001",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33001"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-33001",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33001"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3657",
"url": "https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3657"
}
],
"release_date": "2026-03-18T15:15:23.950000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T17:30:00+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.17 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10213"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jenkins: Jenkins: Arbitrary file write and potential code execution through crafted archives"
}
]
}
RHSA-2026:10214
Vulnerability from csaf_redhat - Published: 2026-04-23 17:30 - Updated: 2026-05-05 03:16Summary
Red Hat Security Advisory: Release of Red Hat OpenShift Developer Tools - Openshift Jenkins 4.16 security update.
Severity
Important
Notes
Topic: An update for Openshift Jenkins is now available for Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.16.
Details: Release of Red Hat OpenShift Developer Tools - Openshift Jenkins 4.16 security update.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in jose4j. A remote attacker can exploit this by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression. This can lead to a Denial of Service, making the service unavailable to legitimate users.
7.5 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x | — |
Vendor Fix
fix
|
Known not affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x | — |
Threats
Impact
Important
A flaw was found in Jenkins. This vulnerability, identified as a stored cross-site scripting (XSS) issue, occurs because Jenkins does not properly escape the user-provided description for the "Mark temporarily offline" cause. An attacker with Agent/Configure or Agent/Disconnect permissions can exploit this to inject malicious scripts, leading to potential information disclosure or unauthorized actions within the user's browser.
4.6 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x | — |
Vendor Fix
fix
|
Known not affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x | — |
Threats
Impact
Moderate
A flaw was found in Jenkins. An attacker with Item/Build and Item/Configure permissions can exploit this vulnerability by submitting Run Parameter values that refer to builds they do not have authorization to access. This allows the attacker to obtain sensitive information, including the existence of jobs, the existence of builds, and the display names of specific builds. This is an information disclosure vulnerability.
4.3 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x | — |
Vendor Fix
fix
|
Known not affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x | — |
Threats
Impact
Moderate
A flaw was found in Jenkins. This vulnerability allows attackers with Item/Configure permission, or those who can control agent processes, to exploit unsafe handling of symbolic links during the extraction of .tar and .tar.gz archives. By crafting malicious archives, an attacker can write files to arbitrary locations on the filesystem. This could enable the deployment of malicious scripts or plugins on the Jenkins controller, potentially leading to unauthorized code execution.
8.8 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x | — |
Vendor Fix
fix
|
Known not affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x | — |
Threats
Impact
Important
References
29 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for Openshift Jenkins is now available for Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.16.",
"title": "Topic"
},
{
"category": "general",
"text": "Release of Red Hat OpenShift Developer Tools - Openshift Jenkins 4.16 security update.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:10214",
"url": "https://access.redhat.com/errata/RHSA-2026:10214"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2024-29371",
"url": "https://access.redhat.com/security/cve/CVE-2024-29371"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-27099",
"url": "https://access.redhat.com/security/cve/CVE-2026-27099"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-27100",
"url": "https://access.redhat.com/security/cve/CVE-2026-27100"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-33001",
"url": "https://access.redhat.com/security/cve/CVE-2026-33001"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://docs.redhat.com/en/documentation/openshift_container_platform/4.16/html/jenkins",
"url": "https://docs.redhat.com/en/documentation/openshift_container_platform/4.16/html/jenkins"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_10214.json"
}
],
"title": "Red Hat Security Advisory: Release of Red Hat OpenShift Developer Tools - Openshift Jenkins 4.16 security update.",
"tracking": {
"current_release_date": "2026-05-05T03:16:34+00:00",
"generator": {
"date": "2026-05-05T03:16:34+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.9"
}
},
"id": "RHSA-2026:10214",
"initial_release_date": "2026-04-23T17:30:02+00:00",
"revision_history": [
{
"date": "2026-04-23T17:30:02+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-04-23T17:30:12+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-05T03:16:34+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "OpenShift Developer Tools and Services 4.16",
"product": {
"name": "OpenShift Developer Tools and Services 4.16",
"product_id": "OpenShift Developer Tools and Services 4.16",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:ocp_tools:4.16::el9"
}
}
}
],
"category": "product_family",
"name": "OpenShift Developer Tools and Services"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel9@sha256%3A960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd?arch=amd64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944183"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-rhel9@sha256%3A0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630?arch=amd64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944215"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel9@sha256%3A486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97?arch=arm64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944183"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-rhel9@sha256%3A1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4?arch=arm64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944215"
}
}
}
],
"category": "architecture",
"name": "arm64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel9@sha256%3Aa41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190?arch=ppc64le\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944183"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-rhel9@sha256%3Aab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454?arch=ppc64le\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944215"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel9@sha256%3Acef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96?arch=s390x\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944183"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-rhel9@sha256%3Ab453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7?arch=s390x\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944215"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64 as a component of OpenShift Developer Tools and Services 4.16",
"product_id": "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.16"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64 as a component of OpenShift Developer Tools and Services 4.16",
"product_id": "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.16"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le as a component of OpenShift Developer Tools and Services 4.16",
"product_id": "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.16"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x as a component of OpenShift Developer Tools and Services 4.16",
"product_id": "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.16"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64 as a component of OpenShift Developer Tools and Services 4.16",
"product_id": "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.16"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64 as a component of OpenShift Developer Tools and Services 4.16",
"product_id": "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.16"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le as a component of OpenShift Developer Tools and Services 4.16",
"product_id": "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.16"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x as a component of OpenShift Developer Tools and Services 4.16",
"product_id": "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.16"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-29371",
"cwe": {
"id": "CWE-409",
"name": "Improper Handling of Highly Compressed Data (Data Amplification)"
},
"discovery_date": "2025-12-17T16:01:18.173727+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2423194"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in jose4j. A remote attacker can exploit this by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression. This can lead to a Denial of Service, making the service unavailable to legitimate users.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jose4j: jose4j: Denial of Service via malicious JSON Web Encryption (JWE) token compression",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated Important as it can lead to a Denial of Service in applications that process untrusted JSON Web Encryption tokens. An attacker can craft a malicious JWE token with an exceptionally high compression ratio, causing excessive memory allocation and processing time during decompression in affected components like jose4j. This affects products such as Red Hat AMQ, Enterprise Application Platform (EAP 8.0.z, 8.1.z), Red Hat JBoss Fuse, JBoss Data Grid, OpenShift Developer Tools \u0026 Services, Red Hat build of Apache Camel, Red Hat Integration, Red Hat OpenShift Dev Spaces, Red Hat Process Automation Manager, Red Hat Single Sign-On (RH-SSO), Insights, cloud.redhat.com, and OpenShift Serverless.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-29371"
},
{
"category": "external",
"summary": "RHBZ#2423194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2423194"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-29371",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-29371"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-29371",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29371"
},
{
"category": "external",
"summary": "https://bitbucket.org/b_c/jose4j/issues/220/vuln-zip-bomb-attack",
"url": "https://bitbucket.org/b_c/jose4j/issues/220/vuln-zip-bomb-attack"
}
],
"release_date": "2025-12-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T17:30:02+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.16 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10214"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jose4j: jose4j: Denial of Service via malicious JSON Web Encryption (JWE) token compression"
},
{
"cve": "CVE-2026-27099",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2026-02-18T15:02:52.012661+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2440638"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jenkins. This vulnerability, identified as a stored cross-site scripting (XSS) issue, occurs because Jenkins does not properly escape the user-provided description for the \"Mark temporarily offline\" cause. An attacker with Agent/Configure or Agent/Disconnect permissions can exploit this to inject malicious scripts, leading to potential information disclosure or unauthorized actions within the user\u0027s browser.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.jenkins-ci.main/jenkins-core: Jenkins: Stored Cross-site Scripting (XSS) via unescaped user-provided offline cause description",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability in Jenkins allows authenticated attackers with Agent/Configure or Agent/Disconnect permissions to inject malicious scripts into the \"Mark temporarily offline\" cause description. This stored cross-site scripting (XSS) flaw can lead to information disclosure or unauthorized actions within a user\u0027s browser when viewing the affected description. Red Hat OpenShift Developer Tools \u0026 Services are affected.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-27099"
},
{
"category": "external",
"summary": "RHBZ#2440638",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440638"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-27099",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27099"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-27099",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27099"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3669",
"url": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3669"
}
],
"release_date": "2026-02-18T14:17:43.911000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T17:30:02+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.16 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10214"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "org.jenkins-ci.main/jenkins-core: Jenkins: Stored Cross-site Scripting (XSS) via unescaped user-provided offline cause description"
},
{
"cve": "CVE-2026-27100",
"cwe": {
"id": "CWE-551",
"name": "Incorrect Behavior Order: Authorization Before Parsing and Canonicalization"
},
"discovery_date": "2026-02-18T15:02:47.032150+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2440637"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jenkins. An attacker with Item/Build and Item/Configure permissions can exploit this vulnerability by submitting Run Parameter values that refer to builds they do not have authorization to access. This allows the attacker to obtain sensitive information, including the existence of jobs, the existence of builds, and the display names of specific builds. This is an information disclosure vulnerability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.jenkins-ci.main/jenkins-core: Jenkins: Information disclosure via unauthorized access to build parameters",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This information disclosure vulnerability in Jenkins allows an attacker with Item/Build and Item/Configure permissions to gain knowledge about the existence and display names of jobs and builds they are not authorized to access. This affects Jenkins instances in OpenShift Developer Tools \u0026 Services.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-27100"
},
{
"category": "external",
"summary": "RHBZ#2440637",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440637"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-27100",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27100"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-27100",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27100"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3658",
"url": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3658"
}
],
"release_date": "2026-02-18T14:17:44.672000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T17:30:02+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.16 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10214"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "org.jenkins-ci.main/jenkins-core: Jenkins: Information disclosure via unauthorized access to build parameters"
},
{
"cve": "CVE-2026-33001",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2026-03-18T16:02:14.310096+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2448645"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jenkins. This vulnerability allows attackers with Item/Configure permission, or those who can control agent processes, to exploit unsafe handling of symbolic links during the extraction of .tar and .tar.gz archives. By crafting malicious archives, an attacker can write files to arbitrary locations on the filesystem. This could enable the deployment of malicious scripts or plugins on the Jenkins controller, potentially leading to unauthorized code execution.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins: Jenkins: Arbitrary file write and potential code execution through crafted archives",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-33001"
},
{
"category": "external",
"summary": "RHBZ#2448645",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448645"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-33001",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33001"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-33001",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33001"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3657",
"url": "https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3657"
}
],
"release_date": "2026-03-18T15:15:23.950000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T17:30:02+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.16 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10214"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jenkins: Jenkins: Arbitrary file write and potential code execution through crafted archives"
}
]
}
RHSA-2026:10215
Vulnerability from csaf_redhat - Published: 2026-04-23 17:30 - Updated: 2026-05-05 03:16Summary
Red Hat Security Advisory: Release of Red Hat OpenShift Developer Tools - Openshift Jenkins 4.18 security update.
Severity
Important
Notes
Topic: An update for Openshift Jenkins is now available for Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.18.
Details: Release of Red Hat OpenShift Developer Tools - Openshift Jenkins 4.18 security update.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in jose4j. A remote attacker can exploit this by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression. This can lead to a Denial of Service, making the service unavailable to legitimate users.
7.5 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x | — |
Vendor Fix
fix
|
Known not affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x | — |
Threats
Impact
Important
A flaw was found in Jenkins. This vulnerability, identified as a stored cross-site scripting (XSS) issue, occurs because Jenkins does not properly escape the user-provided description for the "Mark temporarily offline" cause. An attacker with Agent/Configure or Agent/Disconnect permissions can exploit this to inject malicious scripts, leading to potential information disclosure or unauthorized actions within the user's browser.
4.6 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x | — |
Vendor Fix
fix
|
Known not affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x | — |
Threats
Impact
Moderate
A flaw was found in Jenkins. An attacker with Item/Build and Item/Configure permissions can exploit this vulnerability by submitting Run Parameter values that refer to builds they do not have authorization to access. This allows the attacker to obtain sensitive information, including the existence of jobs, the existence of builds, and the display names of specific builds. This is an information disclosure vulnerability.
4.3 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x | — |
Vendor Fix
fix
|
Known not affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x | — |
Threats
Impact
Moderate
A flaw was found in Jenkins. This vulnerability allows attackers with Item/Configure permission, or those who can control agent processes, to exploit unsafe handling of symbolic links during the extraction of .tar and .tar.gz archives. By crafting malicious archives, an attacker can write files to arbitrary locations on the filesystem. This could enable the deployment of malicious scripts or plugins on the Jenkins controller, potentially leading to unauthorized code execution.
8.8 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x | — |
Vendor Fix
fix
|
Known not affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x | — |
Threats
Impact
Important
References
29 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for Openshift Jenkins is now available for Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.18.",
"title": "Topic"
},
{
"category": "general",
"text": "Release of Red Hat OpenShift Developer Tools - Openshift Jenkins 4.18 security update.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:10215",
"url": "https://access.redhat.com/errata/RHSA-2026:10215"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2024-29371",
"url": "https://access.redhat.com/security/cve/CVE-2024-29371"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-27099",
"url": "https://access.redhat.com/security/cve/CVE-2026-27099"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-27100",
"url": "https://access.redhat.com/security/cve/CVE-2026-27100"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-33001",
"url": "https://access.redhat.com/security/cve/CVE-2026-33001"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://docs.redhat.com/en/documentation/openshift_container_platform/4.18/html/jenkins",
"url": "https://docs.redhat.com/en/documentation/openshift_container_platform/4.18/html/jenkins"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_10215.json"
}
],
"title": "Red Hat Security Advisory: Release of Red Hat OpenShift Developer Tools - Openshift Jenkins 4.18 security update.",
"tracking": {
"current_release_date": "2026-05-05T03:16:34+00:00",
"generator": {
"date": "2026-05-05T03:16:34+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.9"
}
},
"id": "RHSA-2026:10215",
"initial_release_date": "2026-04-23T17:30:01+00:00",
"revision_history": [
{
"date": "2026-04-23T17:30:01+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-04-23T17:30:13+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-05T03:16:34+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "OpenShift Developer Tools and Services 4.18",
"product": {
"name": "OpenShift Developer Tools and Services 4.18",
"product_id": "OpenShift Developer Tools and Services 4.18",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:ocp_tools:4.18::el9"
}
}
}
],
"category": "product_family",
"name": "OpenShift Developer Tools and Services"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel9@sha256%3A960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd?arch=amd64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944183"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-rhel9@sha256%3A0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630?arch=amd64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944215"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel9@sha256%3A486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97?arch=arm64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944183"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-rhel9@sha256%3A1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4?arch=arm64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944215"
}
}
}
],
"category": "architecture",
"name": "arm64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel9@sha256%3Aa41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190?arch=ppc64le\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944183"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-rhel9@sha256%3Aab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454?arch=ppc64le\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944215"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel9@sha256%3Acef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96?arch=s390x\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944183"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-rhel9@sha256%3Ab453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7?arch=s390x\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944215"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64 as a component of OpenShift Developer Tools and Services 4.18",
"product_id": "OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.18"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64 as a component of OpenShift Developer Tools and Services 4.18",
"product_id": "OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.18"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le as a component of OpenShift Developer Tools and Services 4.18",
"product_id": "OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.18"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x as a component of OpenShift Developer Tools and Services 4.18",
"product_id": "OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.18"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64 as a component of OpenShift Developer Tools and Services 4.18",
"product_id": "OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.18"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64 as a component of OpenShift Developer Tools and Services 4.18",
"product_id": "OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.18"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le as a component of OpenShift Developer Tools and Services 4.18",
"product_id": "OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.18"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x as a component of OpenShift Developer Tools and Services 4.18",
"product_id": "OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.18"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-29371",
"cwe": {
"id": "CWE-409",
"name": "Improper Handling of Highly Compressed Data (Data Amplification)"
},
"discovery_date": "2025-12-17T16:01:18.173727+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2423194"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in jose4j. A remote attacker can exploit this by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression. This can lead to a Denial of Service, making the service unavailable to legitimate users.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jose4j: jose4j: Denial of Service via malicious JSON Web Encryption (JWE) token compression",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated Important as it can lead to a Denial of Service in applications that process untrusted JSON Web Encryption tokens. An attacker can craft a malicious JWE token with an exceptionally high compression ratio, causing excessive memory allocation and processing time during decompression in affected components like jose4j. This affects products such as Red Hat AMQ, Enterprise Application Platform (EAP 8.0.z, 8.1.z), Red Hat JBoss Fuse, JBoss Data Grid, OpenShift Developer Tools \u0026 Services, Red Hat build of Apache Camel, Red Hat Integration, Red Hat OpenShift Dev Spaces, Red Hat Process Automation Manager, Red Hat Single Sign-On (RH-SSO), Insights, cloud.redhat.com, and OpenShift Serverless.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-29371"
},
{
"category": "external",
"summary": "RHBZ#2423194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2423194"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-29371",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-29371"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-29371",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29371"
},
{
"category": "external",
"summary": "https://bitbucket.org/b_c/jose4j/issues/220/vuln-zip-bomb-attack",
"url": "https://bitbucket.org/b_c/jose4j/issues/220/vuln-zip-bomb-attack"
}
],
"release_date": "2025-12-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T17:30:01+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.18 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10215"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jose4j: jose4j: Denial of Service via malicious JSON Web Encryption (JWE) token compression"
},
{
"cve": "CVE-2026-27099",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2026-02-18T15:02:52.012661+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2440638"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jenkins. This vulnerability, identified as a stored cross-site scripting (XSS) issue, occurs because Jenkins does not properly escape the user-provided description for the \"Mark temporarily offline\" cause. An attacker with Agent/Configure or Agent/Disconnect permissions can exploit this to inject malicious scripts, leading to potential information disclosure or unauthorized actions within the user\u0027s browser.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.jenkins-ci.main/jenkins-core: Jenkins: Stored Cross-site Scripting (XSS) via unescaped user-provided offline cause description",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability in Jenkins allows authenticated attackers with Agent/Configure or Agent/Disconnect permissions to inject malicious scripts into the \"Mark temporarily offline\" cause description. This stored cross-site scripting (XSS) flaw can lead to information disclosure or unauthorized actions within a user\u0027s browser when viewing the affected description. Red Hat OpenShift Developer Tools \u0026 Services are affected.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-27099"
},
{
"category": "external",
"summary": "RHBZ#2440638",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440638"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-27099",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27099"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-27099",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27099"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3669",
"url": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3669"
}
],
"release_date": "2026-02-18T14:17:43.911000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T17:30:01+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.18 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10215"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "org.jenkins-ci.main/jenkins-core: Jenkins: Stored Cross-site Scripting (XSS) via unescaped user-provided offline cause description"
},
{
"cve": "CVE-2026-27100",
"cwe": {
"id": "CWE-551",
"name": "Incorrect Behavior Order: Authorization Before Parsing and Canonicalization"
},
"discovery_date": "2026-02-18T15:02:47.032150+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2440637"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jenkins. An attacker with Item/Build and Item/Configure permissions can exploit this vulnerability by submitting Run Parameter values that refer to builds they do not have authorization to access. This allows the attacker to obtain sensitive information, including the existence of jobs, the existence of builds, and the display names of specific builds. This is an information disclosure vulnerability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.jenkins-ci.main/jenkins-core: Jenkins: Information disclosure via unauthorized access to build parameters",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This information disclosure vulnerability in Jenkins allows an attacker with Item/Build and Item/Configure permissions to gain knowledge about the existence and display names of jobs and builds they are not authorized to access. This affects Jenkins instances in OpenShift Developer Tools \u0026 Services.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-27100"
},
{
"category": "external",
"summary": "RHBZ#2440637",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440637"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-27100",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27100"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-27100",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27100"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3658",
"url": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3658"
}
],
"release_date": "2026-02-18T14:17:44.672000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T17:30:01+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.18 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10215"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "org.jenkins-ci.main/jenkins-core: Jenkins: Information disclosure via unauthorized access to build parameters"
},
{
"cve": "CVE-2026-33001",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2026-03-18T16:02:14.310096+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2448645"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jenkins. This vulnerability allows attackers with Item/Configure permission, or those who can control agent processes, to exploit unsafe handling of symbolic links during the extraction of .tar and .tar.gz archives. By crafting malicious archives, an attacker can write files to arbitrary locations on the filesystem. This could enable the deployment of malicious scripts or plugins on the Jenkins controller, potentially leading to unauthorized code execution.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins: Jenkins: Arbitrary file write and potential code execution through crafted archives",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-33001"
},
{
"category": "external",
"summary": "RHBZ#2448645",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448645"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-33001",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33001"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-33001",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33001"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3657",
"url": "https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3657"
}
],
"release_date": "2026-03-18T15:15:23.950000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T17:30:01+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.18 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10215"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.18:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jenkins: Jenkins: Arbitrary file write and potential code execution through crafted archives"
}
]
}
RHSA-2026:13571
Vulnerability from csaf_redhat - Published: 2026-05-04 23:37 - Updated: 2026-05-30 20:54Summary
Red Hat Security Advisory: Streams for Apache Kafka 3.2.0 release and security update
Severity
Critical
Notes
Topic: Streams for Apache Kafka 3.2.0 is now available from the Red Hat Customer Portal.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: Red Hat Streams for Apache Kafka, based on the Apache Kafka project, offers a distributed
backbone that allows microservices and other applications to share data with
extremely high throughput and extremely low latency.
This release of Red Hat Streams for Apache Kafka 3.2.0 serves as a replacement for Red Hat Streams for Apache Kafka 3.1.0, and includes security and bug fixes, and enhancements.
Security Fix(es):
* Drain Cleaner, Kafks Exporter - Eclipse Vert.x Web static handler file access denial [amq-st-3.2]"(CVE-2026-1002)"
* Drain Cleaner, Kroxylicous - Netty denial of service[amqst-3.2]"(CVE-2026-33871)"
* Drain Cleaner, Kroxylicous - Netty request smuggling attacks[amqst-3.2]"(CVE-2026-33870)"
* Cruise Control - jose4j denial of service [amqst-3.2]"(CVE-2024-29371)"
* Kafka Exporter - golang-github-danielqsj-kafka_exporter: Memory exhaustion in query parameter parsing in net/url [amq-st-3.2]"(CVE-2025-61726)"
* Kafka Exporter - golang-github-danielqsj-kafka_exporter: golang: Denial of Service due to excessive resource consumption via crafted certificate [amq-st-3.2]"(CVE-2025-61729)"
* Kafka Exporter - golang-github-danielqsj-kafka_exporter: Unexpected session resumption in crypto/tls [amqst-3.2]"(CVE-2025-68121)"
* console UI - Next.js Server-Side Request Forgery in Server Actions [amqst-3.2]"(CVE-2024-34351)"
* console UI - com.github.streamshub-console: Next.js: Unbounded next/image disk cache growth can exhaust storage[amqst-3.2]"(CVE-2026-27980)"
* console UI - Axios: Server-Side Request Forgery and proxy bypass due to improper hostname normalization [amqst-3.2]"(CVE-2025-62718)"
* console UI - React Server Components: Denial of Service via specially crafted HTTP requests [amqst-3.2]"(CVE-2026-23864)"
* console UI - Axios: Remote Code Execution via Prototype Pollution escalation [amqst-3.2]"(CVE-2026-40175)"
* console UI - lodash: Arbitrary code execution via untrusted input in template imports [amqst-3.2]"(CVE-2026-4800)"
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in jose4j. A remote attacker can exploit this by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression. This can lead to a Denial of Service, making the service unavailable to legitimate users.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Streams for Apache Kafka 3.2.0
Red Hat / Red Hat OpenShift Enterprise
|
cpe:/a:redhat:amq_streams:3.2::el9
|
— |
Vendor Fix
fix
|
Threats
Impact
Important
A Server-Side Request Forgery (SSRF) vulnerability was identified in Next.js Server Actions. If the `Host` header is modified, and the below conditions are also met, an attacker may be able to make requests that appear to be originating from the Next.js application server itself. The required conditions are 1) Next.js is running in a self-hosted manner; 2) the Next.js application makes use of Server Actions; and 3) the Server Action performs a redirect to a relative path which starts with a `/`.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Streams for Apache Kafka 3.2.0
Red Hat / Red Hat OpenShift Enterprise
|
cpe:/a:redhat:amq_streams:3.2::el9
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A flaw was found in the net/url package in the Go standard library. The package does not enforce a limit on the number of unique query parameters it parses. A Go application using the net/http.Request.ParseForm method will try to process all parameters provided in the request. A specially crafted HTTP request containing a massive number of query parameters will cause the application to consume an excessive amount of memory, eventually causing the application to crash or become unresponsive, resulting in a denial of service.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Streams for Apache Kafka 3.2.0
Red Hat / Red Hat OpenShift Enterprise
|
cpe:/a:redhat:amq_streams:3.2::el9
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A flaw was found in golang. A remote attacker could exploit this vulnerability by providing a specially crafted certificate during the error string construction process within the `HostnameError.Error()` function. This flaw, caused by unbounded string concatenation, leads to excessive resource consumption. Successful exploitation can result in a denial of service (DoS) for the affected system.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Streams for Apache Kafka 3.2.0
Red Hat / Red Hat OpenShift Enterprise
|
cpe:/a:redhat:amq_streams:3.2::el9
|
— |
Vendor Fix
fix
|
Threats
Impact
Important
A flaw was found in Axios, a promise-based HTTP client. This vulnerability occurs because Axios does not correctly handle hostname normalization when evaluating NO_PROXY rules. An attacker can exploit this by crafting requests to loopback addresses (e.g., localhost. or [::1]) which bypass the NO_PROXY configuration and are routed through the configured proxy. This can lead to Server-Side Request Forgery (SSRF) vulnerabilities, enabling attackers to access sensitive internal or loopback services that should otherwise be protected.
7.0 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Streams for Apache Kafka 3.2.0
Red Hat / Red Hat OpenShift Enterprise
|
cpe:/a:redhat:amq_streams:3.2::el9
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A flaw was found in the crypto/tls component. This vulnerability occurs during Transport Layer Security (TLS) session resumption when certificate authority (CA) settings are modified between the initial and resumed handshakes. An attacker could exploit this to bypass certificate validation, allowing a client or server to establish a connection that should have been rejected. This could lead to an authentication bypass under specific conditions.
7.4 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Streams for Apache Kafka 3.2.0
Red Hat / Red Hat OpenShift Enterprise
|
cpe:/a:redhat:amq_streams:3.2::el9
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in Vert.x. The Web static handler component cache can be manipulated to deny the access to static files served by the handler using specifically crafted request URIs, preventing legitimate users from accessing static files with an HTTP 404 response.
5.3 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Streams for Apache Kafka 3.2.0
Red Hat / Red Hat OpenShift Enterprise
|
cpe:/a:redhat:amq_streams:3.2::el9
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in lodash. The fix for CVE-2021-23337 added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink. Additionally, _.template uses assignInWith to merge imports, which enumerates inherited properties via for..in. If Object.prototype has been polluted by any other vector, the polluted keys are copied into the imports object and passed to Function().
8.1 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Streams for Apache Kafka 3.2.0
Red Hat / Red Hat OpenShift Enterprise
|
cpe:/a:redhat:amq_streams:3.2::el9
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A flaw was found in React Server Components. A remote attacker can exploit this vulnerability by sending specially crafted HTTP requests to Server Function endpoints. This can lead to a Denial of Service (DoS), causing server crashes, out-of-memory exceptions, or excessive CPU usage, thereby impacting the availability of applications.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Streams for Apache Kafka 3.2.0
Red Hat / Red Hat OpenShift Enterprise
|
cpe:/a:redhat:amq_streams:3.2::el9
|
— |
Vendor Fix
fix
|
Threats
Impact
Important
An unbounded disk usage flaw has been discovered in Next.js. The default Next.js image optimization disk cache (`/_next/image`) did not have a configurable upper bound, allowing unbounded cache growth. An attacker could generate many unique image-optimization variants and exhaust disk space, causing denial of service.
5.3 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Streams for Apache Kafka 3.2.0
Red Hat / Red Hat OpenShift Enterprise
|
cpe:/a:redhat:amq_streams:3.2::el9
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Netty. A remote attacker could exploit this vulnerability by sending specially crafted HTTP/1.1 chunked transfer encoding extension values. Due to incorrect parsing of quoted strings, this flaw enables request smuggling attacks, potentially allowing an attacker to bypass security controls or access unauthorized information.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Streams for Apache Kafka 3.2.0
Red Hat / Red Hat OpenShift Enterprise
|
cpe:/a:redhat:amq_streams:3.2::el9
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A flaw was found in Netty. A remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of CONTINUATION frames. The server's lack of a limit on these frames, coupled with a bypass of size-based mitigations using zero-byte frames, allows an attacker to consume excessive CPU resources. This can render the server unresponsive with minimal bandwidth usage.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Streams for Apache Kafka 3.2.0
Red Hat / Red Hat OpenShift Enterprise
|
cpe:/a:redhat:amq_streams:3.2::el9
|
— |
Vendor Fix
fix
|
Threats
Impact
Important
A flaw was found in Axios, a promise-based HTTP client. This vulnerability, known as Prototype Pollution, can be exploited through a specific "Gadget" attack chain. This allows an attacker to escalate a Prototype Pollution vulnerability in a third-party dependency, potentially leading to remote code execution or a full cloud compromise, such as bypassing AWS IMDSv2.
9.0 (Critical)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Streams for Apache Kafka 3.2.0
Red Hat / Red Hat OpenShift Enterprise
|
cpe:/a:redhat:amq_streams:3.2::el9
|
— |
Vendor Fix
fix
|
Threats
Impact
Important
References
107 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Critical"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Streams for Apache Kafka 3.2.0 is now available from the Red Hat Customer Portal.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat Streams for Apache Kafka, based on the Apache Kafka project, offers a distributed\nbackbone that allows microservices and other applications to share data with\nextremely high throughput and extremely low latency.\n\nThis release of Red Hat Streams for Apache Kafka 3.2.0 serves as a replacement for Red Hat Streams for Apache Kafka 3.1.0, and includes security and bug fixes, and enhancements.\n\nSecurity Fix(es):\n* Drain Cleaner, Kafks Exporter - Eclipse Vert.x Web static handler file access denial [amq-st-3.2]\"(CVE-2026-1002)\"\n* Drain Cleaner, Kroxylicous - Netty denial of service[amqst-3.2]\"(CVE-2026-33871)\"\n* Drain Cleaner, Kroxylicous - Netty request smuggling attacks[amqst-3.2]\"(CVE-2026-33870)\"\n* Cruise Control - jose4j denial of service [amqst-3.2]\"(CVE-2024-29371)\"\n* Kafka Exporter - golang-github-danielqsj-kafka_exporter: Memory exhaustion in query parameter parsing in net/url [amq-st-3.2]\"(CVE-2025-61726)\"\n* Kafka Exporter - golang-github-danielqsj-kafka_exporter: golang: Denial of Service due to excessive resource consumption via crafted certificate [amq-st-3.2]\"(CVE-2025-61729)\"\n* Kafka Exporter - golang-github-danielqsj-kafka_exporter: Unexpected session resumption in crypto/tls [amqst-3.2]\"(CVE-2025-68121)\"\n* console UI - Next.js Server-Side Request Forgery in Server Actions [amqst-3.2]\"(CVE-2024-34351)\"\n* console UI - com.github.streamshub-console: Next.js: Unbounded next/image disk cache growth can exhaust storage[amqst-3.2]\"(CVE-2026-27980)\"\n* console UI - Axios: Server-Side Request Forgery and proxy bypass due to improper hostname normalization [amqst-3.2]\"(CVE-2025-62718)\"\n* console UI - React Server Components: Denial of Service via specially crafted HTTP requests [amqst-3.2]\"(CVE-2026-23864)\"\n* console UI - Axios: Remote Code Execution via Prototype Pollution escalation [amqst-3.2]\"(CVE-2026-40175)\"\n* console UI - lodash: Arbitrary code execution via untrusted input in template imports [amqst-3.2]\"(CVE-2026-4800)\"",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:13571",
"url": "https://access.redhat.com/errata/RHSA-2026:13571"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#critical",
"url": "https://access.redhat.com/security/updates/classification/#critical"
},
{
"category": "external",
"summary": "2418462",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2418462"
},
{
"category": "external",
"summary": "2423194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2423194"
},
{
"category": "external",
"summary": "2430180",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2430180"
},
{
"category": "external",
"summary": "2433059",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2433059"
},
{
"category": "external",
"summary": "2434432",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2434432"
},
{
"category": "external",
"summary": "2437111",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2437111"
},
{
"category": "external",
"summary": "2448509",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448509"
},
{
"category": "external",
"summary": "2452453",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2452453"
},
{
"category": "external",
"summary": "2452456",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2452456"
},
{
"category": "external",
"summary": "2453496",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2453496"
},
{
"category": "external",
"summary": "2454387",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2454387"
},
{
"category": "external",
"summary": "2456913",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456913"
},
{
"category": "external",
"summary": "2457432",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2457432"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_13571.json"
}
],
"title": "Red Hat Security Advisory: Streams for Apache Kafka 3.2.0 release and security update",
"tracking": {
"current_release_date": "2026-05-30T20:54:24+00:00",
"generator": {
"date": "2026-05-30T20:54:24+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.1"
}
},
"id": "RHSA-2026:13571",
"initial_release_date": "2026-05-04T23:37:19+00:00",
"revision_history": [
{
"date": "2026-05-04T23:37:19+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-05-04T23:37:19+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-30T20:54:24+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Streams for Apache Kafka 3.2.0",
"product": {
"name": "Streams for Apache Kafka 3.2.0",
"product_id": "Streams for Apache Kafka 3.2.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:amq_streams:3.2::el9"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift Enterprise"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-29371",
"cwe": {
"id": "CWE-409",
"name": "Improper Handling of Highly Compressed Data (Data Amplification)"
},
"discovery_date": "2025-12-17T16:01:18.173727+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2423194"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in jose4j. A remote attacker can exploit this by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression. This can lead to a Denial of Service, making the service unavailable to legitimate users.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jose4j: jose4j: Denial of Service via malicious JSON Web Encryption (JWE) token compression",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated Important as it can lead to a Denial of Service in applications that process untrusted JSON Web Encryption tokens. An attacker can craft a malicious JWE token with an exceptionally high compression ratio, causing excessive memory allocation and processing time during decompression in affected components like jose4j. This affects products such as Red Hat AMQ, Enterprise Application Platform (EAP 8.0.z, 8.1.z), Red Hat JBoss Fuse, JBoss Data Grid, OpenShift Developer Tools \u0026 Services, Red Hat build of Apache Camel, Red Hat Integration, Red Hat OpenShift Dev Spaces, Red Hat Process Automation Manager, Red Hat Single Sign-On (RH-SSO), Insights, cloud.redhat.com, and OpenShift Serverless.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Streams for Apache Kafka 3.2.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-29371"
},
{
"category": "external",
"summary": "RHBZ#2423194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2423194"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-29371",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-29371"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-29371",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29371"
},
{
"category": "external",
"summary": "https://bitbucket.org/b_c/jose4j/issues/220/vuln-zip-bomb-attack",
"url": "https://bitbucket.org/b_c/jose4j/issues/220/vuln-zip-bomb-attack"
}
],
"release_date": "2025-12-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-05-04T23:37:19+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Streams for Apache Kafka 3.2.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:13571"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Streams for Apache Kafka 3.2.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jose4j: jose4j: Denial of Service via malicious JSON Web Encryption (JWE) token compression"
},
{
"cve": "CVE-2024-34351",
"cwe": {
"id": "CWE-918",
"name": "Server-Side Request Forgery (SSRF)"
},
"discovery_date": "2026-04-02T15:56:14.719577+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2454387"
}
],
"notes": [
{
"category": "description",
"text": "A Server-Side Request Forgery (SSRF) vulnerability was identified in Next.js Server Actions. If the `Host` header is modified, and the below conditions are also met, an attacker may be able to make requests that appear to be originating from the Next.js application server itself. The required conditions are 1) Next.js is running in a self-hosted manner; 2) the Next.js application makes use of Server Actions; and 3) the Server Action performs a redirect to a relative path which starts with a `/`.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "next: Next.js Server-Side Request Forgery in Server Actions",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Streams for Apache Kafka 3.2.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-34351"
},
{
"category": "external",
"summary": "RHBZ#2454387",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2454387"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-34351",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-34351"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-34351",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34351"
},
{
"category": "external",
"summary": "https://github.com/vercel/next.js/commit/8f7a6ca7d21a97bc9f7a1bbe10427b5ad74b9085",
"url": "https://github.com/vercel/next.js/commit/8f7a6ca7d21a97bc9f7a1bbe10427b5ad74b9085"
},
{
"category": "external",
"summary": "https://github.com/vercel/next.js/pull/62561",
"url": "https://github.com/vercel/next.js/pull/62561"
},
{
"category": "external",
"summary": "https://github.com/vercel/next.js/security/advisories/GHSA-fr5h-rqp8-mj6g",
"url": "https://github.com/vercel/next.js/security/advisories/GHSA-fr5h-rqp8-mj6g"
}
],
"release_date": "2024-05-09T16:14:16.236000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-05-04T23:37:19+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Streams for Apache Kafka 3.2.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:13571"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Streams for Apache Kafka 3.2.0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"Streams for Apache Kafka 3.2.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "next: Next.js Server-Side Request Forgery in Server Actions"
},
{
"cve": "CVE-2025-61726",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2026-01-28T20:01:42.791305+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2434432"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the net/url package in the Go standard library. The package does not enforce a limit on the number of unique query parameters it parses. A Go application using the net/http.Request.ParseForm method will try to process all parameters provided in the request. A specially crafted HTTP request containing a massive number of query parameters will cause the application to consume an excessive amount of memory, eventually causing the application to crash or become unresponsive, resulting in a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: net/url: Memory exhaustion in query parameter parsing in net/url",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "To exploit this flaw, an attacker must be able to send a specially crafted HTTP request to an application parsing URL-encoded forms with net/url, specifically a request containing a large number of unique query parameters. The request will cause the application to consume an excessive amount of memory and eventually result in a denial of service, with no impact to confidentiality or integrity. Due to this reason, this vulnerability has been rated with an important severity.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Streams for Apache Kafka 3.2.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-61726"
},
{
"category": "external",
"summary": "RHBZ#2434432",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2434432"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-61726",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-61726"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-61726",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61726"
},
{
"category": "external",
"summary": "https://go.dev/cl/736712",
"url": "https://go.dev/cl/736712"
},
{
"category": "external",
"summary": "https://go.dev/issue/77101",
"url": "https://go.dev/issue/77101"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc",
"url": "https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-4341",
"url": "https://pkg.go.dev/vuln/GO-2026-4341"
}
],
"release_date": "2026-01-28T19:30:31.215000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-05-04T23:37:19+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Streams for Apache Kafka 3.2.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:13571"
},
{
"category": "workaround",
"details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.",
"product_ids": [
"Streams for Apache Kafka 3.2.0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Streams for Apache Kafka 3.2.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "golang: net/url: Memory exhaustion in query parameter parsing in net/url"
},
{
"cve": "CVE-2025-61729",
"cwe": {
"id": "CWE-1050",
"name": "Excessive Platform Resource Consumption within a Loop"
},
"discovery_date": "2025-12-02T20:01:45.330964+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2418462"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in golang. A remote attacker could exploit this vulnerability by providing a specially crafted certificate during the error string construction process within the `HostnameError.Error()` function. This flaw, caused by unbounded string concatenation, leads to excessive resource consumption. Successful exploitation can result in a denial of service (DoS) for the affected system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Streams for Apache Kafka 3.2.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-61729"
},
{
"category": "external",
"summary": "RHBZ#2418462",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2418462"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-61729",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-61729"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-61729",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61729"
},
{
"category": "external",
"summary": "https://go.dev/cl/725920",
"url": "https://go.dev/cl/725920"
},
{
"category": "external",
"summary": "https://go.dev/issue/76445",
"url": "https://go.dev/issue/76445"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/8FJoBkPddm4",
"url": "https://groups.google.com/g/golang-announce/c/8FJoBkPddm4"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2025-4155",
"url": "https://pkg.go.dev/vuln/GO-2025-4155"
}
],
"release_date": "2025-12-02T18:54:10.166000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-05-04T23:37:19+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Streams for Apache Kafka 3.2.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:13571"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Streams for Apache Kafka 3.2.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate"
},
{
"cve": "CVE-2025-62718",
"cwe": {
"id": "CWE-1289",
"name": "Improper Validation of Unsafe Equivalence in Input"
},
"discovery_date": "2026-04-09T15:01:48.111177+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2456913"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Axios, a promise-based HTTP client. This vulnerability occurs because Axios does not correctly handle hostname normalization when evaluating NO_PROXY rules. An attacker can exploit this by crafting requests to loopback addresses (e.g., localhost. or [::1]) which bypass the NO_PROXY configuration and are routed through the configured proxy. This can lead to Server-Side Request Forgery (SSRF) vulnerabilities, enabling attackers to access sensitive internal or loopback services that should otherwise be protected.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "axios: Axios: Server-Side Request Forgery and proxy bypass due to improper hostname normalization",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This flaw has limited impact due to combination of non-default conditions to exploit: the attacker must be able to control or influence URLs passed to axios in a server-side context, the application must have both `HTTP_PROXY` and `NO_PROXY` configured, and the proxy itself must be positioned to act on the misdirected traffic or have been compromised by the attacker to intercept the rerouted traffic.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Streams for Apache Kafka 3.2.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-62718"
},
{
"category": "external",
"summary": "RHBZ#2456913",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456913"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-62718",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-62718"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-62718",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62718"
},
{
"category": "external",
"summary": "https://datatracker.ietf.org/doc/html/rfc1034#section-3.1",
"url": "https://datatracker.ietf.org/doc/html/rfc1034#section-3.1"
},
{
"category": "external",
"summary": "https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.2",
"url": "https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.2"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/commit/fb3befb6daac6cad26b2e54094d0f2d9e47f24df",
"url": "https://github.com/axios/axios/commit/fb3befb6daac6cad26b2e54094d0f2d9e47f24df"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/pull/10661",
"url": "https://github.com/axios/axios/pull/10661"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/releases/tag/v1.15.0",
"url": "https://github.com/axios/axios/releases/tag/v1.15.0"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/security/advisories/GHSA-3p68-rc4w-qgx5",
"url": "https://github.com/axios/axios/security/advisories/GHSA-3p68-rc4w-qgx5"
}
],
"release_date": "2026-04-09T14:31:46.067000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-05-04T23:37:19+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Streams for Apache Kafka 3.2.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:13571"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Streams for Apache Kafka 3.2.0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"products": [
"Streams for Apache Kafka 3.2.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "axios: Axios: Server-Side Request Forgery and proxy bypass due to improper hostname normalization"
},
{
"cve": "CVE-2025-68121",
"discovery_date": "2026-02-05T18:01:30.086058+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2437111"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the crypto/tls component. This vulnerability occurs during Transport Layer Security (TLS) session resumption when certificate authority (CA) settings are modified between the initial and resumed handshakes. An attacker could exploit this to bypass certificate validation, allowing a client or server to establish a connection that should have been rejected. This could lead to an authentication bypass under specific conditions.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "crypto/tls: crypto/tls: Incorrect certificate validation during TLS session resumption",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is a moderate flaw because it only occurs under specific conditions, such as TLS session resumption with runtime changes to certificate authority settings. Exploitation is not straightforward and requires a controlled setup. The impact is limited to certificate validation within the same component and does not affect system availability.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Streams for Apache Kafka 3.2.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-68121"
},
{
"category": "external",
"summary": "RHBZ#2437111",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2437111"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-68121",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68121"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-68121",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68121"
},
{
"category": "external",
"summary": "https://go.dev/cl/737700",
"url": "https://go.dev/cl/737700"
},
{
"category": "external",
"summary": "https://go.dev/issue/77217",
"url": "https://go.dev/issue/77217"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/K09ubi9FQFk",
"url": "https://groups.google.com/g/golang-announce/c/K09ubi9FQFk"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-4337",
"url": "https://pkg.go.dev/vuln/GO-2026-4337"
}
],
"release_date": "2026-02-05T17:48:44.141000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-05-04T23:37:19+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Streams for Apache Kafka 3.2.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:13571"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Streams for Apache Kafka 3.2.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "crypto/tls: crypto/tls: Incorrect certificate validation during TLS session resumption"
},
{
"cve": "CVE-2026-1002",
"cwe": {
"id": "CWE-444",
"name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
},
"discovery_date": "2026-01-15T21:03:20.088599+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2430180"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Vert.x. The Web static handler component cache can be manipulated to deny the access to static files served by the handler using specifically crafted request URIs, preventing legitimate users from accessing static files with an HTTP 404 response.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "io.vertx/vertx-core: static handler component cache can be manipulated to deny the access to static files",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability allows a remote attacker to block access to specific static files, such as images, CSS or HTML files. However, the underlying Vert.x server, the API endpoints and other non-cached resources are not affected. Due to this reason, this issue has been rated with a moderate severity.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Streams for Apache Kafka 3.2.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-1002"
},
{
"category": "external",
"summary": "RHBZ#2430180",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2430180"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-1002",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-1002"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-1002",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1002"
},
{
"category": "external",
"summary": "https://github.com/eclipse-vertx/vert.x/pull/5895",
"url": "https://github.com/eclipse-vertx/vert.x/pull/5895"
}
],
"release_date": "2026-01-15T20:50:25.642000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-05-04T23:37:19+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Streams for Apache Kafka 3.2.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:13571"
},
{
"category": "workaround",
"details": "To mitigate this vulnerability, consider disabling the static handler cache by configuring the StaticHandler instance with setCachingEnabled(false), for example:\n\n~~~\nStaticHandler staticHandler = StaticHandler.create().setCachingEnabled(false);\n~~~",
"product_ids": [
"Streams for Apache Kafka 3.2.0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"Streams for Apache Kafka 3.2.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "io.vertx/vertx-core: static handler component cache can be manipulated to deny the access to static files"
},
{
"cve": "CVE-2026-4800",
"cwe": {
"id": "CWE-94",
"name": "Improper Control of Generation of Code (\u0027Code Injection\u0027)"
},
"discovery_date": "2026-03-31T20:01:21.918257+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2453496"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in lodash. The fix for CVE-2021-23337 added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink. Additionally, _.template uses assignInWith to merge imports, which enumerates inherited properties via for..in. If Object.prototype has been polluted by any other vector, the polluted keys are copied into the imports object and passed to Function().",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "lodash: lodash: Arbitrary code execution via untrusted input in template imports",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In the context of Red Hat Enterprise Linux, the grafana and grafana-pcp packages execute the affected JavaScript entirely client-side within the user\u0027s browser. Consequently, the attack surface is strictly restricted to the local browser environment.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Streams for Apache Kafka 3.2.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-4800"
},
{
"category": "external",
"summary": "RHBZ#2453496",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2453496"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-4800",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-4800"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-4800",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4800"
},
{
"category": "external",
"summary": "https://cna.openjsf.org/security-advisories.html",
"url": "https://cna.openjsf.org/security-advisories.html"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-35jh-r3h4-6jhm",
"url": "https://github.com/advisories/GHSA-35jh-r3h4-6jhm"
},
{
"category": "external",
"summary": "https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c",
"url": "https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c"
}
],
"release_date": "2026-03-31T19:25:55.987000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-05-04T23:37:19+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Streams for Apache Kafka 3.2.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:13571"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Streams for Apache Kafka 3.2.0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Streams for Apache Kafka 3.2.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "lodash: lodash: Arbitrary code execution via untrusted input in template imports"
},
{
"cve": "CVE-2026-23864",
"cwe": {
"id": "CWE-1284",
"name": "Improper Validation of Specified Quantity in Input"
},
"discovery_date": "2026-01-26T20:01:54.396535+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2433059"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in React Server Components. A remote attacker can exploit this vulnerability by sending specially crafted HTTP requests to Server Function endpoints. This can lead to a Denial of Service (DoS), causing server crashes, out-of-memory exceptions, or excessive CPU usage, thereby impacting the availability of applications.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "react-server-dom-webpack: react-server-dom-parcel: reactreact-server-dom-turbopack: React Server Components: Denial of Service via specially crafted HTTP requests",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Streams for Apache Kafka 3.2.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-23864"
},
{
"category": "external",
"summary": "RHBZ#2433059",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2433059"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-23864",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23864"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-23864",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23864"
},
{
"category": "external",
"summary": "https://github.com/facebook/react/security/advisories/GHSA-83fc-fqcc-2hmg",
"url": "https://github.com/facebook/react/security/advisories/GHSA-83fc-fqcc-2hmg"
},
{
"category": "external",
"summary": "https://www.facebook.com/security/advisories/cve-2026-23864",
"url": "https://www.facebook.com/security/advisories/cve-2026-23864"
}
],
"release_date": "2026-01-26T19:16:38.250000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-05-04T23:37:19+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Streams for Apache Kafka 3.2.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:13571"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Streams for Apache Kafka 3.2.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "react-server-dom-webpack: react-server-dom-parcel: reactreact-server-dom-turbopack: React Server Components: Denial of Service via specially crafted HTTP requests"
},
{
"cve": "CVE-2026-27980",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2026-03-18T01:01:36.393672+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2448509"
}
],
"notes": [
{
"category": "description",
"text": "An unbounded disk usage flaw has been discovered in Next.js. The default Next.js image optimization disk cache (`/_next/image`) did not have a configurable upper bound, allowing unbounded cache growth. An attacker could generate many unique image-optimization variants and exhaust disk space, causing denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "next.js: Next.js: Unbounded next/image disk cache growth can exhaust storage",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Streams for Apache Kafka 3.2.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-27980"
},
{
"category": "external",
"summary": "RHBZ#2448509",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448509"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-27980",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27980"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-27980",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27980"
},
{
"category": "external",
"summary": "https://github.com/vercel/next.js/commit/39eb8e0ac498b48855a0430fbf4c22276a73b4bd",
"url": "https://github.com/vercel/next.js/commit/39eb8e0ac498b48855a0430fbf4c22276a73b4bd"
},
{
"category": "external",
"summary": "https://github.com/vercel/next.js/releases/tag/v16.1.7",
"url": "https://github.com/vercel/next.js/releases/tag/v16.1.7"
},
{
"category": "external",
"summary": "https://github.com/vercel/next.js/security/advisories/GHSA-3x4c-7xq6-9pq8",
"url": "https://github.com/vercel/next.js/security/advisories/GHSA-3x4c-7xq6-9pq8"
}
],
"release_date": "2026-03-18T00:23:34.862000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-05-04T23:37:19+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Streams for Apache Kafka 3.2.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:13571"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Streams for Apache Kafka 3.2.0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"Streams for Apache Kafka 3.2.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "next.js: Next.js: Unbounded next/image disk cache growth can exhaust storage"
},
{
"cve": "CVE-2026-33870",
"cwe": {
"id": "CWE-444",
"name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
},
"discovery_date": "2026-03-27T21:01:59.865839+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2452453"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Netty. A remote attacker could exploit this vulnerability by sending specially crafted HTTP/1.1 chunked transfer encoding extension values. Due to incorrect parsing of quoted strings, this flaw enables request smuggling attacks, potentially allowing an attacker to bypass security controls or access unauthorized information.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "io.netty/netty-codec-http: Netty: Request smuggling via incorrect parsing of HTTP/1.1 chunked transfer encoding extension values",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Streams for Apache Kafka 3.2.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-33870"
},
{
"category": "external",
"summary": "RHBZ#2452453",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2452453"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-33870",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33870"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-33870",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33870"
},
{
"category": "external",
"summary": "https://github.com/netty/netty/security/advisories/GHSA-pwqr-wmgm-9rr8",
"url": "https://github.com/netty/netty/security/advisories/GHSA-pwqr-wmgm-9rr8"
},
{
"category": "external",
"summary": "https://w4ke.info/2025/06/18/funky-chunks.html",
"url": "https://w4ke.info/2025/06/18/funky-chunks.html"
},
{
"category": "external",
"summary": "https://w4ke.info/2025/10/29/funky-chunks-2.html",
"url": "https://w4ke.info/2025/10/29/funky-chunks-2.html"
},
{
"category": "external",
"summary": "https://www.rfc-editor.org/rfc/rfc9110",
"url": "https://www.rfc-editor.org/rfc/rfc9110"
}
],
"release_date": "2026-03-27T19:54:15.586000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-05-04T23:37:19+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Streams for Apache Kafka 3.2.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:13571"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Streams for Apache Kafka 3.2.0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"Streams for Apache Kafka 3.2.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "io.netty/netty-codec-http: Netty: Request smuggling via incorrect parsing of HTTP/1.1 chunked transfer encoding extension values"
},
{
"cve": "CVE-2026-33871",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2026-03-27T21:02:13.396015+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2452456"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Netty. A remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of CONTINUATION frames. The server\u0027s lack of a limit on these frames, coupled with a bypass of size-based mitigations using zero-byte frames, allows an attacker to consume excessive CPU resources. This can render the server unresponsive with minimal bandwidth usage.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "netty: Netty: Denial of Service via HTTP/2 CONTINUATION frame flood",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This important vulnerability in Netty HTTP/2 servers allows a remote attacker to cause a Denial of Service by sending a flood of CONTINUATION frames. This can lead to excessive CPU consumption and render the server unresponsive. Red Hat products utilizing affected Netty versions, such as Red Hat AMQ, Enterprise Application Platform, and OpenShift Container Platform components, are impacted if configured to use HTTP/2.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Streams for Apache Kafka 3.2.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-33871"
},
{
"category": "external",
"summary": "RHBZ#2452456",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2452456"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-33871",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33871"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-33871",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33871"
},
{
"category": "external",
"summary": "https://github.com/netty/netty/security/advisories/GHSA-w9fj-cfpg-grvv",
"url": "https://github.com/netty/netty/security/advisories/GHSA-w9fj-cfpg-grvv"
}
],
"release_date": "2026-03-27T19:55:23.135000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-05-04T23:37:19+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Streams for Apache Kafka 3.2.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:13571"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Streams for Apache Kafka 3.2.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "netty: Netty: Denial of Service via HTTP/2 CONTINUATION frame flood"
},
{
"cve": "CVE-2026-40175",
"cwe": {
"id": "CWE-915",
"name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes"
},
"discovery_date": "2026-04-10T20:02:10.296601+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2457432"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Axios, a promise-based HTTP client. This vulnerability, known as Prototype Pollution, can be exploited through a specific \"Gadget\" attack chain. This allows an attacker to escalate a Prototype Pollution vulnerability in a third-party dependency, potentially leading to remote code execution or a full cloud compromise, such as bypassing AWS IMDSv2.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "axios: Axios: Remote Code Execution via Prototype Pollution escalation",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The Axios library, a promise-based HTTP client, is susceptible to an Important prototype pollution vulnerability. This flaw, when combined with specific \"Gadget\" attack chains in third-party dependencies, can lead to remote code execution or full cloud compromise, including bypassing AWS IMDSv2.\n \nWith pollution check patch available in Axios gives an advantage, it remains vulnerable due to HTTP Header Sanitation and Server-Side Request Forgery threat.\n\nRed Hat products that incorporate the vulnerable Axios library are affected.\n\nThe openshift4/ose-monitoring-plugin-rhel9 container image is not vulnerable to this flaw. The affected component is used as a build-time dependency but it\u0027s not shipped in the final product, meaning the flaw is not present thus cannot be exploited in the container deployments.\n\nRegarding openshift4/ose-console for Product stream 4.12 and 4.13, the vulnerable component is present (indirect dependency), but the vulnerability is not exploitable in our case due to the browser runtime, where the required Node.js-specific attack vectors are not available. With this, the impact becomes low.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Streams for Apache Kafka 3.2.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-40175"
},
{
"category": "external",
"summary": "RHBZ#2457432",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2457432"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-40175",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-40175"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-40175",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40175"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/commit/363185461b90b1b78845dc8a99a1f103d9b122a1",
"url": "https://github.com/axios/axios/commit/363185461b90b1b78845dc8a99a1f103d9b122a1"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/pull/10660",
"url": "https://github.com/axios/axios/pull/10660"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/releases/tag/v1.15.0",
"url": "https://github.com/axios/axios/releases/tag/v1.15.0"
},
{
"category": "external",
"summary": "https://github.com/axios/axios/security/advisories/GHSA-fvcv-3m26-pcqx",
"url": "https://github.com/axios/axios/security/advisories/GHSA-fvcv-3m26-pcqx"
}
],
"release_date": "2026-04-10T19:23:52.285000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-05-04T23:37:19+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Streams for Apache Kafka 3.2.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:13571"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.0,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Streams for Apache Kafka 3.2.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "axios: Axios: Remote Code Execution via Prototype Pollution escalation"
}
]
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…