Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2026-33001 (GCVE-0-2026-33001)
Vulnerability from cvelistv5 – Published: 2026-03-18 15:15 – Updated: 2026-06-30 12:07
VLAI
EPSS
Summary
Jenkins 2.554 and earlier, LTS 2.541.2 and earlier does not safely handle symbolic links during the extraction of .tar and .tar.gz archives, allowing crafted archives to write files to arbitrary locations on the filesystem, restricted only by file system access permissions of the user running Jenkins.
This can be exploited to deploy malicious scripts or plugins on the controller by attackers with Item/Configure permission, or able to control agent processes.
Severity
8.8 (High)
8.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
14 references
Impacted products
12 products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-33001",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-19T03:55:23.659873Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-59",
"description": "CWE-59 Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-19T12:58:23.233Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"cpes": [
"cpe:/a:redhat:ocp_tools:4.12::el8"
],
"defaultStatus": "affected",
"product": "OpenShift Developer Tools and Services 4.12",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ocp_tools:4.13::el8"
],
"defaultStatus": "affected",
"product": "OpenShift Developer Tools and Services 4.13",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ocp_tools:4.14::el8"
],
"defaultStatus": "affected",
"product": "OpenShift Developer Tools and Services 4.14",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ocp_tools:4.15::el8"
],
"defaultStatus": "affected",
"product": "OpenShift Developer Tools and Services 4.15",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ocp_tools:4.16::el9"
],
"defaultStatus": "affected",
"product": "OpenShift Developer Tools and Services 4.16",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ocp_tools:4.17::el9"
],
"defaultStatus": "affected",
"product": "OpenShift Developer Tools and Services 4.17",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ocp_tools:4.18::el9"
],
"defaultStatus": "affected",
"product": "OpenShift Developer Tools and Services 4.18",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ocp_tools:4.19::el9"
],
"defaultStatus": "affected",
"product": "OpenShift Developer Tools and Services 4.19",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ocp_tools:4.21::el9"
],
"defaultStatus": "affected",
"product": "OpenShift Developer Tools and Services 4.21",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ocp_tools:4.20::el9"
],
"defaultStatus": "affected",
"product": "OpenShift Developer Tools and Services 4.2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhdh:1"
],
"defaultStatus": "affected",
"product": "Red Hat Developer Hub",
"vendor": "Red Hat"
}
],
"datePublic": "2026-03-18T15:15:23.950Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in Jenkins. This vulnerability allows attackers with Item/Configure permission, or those who can control agent processes, to exploit unsafe handling of symbolic links during the extraction of .tar and .tar.gz archives. By crafting malicious archives, an attacker can write files to arbitrary locations on the filesystem. This could enable the deployment of malicious scripts or plugins on the Jenkins controller, potentially leading to unauthorized code execution."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T12:07:39.372Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-33001"
},
{
"name": "RHBZ#2448645",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448645"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-33001.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:10209"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:10201"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:10211"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:10204"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:10214"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:10213"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:10215"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:10206"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:10199"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:10205"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:10209: OpenShift Developer Tools and Services 4.12"
},
{
"lang": "en",
"value": "RHSA-2026:10201: OpenShift Developer Tools and Services 4.13"
},
{
"lang": "en",
"value": "RHSA-2026:10211: OpenShift Developer Tools and Services 4.14"
},
{
"lang": "en",
"value": "RHSA-2026:10204: OpenShift Developer Tools and Services 4.15"
},
{
"lang": "en",
"value": "RHSA-2026:10214: OpenShift Developer Tools and Services 4.16"
},
{
"lang": "en",
"value": "RHSA-2026:10213: OpenShift Developer Tools and Services 4.17"
},
{
"lang": "en",
"value": "RHSA-2026:10215: OpenShift Developer Tools and Services 4.18"
},
{
"lang": "en",
"value": "RHSA-2026:10206: OpenShift Developer Tools and Services 4.19"
},
{
"lang": "en",
"value": "RHSA-2026:10199: OpenShift Developer Tools and Services 4.21"
},
{
"lang": "en",
"value": "RHSA-2026:10205: OpenShift Developer Tools and Services 4.2"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-03-18T16:02:14.310Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-03-18T15:15:23.950Z",
"value": "Made public."
}
],
"title": "jenkins: Jenkins: Arbitrary file write and potential code execution through crafted archives",
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Jenkins",
"vendor": "Jenkins Project",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "2.555",
"versionType": "maven"
},
{
"lessThan": "2.541.*",
"status": "unaffected",
"version": "2.541.3",
"versionType": "maven"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Jenkins 2.554 and earlier, LTS 2.541.2 and earlier does not safely handle symbolic links during the extraction of .tar and .tar.gz archives, allowing crafted archives to write files to arbitrary locations on the filesystem, restricted only by file system access permissions of the user running Jenkins.\nThis can be exploited to deploy malicious scripts or plugins on the controller by attackers with Item/Configure permission, or able to control agent processes."
}
],
"providerMetadata": {
"dateUpdated": "2026-03-18T15:15:23.950Z",
"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
"shortName": "jenkins"
},
"references": [
{
"name": "Jenkins Security Advisory 2026-03-18",
"tags": [
"vendor-advisory"
],
"url": "https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3657"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
"assignerShortName": "jenkins",
"cveId": "CVE-2026-33001",
"datePublished": "2026-03-18T15:15:23.950Z",
"dateReserved": "2026-03-17T15:04:07.615Z",
"dateUpdated": "2026-06-30T12:07:39.372Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-33001",
"date": "2026-06-29",
"epss": "0.0075",
"percentile": "0.50328"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-33001\",\"sourceIdentifier\":\"jenkinsci-cert@googlegroups.com\",\"published\":\"2026-03-18T16:16:28.067\",\"lastModified\":\"2026-06-30T03:18:35.567\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Jenkins 2.554 and earlier, LTS 2.541.2 and earlier does not safely handle symbolic links during the extraction of .tar and .tar.gz archives, allowing crafted archives to write files to arbitrary locations on the filesystem, restricted only by file system access permissions of the user running Jenkins.\\nThis can be exploited to deploy malicious scripts or plugins on the controller by attackers with Item/Configure permission, or able to control agent processes.\"},{\"lang\":\"es\",\"value\":\"Jenkins 2.554 y anteriores, LTS 2.541.2 y anteriores no maneja de forma segura los enlaces simb\u00f3licos durante la extracci\u00f3n de archivos .tar y .tar.gz, permitiendo que archivos especialmente dise\u00f1ados escriban archivos en ubicaciones arbitrarias del sistema de archivos, restringido \u00fanicamente por los permisos de acceso al sistema de archivos del usuario que ejecuta Jenkins. Esto puede ser explotado para desplegar scripts o plugins maliciosos en el controlador por atacantes con permiso de Elemento/Configurar, o capaces de controlar procesos de agente.\"}],\"affected\":[{\"source\":\"jenkinsci-cert@googlegroups.com\",\"affectedData\":[{\"vendor\":\"Jenkins Project\",\"product\":\"Jenkins\",\"defaultStatus\":\"affected\",\"versions\":[{\"version\":\"2.555\",\"lessThan\":\"*\",\"versionType\":\"maven\",\"status\":\"unaffected\"},{\"version\":\"2.541.3\",\"lessThan\":\"2.541.*\",\"versionType\":\"maven\",\"status\":\"unaffected\"}]}]},{\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\",\"affectedData\":[{\"vendor\":\"Red Hat\",\"product\":\"OpenShift Developer Tools and Services 4.12\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:ocp_tools:4.12::el8\"]},{\"vendor\":\"Red Hat\",\"product\":\"OpenShift Developer Tools and Services 4.13\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:ocp_tools:4.13::el8\"]},{\"vendor\":\"Red Hat\",\"product\":\"OpenShift Developer Tools and Services 4.14\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:ocp_tools:4.14::el8\"]},{\"vendor\":\"Red Hat\",\"product\":\"OpenShift Developer Tools and Services 4.15\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:ocp_tools:4.15::el8\"]},{\"vendor\":\"Red Hat\",\"product\":\"OpenShift Developer Tools and Services 4.16\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:ocp_tools:4.16::el9\"]},{\"vendor\":\"Red Hat\",\"product\":\"OpenShift Developer Tools and Services 4.17\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:ocp_tools:4.17::el9\"]},{\"vendor\":\"Red Hat\",\"product\":\"OpenShift Developer Tools and Services 4.18\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:ocp_tools:4.18::el9\"]},{\"vendor\":\"Red Hat\",\"product\":\"OpenShift Developer Tools and Services 4.19\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:ocp_tools:4.19::el9\"]},{\"vendor\":\"Red Hat\",\"product\":\"OpenShift Developer Tools and Services 4.21\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:ocp_tools:4.21::el9\"]},{\"vendor\":\"Red Hat\",\"product\":\"OpenShift Developer Tools and Services 4.2\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:ocp_tools:4.20::el9\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Developer Hub\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:rhdh:1\"]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9},{\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.0,\"impactScore\":6.0}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-03-19T03:55:23.659873Z\",\"id\":\"CVE-2026-33001\",\"options\":[{\"exploitation\":\"none\"},{\"automatable\":\"no\"},{\"technicalImpact\":\"total\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-59\"}]},{\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*\",\"versionEndExcluding\":\"2.541.3\",\"matchCriteriaId\":\"74E8B1F1-D28F-4BC1-B50C-F736D7FA12B1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:jenkins:jenkins:*:*:*:*:-:*:*:*\",\"versionEndExcluding\":\"2.555\",\"matchCriteriaId\":\"D1012DE2-C6E3-4BEA-BA8E-C83B07D8DD25\"}]}]}],\"references\":[{\"url\":\"https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3657\",\"source\":\"jenkinsci-cert@googlegroups.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:10199\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:10201\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:10204\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:10205\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:10206\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:10209\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:10211\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:10213\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:10214\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:10215\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/security/cve/CVE-2026-33001\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=2448645\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-33001.json\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-33001\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-19T03:55:23.659873Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-59\", \"description\": \"CWE-59 Improper Link Resolution Before File Access (\u0027Link Following\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-18T15:50:18.837Z\"}}], \"cna\": {\"affected\": [{\"vendor\": \"Jenkins Project\", \"product\": \"Jenkins\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"2.555\", \"lessThan\": \"*\", \"versionType\": \"maven\"}, {\"status\": \"unaffected\", \"version\": \"2.541.3\", \"lessThan\": \"2.541.*\", \"versionType\": \"maven\"}], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3657\", \"name\": \"Jenkins Security Advisory 2026-03-18\", \"tags\": [\"vendor-advisory\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Jenkins 2.554 and earlier, LTS 2.541.2 and earlier does not safely handle symbolic links during the extraction of .tar and .tar.gz archives, allowing crafted archives to write files to arbitrary locations on the filesystem, restricted only by file system access permissions of the user running Jenkins.\\nThis can be exploited to deploy malicious scripts or plugins on the controller by attackers with Item/Configure permission, or able to control agent processes.\"}], \"providerMetadata\": {\"orgId\": \"39769cd5-e6e2-4dc8-927e-97b3aa056f5b\", \"shortName\": \"jenkins\", \"dateUpdated\": \"2026-03-18T15:15:23.950Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-33001\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-19T12:58:23.233Z\", \"dateReserved\": \"2026-03-17T15:04:07.615Z\", \"assignerOrgId\": \"39769cd5-e6e2-4dc8-927e-97b3aa056f5b\", \"datePublished\": \"2026-03-18T15:15:23.950Z\", \"assignerShortName\": \"jenkins\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
bit-jenkins-2026-33001
Vulnerability from bitnami_vulndb
Published
2026-03-20 09:15
Modified
2026-03-20 09:47
Summary
Details
Jenkins 2.554 and earlier, LTS 2.541.2 and earlier does not safely handle symbolic links during the extraction of .tar and .tar.gz archives, allowing crafted archives to write files to arbitrary locations on the filesystem, restricted only by file system access permissions of the user running Jenkins. This can be exploited to deploy malicious scripts or plugins on the controller by attackers with Item/Configure permission, or able to control agent processes.
{
"affected": [
{
"package": {
"ecosystem": "Bitnami",
"name": "jenkins",
"purl": "pkg:bitnami/jenkins"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.541.3"
},
{
"introduced": "2.542.0"
},
{
"fixed": "2.555.0"
}
],
"type": "SEMVER"
}
],
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
],
"aliases": [
"CVE-2026-33001"
],
"database_specific": {
"cpes": [
"cpe:2.3:a:jenkins:jenkins:*:*:*:*:*:maven:*:*"
],
"severity": "High"
},
"details": "Jenkins 2.554 and earlier, LTS 2.541.2 and earlier does not safely handle symbolic links during the extraction of .tar and .tar.gz archives, allowing crafted archives to write files to arbitrary locations on the filesystem, restricted only by file system access permissions of the user running Jenkins.\nThis can be exploited to deploy malicious scripts or plugins on the controller by attackers with Item/Configure permission, or able to control agent processes.",
"id": "BIT-jenkins-2026-33001",
"modified": "2026-03-20T09:47:33.381Z",
"published": "2026-03-20T09:15:10.344Z",
"references": [
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33001"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3657"
}
],
"schema_version": "1.6.2"
}
FKIE_CVE-2026-33001
Vulnerability from fkie_nvd - Published: 2026-03-18 16:16 - Updated: 2026-06-30 03:18
Severity
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Summary
Jenkins 2.554 and earlier, LTS 2.541.2 and earlier does not safely handle symbolic links during the extraction of .tar and .tar.gz archives, allowing crafted archives to write files to arbitrary locations on the filesystem, restricted only by file system access permissions of the user running Jenkins.
This can be exploited to deploy malicious scripts or plugins on the controller by attackers with Item/Configure permission, or able to control agent processes.
References
{
"affected": [
{
"affectedData": [
{
"defaultStatus": "affected",
"product": "Jenkins",
"vendor": "Jenkins Project",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "2.555",
"versionType": "maven"
},
{
"lessThan": "2.541.*",
"status": "unaffected",
"version": "2.541.3",
"versionType": "maven"
}
]
}
],
"source": "jenkinsci-cert@googlegroups.com"
},
{
"affectedData": [
{
"cpes": [
"cpe:/a:redhat:ocp_tools:4.12::el8"
],
"defaultStatus": "affected",
"product": "OpenShift Developer Tools and Services 4.12",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ocp_tools:4.13::el8"
],
"defaultStatus": "affected",
"product": "OpenShift Developer Tools and Services 4.13",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ocp_tools:4.14::el8"
],
"defaultStatus": "affected",
"product": "OpenShift Developer Tools and Services 4.14",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ocp_tools:4.15::el8"
],
"defaultStatus": "affected",
"product": "OpenShift Developer Tools and Services 4.15",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ocp_tools:4.16::el9"
],
"defaultStatus": "affected",
"product": "OpenShift Developer Tools and Services 4.16",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ocp_tools:4.17::el9"
],
"defaultStatus": "affected",
"product": "OpenShift Developer Tools and Services 4.17",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ocp_tools:4.18::el9"
],
"defaultStatus": "affected",
"product": "OpenShift Developer Tools and Services 4.18",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ocp_tools:4.19::el9"
],
"defaultStatus": "affected",
"product": "OpenShift Developer Tools and Services 4.19",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ocp_tools:4.21::el9"
],
"defaultStatus": "affected",
"product": "OpenShift Developer Tools and Services 4.21",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:ocp_tools:4.20::el9"
],
"defaultStatus": "affected",
"product": "OpenShift Developer Tools and Services 4.2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhdh:1"
],
"defaultStatus": "affected",
"product": "Red Hat Developer Hub",
"vendor": "Red Hat"
}
],
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c"
}
],
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*",
"matchCriteriaId": "74E8B1F1-D28F-4BC1-B50C-F736D7FA12B1",
"versionEndExcluding": "2.541.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:jenkins:jenkins:*:*:*:*:-:*:*:*",
"matchCriteriaId": "D1012DE2-C6E3-4BEA-BA8E-C83B07D8DD25",
"versionEndExcluding": "2.555",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Jenkins 2.554 and earlier, LTS 2.541.2 and earlier does not safely handle symbolic links during the extraction of .tar and .tar.gz archives, allowing crafted archives to write files to arbitrary locations on the filesystem, restricted only by file system access permissions of the user running Jenkins.\nThis can be exploited to deploy malicious scripts or plugins on the controller by attackers with Item/Configure permission, or able to control agent processes."
},
{
"lang": "es",
"value": "Jenkins 2.554 y anteriores, LTS 2.541.2 y anteriores no maneja de forma segura los enlaces simb\u00f3licos durante la extracci\u00f3n de archivos .tar y .tar.gz, permitiendo que archivos especialmente dise\u00f1ados escriban archivos en ubicaciones arbitrarias del sistema de archivos, restringido \u00fanicamente por los permisos de acceso al sistema de archivos del usuario que ejecuta Jenkins. Esto puede ser explotado para desplegar scripts o plugins maliciosos en el controlador por atacantes con permiso de Elemento/Configurar, o capaces de controlar procesos de agente."
}
],
"id": "CVE-2026-33001",
"lastModified": "2026-06-30T03:18:35.567",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.0,
"impactScore": 6.0,
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"type": "Secondary"
}
],
"ssvcV203": [
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"ssvcData": {
"id": "CVE-2026-33001",
"options": [
{
"exploitation": "none"
},
{
"automatable": "no"
},
{
"technicalImpact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-19T03:55:23.659873Z",
"version": "2.0.3"
}
}
]
},
"published": "2026-03-18T16:16:28.067",
"references": [
{
"source": "jenkinsci-cert@googlegroups.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3657"
},
{
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"url": "https://access.redhat.com/errata/RHSA-2026:10199"
},
{
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"url": "https://access.redhat.com/errata/RHSA-2026:10201"
},
{
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"url": "https://access.redhat.com/errata/RHSA-2026:10204"
},
{
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"url": "https://access.redhat.com/errata/RHSA-2026:10205"
},
{
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"url": "https://access.redhat.com/errata/RHSA-2026:10206"
},
{
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"url": "https://access.redhat.com/errata/RHSA-2026:10209"
},
{
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"url": "https://access.redhat.com/errata/RHSA-2026:10211"
},
{
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"url": "https://access.redhat.com/errata/RHSA-2026:10213"
},
{
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"url": "https://access.redhat.com/errata/RHSA-2026:10214"
},
{
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"url": "https://access.redhat.com/errata/RHSA-2026:10215"
},
{
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"url": "https://access.redhat.com/security/cve/CVE-2026-33001"
},
{
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448645"
},
{
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-33001.json"
}
],
"sourceIdentifier": "jenkinsci-cert@googlegroups.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-59"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"type": "Secondary"
}
]
}
GHSA-R6QV-FRPC-Q66C
Vulnerability from github – Published: 2026-03-18 18:31 – Updated: 2026-03-19 23:22
VLAI
Summary
Jenkins has a link following vulnerability allows arbitrary file creation
Details
Jenkins 2.554 and earlier, LTS 2.541.2 and earlier does not safely handle symbolic links during the extraction of .tar and .tar.gz archives, allowing crafted archives to write files to arbitrary locations on the filesystem, restricted only by file system access permissions of the user running Jenkins. This can be exploited to deploy malicious scripts or plugins on the controller by attackers with Item/Configure permission, or able to control agent processes.
Severity
8.8 (High)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.554"
},
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.main:jenkins-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.555"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33001"
],
"database_specific": {
"cwe_ids": [
"CWE-59",
"CWE-61"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-19T12:46:21Z",
"nvd_published_at": "2026-03-18T16:16:28Z",
"severity": "HIGH"
},
"details": "Jenkins 2.554 and earlier, LTS 2.541.2 and earlier does not safely handle symbolic links during the extraction of .tar and .tar.gz archives, allowing crafted archives to write files to arbitrary locations on the filesystem, restricted only by file system access permissions of the user running Jenkins.\nThis can be exploited to deploy malicious scripts or plugins on the controller by attackers with Item/Configure permission, or able to control agent processes.",
"id": "GHSA-r6qv-frpc-q66c",
"modified": "2026-03-19T23:22:20Z",
"published": "2026-03-18T18:31:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33001"
},
{
"type": "WEB",
"url": "https://github.com/jenkinsci/jenkins/commit/6dc99937605d5bddfeaae43a4cd14c2571e23adc"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/jenkins"
},
{
"type": "WEB",
"url": "https://github.com/jenkinsci/jenkins/releases/tag/jenkins-2.555"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3657"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Jenkins has a link following vulnerability allows arbitrary file creation"
}
RHSA-2026:10199
Vulnerability from csaf_redhat - Published: 2026-04-23 16:00 - Updated: 2026-06-30 04:26Summary
Red Hat Security Advisory: Release of Red Hat OpenShift Developer Tools - Openshift Jenkins 4.21 security update.
Severity
Important
Notes
Topic: An update for Openshift Jenkins is now available for Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.21.
Details: Release of Red Hat OpenShift Developer Tools - Openshift Jenkins 4.21 security update.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in jose4j. A remote attacker can exploit this by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression. This can lead to a Denial of Service, making the service unavailable to legitimate users.
7.5 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x | — |
Vendor Fix
fix
|
Known not affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x | — |
Threats
Impact
Important
A flaw was found in Jenkins. This vulnerability, identified as a stored cross-site scripting (XSS) issue, occurs because Jenkins does not properly escape the user-provided description for the "Mark temporarily offline" cause. An attacker with Agent/Configure or Agent/Disconnect permissions can exploit this to inject malicious scripts, leading to potential information disclosure or unauthorized actions within the user's browser.
4.6 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x | — |
Vendor Fix
fix
|
Known not affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x | — |
Threats
Impact
Moderate
A flaw was found in Jenkins. An attacker with Item/Build and Item/Configure permissions can exploit this vulnerability by submitting Run Parameter values that refer to builds they do not have authorization to access. This allows the attacker to obtain sensitive information, including the existence of jobs, the existence of builds, and the display names of specific builds. This is an information disclosure vulnerability.
4.3 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x | — |
Vendor Fix
fix
|
Known not affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x | — |
Threats
Impact
Moderate
A flaw was found in Jenkins. This vulnerability allows attackers with Item/Configure permission, or those who can control agent processes, to exploit unsafe handling of symbolic links during the extraction of .tar and .tar.gz archives. By crafting malicious archives, an attacker can write files to arbitrary locations on the filesystem. This could enable the deployment of malicious scripts or plugins on the Jenkins controller, potentially leading to unauthorized code execution.
8.8 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x | — |
Vendor Fix
fix
|
Known not affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x | — |
Threats
Impact
Important
References
29 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for Openshift Jenkins is now available for Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.21.",
"title": "Topic"
},
{
"category": "general",
"text": "Release of Red Hat OpenShift Developer Tools - Openshift Jenkins 4.21 security update.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:10199",
"url": "https://access.redhat.com/errata/RHSA-2026:10199"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2024-29371",
"url": "https://access.redhat.com/security/cve/CVE-2024-29371"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-27099",
"url": "https://access.redhat.com/security/cve/CVE-2026-27099"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-27100",
"url": "https://access.redhat.com/security/cve/CVE-2026-27100"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-33001",
"url": "https://access.redhat.com/security/cve/CVE-2026-33001"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://docs.redhat.com/en/documentation/openshift_container_platform/4.21/html/jenkins",
"url": "https://docs.redhat.com/en/documentation/openshift_container_platform/4.21/html/jenkins"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_10199.json"
}
],
"title": "Red Hat Security Advisory: Release of Red Hat OpenShift Developer Tools - Openshift Jenkins 4.21 security update.",
"tracking": {
"current_release_date": "2026-06-30T04:26:38+00:00",
"generator": {
"date": "2026-06-30T04:26:38+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.3.0"
}
},
"id": "RHSA-2026:10199",
"initial_release_date": "2026-04-23T16:00:39+00:00",
"revision_history": [
{
"date": "2026-04-23T16:00:39+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-04-23T16:00:47+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-06-30T04:26:38+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "OpenShift Developer Tools and Services 4.21",
"product": {
"name": "OpenShift Developer Tools and Services 4.21",
"product_id": "OpenShift Developer Tools and Services 4.21",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:ocp_tools:4.21::el9"
}
}
}
],
"category": "product_family",
"name": "OpenShift Developer Tools and Services"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel9@sha256%3A960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd?arch=amd64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944183"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-rhel9@sha256%3A0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630?arch=amd64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944215"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel9@sha256%3A486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97?arch=arm64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944183"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-rhel9@sha256%3A1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4?arch=arm64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944215"
}
}
}
],
"category": "architecture",
"name": "arm64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel9@sha256%3Aa41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190?arch=ppc64le\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944183"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-rhel9@sha256%3Aab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454?arch=ppc64le\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944215"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel9@sha256%3Acef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96?arch=s390x\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944183"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-rhel9@sha256%3Ab453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7?arch=s390x\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944215"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64 as a component of OpenShift Developer Tools and Services 4.21",
"product_id": "OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.21"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64 as a component of OpenShift Developer Tools and Services 4.21",
"product_id": "OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.21"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le as a component of OpenShift Developer Tools and Services 4.21",
"product_id": "OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.21"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x as a component of OpenShift Developer Tools and Services 4.21",
"product_id": "OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.21"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64 as a component of OpenShift Developer Tools and Services 4.21",
"product_id": "OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.21"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64 as a component of OpenShift Developer Tools and Services 4.21",
"product_id": "OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.21"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le as a component of OpenShift Developer Tools and Services 4.21",
"product_id": "OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.21"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x as a component of OpenShift Developer Tools and Services 4.21",
"product_id": "OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.21"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-29371",
"cwe": {
"id": "CWE-409",
"name": "Improper Handling of Highly Compressed Data (Data Amplification)"
},
"discovery_date": "2025-12-17T16:01:18.173727+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2423194"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in jose4j. A remote attacker can exploit this by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression. This can lead to a Denial of Service, making the service unavailable to legitimate users.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jose4j: jose4j: Denial of Service via malicious JSON Web Encryption (JWE) token compression",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated Important as it can lead to a Denial of Service in applications that process untrusted JSON Web Encryption tokens. An attacker can craft a malicious JWE token with an exceptionally high compression ratio, causing excessive memory allocation and processing time during decompression in affected components like jose4j. This affects products such as Red Hat AMQ, Enterprise Application Platform (EAP 8.0.z, 8.1.z), Red Hat JBoss Fuse, JBoss Data Grid, OpenShift Developer Tools \u0026 Services, Red Hat build of Apache Camel, Red Hat Integration, Red Hat OpenShift Dev Spaces, Red Hat Process Automation Manager, Red Hat Single Sign-On (RH-SSO), Insights, cloud.redhat.com, and OpenShift Serverless.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-29371"
},
{
"category": "external",
"summary": "RHBZ#2423194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2423194"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-29371",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-29371"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-29371",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29371"
},
{
"category": "external",
"summary": "https://bitbucket.org/b_c/jose4j/issues/220/vuln-zip-bomb-attack",
"url": "https://bitbucket.org/b_c/jose4j/issues/220/vuln-zip-bomb-attack"
}
],
"release_date": "2025-12-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T16:00:39+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.21 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10199"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jose4j: jose4j: Denial of Service via malicious JSON Web Encryption (JWE) token compression"
},
{
"cve": "CVE-2026-27099",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2026-02-18T15:02:52.012661+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2440638"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jenkins. This vulnerability, identified as a stored cross-site scripting (XSS) issue, occurs because Jenkins does not properly escape the user-provided description for the \"Mark temporarily offline\" cause. An attacker with Agent/Configure or Agent/Disconnect permissions can exploit this to inject malicious scripts, leading to potential information disclosure or unauthorized actions within the user\u0027s browser.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.jenkins-ci.main/jenkins-core: Jenkins: Stored Cross-site Scripting (XSS) via unescaped user-provided offline cause description",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability in Jenkins allows authenticated attackers with Agent/Configure or Agent/Disconnect permissions to inject malicious scripts into the \"Mark temporarily offline\" cause description. This stored cross-site scripting (XSS) flaw can lead to information disclosure or unauthorized actions within a user\u0027s browser when viewing the affected description. Red Hat OpenShift Developer Tools \u0026 Services are affected.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-27099"
},
{
"category": "external",
"summary": "RHBZ#2440638",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440638"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-27099",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27099"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-27099",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27099"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3669",
"url": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3669"
}
],
"release_date": "2026-02-18T14:17:43.911000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T16:00:39+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.21 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10199"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "org.jenkins-ci.main/jenkins-core: Jenkins: Stored Cross-site Scripting (XSS) via unescaped user-provided offline cause description"
},
{
"cve": "CVE-2026-27100",
"cwe": {
"id": "CWE-551",
"name": "Incorrect Behavior Order: Authorization Before Parsing and Canonicalization"
},
"discovery_date": "2026-02-18T15:02:47.032150+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2440637"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jenkins. An attacker with Item/Build and Item/Configure permissions can exploit this vulnerability by submitting Run Parameter values that refer to builds they do not have authorization to access. This allows the attacker to obtain sensitive information, including the existence of jobs, the existence of builds, and the display names of specific builds. This is an information disclosure vulnerability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.jenkins-ci.main/jenkins-core: Jenkins: Information disclosure via unauthorized access to build parameters",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This information disclosure vulnerability in Jenkins allows an attacker with Item/Build and Item/Configure permissions to gain knowledge about the existence and display names of jobs and builds they are not authorized to access. This affects Jenkins instances in OpenShift Developer Tools \u0026 Services.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-27100"
},
{
"category": "external",
"summary": "RHBZ#2440637",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440637"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-27100",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27100"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-27100",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27100"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3658",
"url": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3658"
}
],
"release_date": "2026-02-18T14:17:44.672000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T16:00:39+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.21 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10199"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "org.jenkins-ci.main/jenkins-core: Jenkins: Information disclosure via unauthorized access to build parameters"
},
{
"cve": "CVE-2026-33001",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2026-03-18T16:02:14.310096+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2448645"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jenkins. This vulnerability allows attackers with Item/Configure permission, or those who can control agent processes, to exploit unsafe handling of symbolic links during the extraction of .tar and .tar.gz archives. By crafting malicious archives, an attacker can write files to arbitrary locations on the filesystem. This could enable the deployment of malicious scripts or plugins on the Jenkins controller, potentially leading to unauthorized code execution.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins: Jenkins: Arbitrary file write and potential code execution through crafted archives",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-33001"
},
{
"category": "external",
"summary": "RHBZ#2448645",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448645"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-33001",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33001"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-33001",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33001"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3657",
"url": "https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3657"
}
],
"release_date": "2026-03-18T15:15:23.950000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T16:00:39+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.21 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10199"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jenkins: Jenkins: Arbitrary file write and potential code execution through crafted archives"
}
]
}
RHSA-2026:10201
Vulnerability from csaf_redhat - Published: 2026-04-23 16:39 - Updated: 2026-06-30 04:26Summary
Red Hat Security Advisory: Release of Red Hat OpenShift Developer Tools - Openshift Jenkins 4.13 security update.
Severity
Important
Notes
Topic: An update for Openshift Jenkins is now available for Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.13.
Details: Release of Red Hat OpenShift Developer Tools - Openshift Jenkins 4.13 security update.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in jose4j. A remote attacker can exploit this by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression. This can lead to a Denial of Service, making the service unavailable to legitimate users.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64 | — |
Vendor Fix
fix
|
Known not affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64 | — |
Threats
Impact
Important
A flaw was found in Jenkins. This vulnerability, identified as a stored cross-site scripting (XSS) issue, occurs because Jenkins does not properly escape the user-provided description for the "Mark temporarily offline" cause. An attacker with Agent/Configure or Agent/Disconnect permissions can exploit this to inject malicious scripts, leading to potential information disclosure or unauthorized actions within the user's browser.
4.6 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64 | — |
Vendor Fix
fix
|
Known not affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64 | — |
Threats
Impact
Moderate
A flaw was found in Jenkins. An attacker with Item/Build and Item/Configure permissions can exploit this vulnerability by submitting Run Parameter values that refer to builds they do not have authorization to access. This allows the attacker to obtain sensitive information, including the existence of jobs, the existence of builds, and the display names of specific builds. This is an information disclosure vulnerability.
4.3 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64 | — |
Vendor Fix
fix
|
Known not affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64 | — |
Threats
Impact
Moderate
A flaw was found in Jenkins. This vulnerability allows attackers with Item/Configure permission, or those who can control agent processes, to exploit unsafe handling of symbolic links during the extraction of .tar and .tar.gz archives. By crafting malicious archives, an attacker can write files to arbitrary locations on the filesystem. This could enable the deployment of malicious scripts or plugins on the Jenkins controller, potentially leading to unauthorized code execution.
8.8 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64 | — |
Vendor Fix
fix
|
Known not affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64 | — |
Threats
Impact
Important
References
29 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for Openshift Jenkins is now available for Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.13.",
"title": "Topic"
},
{
"category": "general",
"text": "Release of Red Hat OpenShift Developer Tools - Openshift Jenkins 4.13 security update.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:10201",
"url": "https://access.redhat.com/errata/RHSA-2026:10201"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2024-29371",
"url": "https://access.redhat.com/security/cve/CVE-2024-29371"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-27099",
"url": "https://access.redhat.com/security/cve/CVE-2026-27099"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-27100",
"url": "https://access.redhat.com/security/cve/CVE-2026-27100"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-33001",
"url": "https://access.redhat.com/security/cve/CVE-2026-33001"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://docs.redhat.com/en/documentation/openshift_container_platform/4.13/html/jenkins",
"url": "https://docs.redhat.com/en/documentation/openshift_container_platform/4.13/html/jenkins"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_10201.json"
}
],
"title": "Red Hat Security Advisory: Release of Red Hat OpenShift Developer Tools - Openshift Jenkins 4.13 security update.",
"tracking": {
"current_release_date": "2026-06-30T04:26:38+00:00",
"generator": {
"date": "2026-06-30T04:26:38+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.3.0"
}
},
"id": "RHSA-2026:10201",
"initial_release_date": "2026-04-23T16:39:39+00:00",
"revision_history": [
{
"date": "2026-04-23T16:39:39+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-04-23T16:39:47+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-06-30T04:26:38+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "OpenShift Developer Tools and Services 4.13",
"product": {
"name": "OpenShift Developer Tools and Services 4.13",
"product_id": "OpenShift Developer Tools and Services 4.13",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:ocp_tools:4.13::el8"
}
}
}
],
"category": "product_family",
"name": "OpenShift Developer Tools and Services"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel8@sha256%3Aad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872?arch=amd64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776760341"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-rhel8@sha256%3A8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7?arch=amd64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776764096"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel8@sha256%3A3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230?arch=arm64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776760341"
}
}
}
],
"category": "architecture",
"name": "arm64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel8@sha256%3A7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056?arch=ppc64le\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776760341"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel8@sha256%3A3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39?arch=s390x\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776760341"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64 as a component of OpenShift Developer Tools and Services 4.13",
"product_id": "OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.13"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x as a component of OpenShift Developer Tools and Services 4.13",
"product_id": "OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.13"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le as a component of OpenShift Developer Tools and Services 4.13",
"product_id": "OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.13"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64 as a component of OpenShift Developer Tools and Services 4.13",
"product_id": "OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.13"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64 as a component of OpenShift Developer Tools and Services 4.13",
"product_id": "OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.13"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-29371",
"cwe": {
"id": "CWE-409",
"name": "Improper Handling of Highly Compressed Data (Data Amplification)"
},
"discovery_date": "2025-12-17T16:01:18.173727+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2423194"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in jose4j. A remote attacker can exploit this by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression. This can lead to a Denial of Service, making the service unavailable to legitimate users.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jose4j: jose4j: Denial of Service via malicious JSON Web Encryption (JWE) token compression",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated Important as it can lead to a Denial of Service in applications that process untrusted JSON Web Encryption tokens. An attacker can craft a malicious JWE token with an exceptionally high compression ratio, causing excessive memory allocation and processing time during decompression in affected components like jose4j. This affects products such as Red Hat AMQ, Enterprise Application Platform (EAP 8.0.z, 8.1.z), Red Hat JBoss Fuse, JBoss Data Grid, OpenShift Developer Tools \u0026 Services, Red Hat build of Apache Camel, Red Hat Integration, Red Hat OpenShift Dev Spaces, Red Hat Process Automation Manager, Red Hat Single Sign-On (RH-SSO), Insights, cloud.redhat.com, and OpenShift Serverless.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-29371"
},
{
"category": "external",
"summary": "RHBZ#2423194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2423194"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-29371",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-29371"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-29371",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29371"
},
{
"category": "external",
"summary": "https://bitbucket.org/b_c/jose4j/issues/220/vuln-zip-bomb-attack",
"url": "https://bitbucket.org/b_c/jose4j/issues/220/vuln-zip-bomb-attack"
}
],
"release_date": "2025-12-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T16:39:39+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.13 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10201"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jose4j: jose4j: Denial of Service via malicious JSON Web Encryption (JWE) token compression"
},
{
"cve": "CVE-2026-27099",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2026-02-18T15:02:52.012661+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2440638"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jenkins. This vulnerability, identified as a stored cross-site scripting (XSS) issue, occurs because Jenkins does not properly escape the user-provided description for the \"Mark temporarily offline\" cause. An attacker with Agent/Configure or Agent/Disconnect permissions can exploit this to inject malicious scripts, leading to potential information disclosure or unauthorized actions within the user\u0027s browser.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.jenkins-ci.main/jenkins-core: Jenkins: Stored Cross-site Scripting (XSS) via unescaped user-provided offline cause description",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability in Jenkins allows authenticated attackers with Agent/Configure or Agent/Disconnect permissions to inject malicious scripts into the \"Mark temporarily offline\" cause description. This stored cross-site scripting (XSS) flaw can lead to information disclosure or unauthorized actions within a user\u0027s browser when viewing the affected description. Red Hat OpenShift Developer Tools \u0026 Services are affected.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-27099"
},
{
"category": "external",
"summary": "RHBZ#2440638",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440638"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-27099",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27099"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-27099",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27099"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3669",
"url": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3669"
}
],
"release_date": "2026-02-18T14:17:43.911000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T16:39:39+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.13 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10201"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "org.jenkins-ci.main/jenkins-core: Jenkins: Stored Cross-site Scripting (XSS) via unescaped user-provided offline cause description"
},
{
"cve": "CVE-2026-27100",
"cwe": {
"id": "CWE-551",
"name": "Incorrect Behavior Order: Authorization Before Parsing and Canonicalization"
},
"discovery_date": "2026-02-18T15:02:47.032150+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2440637"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jenkins. An attacker with Item/Build and Item/Configure permissions can exploit this vulnerability by submitting Run Parameter values that refer to builds they do not have authorization to access. This allows the attacker to obtain sensitive information, including the existence of jobs, the existence of builds, and the display names of specific builds. This is an information disclosure vulnerability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.jenkins-ci.main/jenkins-core: Jenkins: Information disclosure via unauthorized access to build parameters",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This information disclosure vulnerability in Jenkins allows an attacker with Item/Build and Item/Configure permissions to gain knowledge about the existence and display names of jobs and builds they are not authorized to access. This affects Jenkins instances in OpenShift Developer Tools \u0026 Services.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-27100"
},
{
"category": "external",
"summary": "RHBZ#2440637",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440637"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-27100",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27100"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-27100",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27100"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3658",
"url": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3658"
}
],
"release_date": "2026-02-18T14:17:44.672000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T16:39:39+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.13 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10201"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "org.jenkins-ci.main/jenkins-core: Jenkins: Information disclosure via unauthorized access to build parameters"
},
{
"cve": "CVE-2026-33001",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2026-03-18T16:02:14.310096+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2448645"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jenkins. This vulnerability allows attackers with Item/Configure permission, or those who can control agent processes, to exploit unsafe handling of symbolic links during the extraction of .tar and .tar.gz archives. By crafting malicious archives, an attacker can write files to arbitrary locations on the filesystem. This could enable the deployment of malicious scripts or plugins on the Jenkins controller, potentially leading to unauthorized code execution.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins: Jenkins: Arbitrary file write and potential code execution through crafted archives",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-33001"
},
{
"category": "external",
"summary": "RHBZ#2448645",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448645"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-33001",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33001"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-33001",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33001"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3657",
"url": "https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3657"
}
],
"release_date": "2026-03-18T15:15:23.950000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T16:39:39+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.13 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10201"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jenkins: Jenkins: Arbitrary file write and potential code execution through crafted archives"
}
]
}
RHSA-2026:10204
Vulnerability from csaf_redhat - Published: 2026-04-23 16:56 - Updated: 2026-06-30 04:26Summary
Red Hat Security Advisory: Release of Red Hat OpenShift Developer Tools - Openshift Jenkins 4.15 security update.
Severity
Important
Notes
Topic: An update for Openshift Jenkins is now available for Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.15.
Details: Release of Red Hat OpenShift Developer Tools - Openshift Jenkins 4.15 security update.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in jose4j. A remote attacker can exploit this by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression. This can lead to a Denial of Service, making the service unavailable to legitimate users.
7.5 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x | — |
Vendor Fix
fix
|
Known not affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64 | — |
Threats
Impact
Important
A flaw was found in Jenkins. This vulnerability, identified as a stored cross-site scripting (XSS) issue, occurs because Jenkins does not properly escape the user-provided description for the "Mark temporarily offline" cause. An attacker with Agent/Configure or Agent/Disconnect permissions can exploit this to inject malicious scripts, leading to potential information disclosure or unauthorized actions within the user's browser.
4.6 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x | — |
Vendor Fix
fix
|
Known not affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64 | — |
Threats
Impact
Moderate
A flaw was found in Jenkins. An attacker with Item/Build and Item/Configure permissions can exploit this vulnerability by submitting Run Parameter values that refer to builds they do not have authorization to access. This allows the attacker to obtain sensitive information, including the existence of jobs, the existence of builds, and the display names of specific builds. This is an information disclosure vulnerability.
4.3 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x | — |
Vendor Fix
fix
|
Known not affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64 | — |
Threats
Impact
Moderate
A flaw was found in Jenkins. This vulnerability allows attackers with Item/Configure permission, or those who can control agent processes, to exploit unsafe handling of symbolic links during the extraction of .tar and .tar.gz archives. By crafting malicious archives, an attacker can write files to arbitrary locations on the filesystem. This could enable the deployment of malicious scripts or plugins on the Jenkins controller, potentially leading to unauthorized code execution.
8.8 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x | — |
Vendor Fix
fix
|
Known not affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64 | — |
Threats
Impact
Important
References
29 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for Openshift Jenkins is now available for Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.15.",
"title": "Topic"
},
{
"category": "general",
"text": "Release of Red Hat OpenShift Developer Tools - Openshift Jenkins 4.15 security update.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:10204",
"url": "https://access.redhat.com/errata/RHSA-2026:10204"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2024-29371",
"url": "https://access.redhat.com/security/cve/CVE-2024-29371"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-27099",
"url": "https://access.redhat.com/security/cve/CVE-2026-27099"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-27100",
"url": "https://access.redhat.com/security/cve/CVE-2026-27100"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-33001",
"url": "https://access.redhat.com/security/cve/CVE-2026-33001"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://docs.redhat.com/en/documentation/openshift_container_platform/4.15/html/jenkins",
"url": "https://docs.redhat.com/en/documentation/openshift_container_platform/4.15/html/jenkins"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_10204.json"
}
],
"title": "Red Hat Security Advisory: Release of Red Hat OpenShift Developer Tools - Openshift Jenkins 4.15 security update.",
"tracking": {
"current_release_date": "2026-06-30T04:26:38+00:00",
"generator": {
"date": "2026-06-30T04:26:38+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.3.0"
}
},
"id": "RHSA-2026:10204",
"initial_release_date": "2026-04-23T16:56:17+00:00",
"revision_history": [
{
"date": "2026-04-23T16:56:17+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-04-23T16:56:26+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-06-30T04:26:38+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "OpenShift Developer Tools and Services 4.15",
"product": {
"name": "OpenShift Developer Tools and Services 4.15",
"product_id": "OpenShift Developer Tools and Services 4.15",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:ocp_tools:4.15::el8"
}
}
}
],
"category": "product_family",
"name": "OpenShift Developer Tools and Services"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel8@sha256%3Aad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872?arch=amd64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776760341"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-rhel8@sha256%3A5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d?arch=amd64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776762347"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel8@sha256%3A3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230?arch=arm64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776760341"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-rhel8@sha256%3Aec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae?arch=arm64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776762347"
}
}
}
],
"category": "architecture",
"name": "arm64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel8@sha256%3A7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056?arch=ppc64le\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776760341"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-rhel8@sha256%3A02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c?arch=ppc64le\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776762347"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel8@sha256%3A3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39?arch=s390x\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776760341"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-rhel8@sha256%3Afa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8?arch=s390x\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776762347"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64 as a component of OpenShift Developer Tools and Services 4.15",
"product_id": "OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.15"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x as a component of OpenShift Developer Tools and Services 4.15",
"product_id": "OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.15"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le as a component of OpenShift Developer Tools and Services 4.15",
"product_id": "OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.15"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64 as a component of OpenShift Developer Tools and Services 4.15",
"product_id": "OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.15"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le as a component of OpenShift Developer Tools and Services 4.15",
"product_id": "OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.15"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64 as a component of OpenShift Developer Tools and Services 4.15",
"product_id": "OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.15"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64 as a component of OpenShift Developer Tools and Services 4.15",
"product_id": "OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.15"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x as a component of OpenShift Developer Tools and Services 4.15",
"product_id": "OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.15"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-29371",
"cwe": {
"id": "CWE-409",
"name": "Improper Handling of Highly Compressed Data (Data Amplification)"
},
"discovery_date": "2025-12-17T16:01:18.173727+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2423194"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in jose4j. A remote attacker can exploit this by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression. This can lead to a Denial of Service, making the service unavailable to legitimate users.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jose4j: jose4j: Denial of Service via malicious JSON Web Encryption (JWE) token compression",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated Important as it can lead to a Denial of Service in applications that process untrusted JSON Web Encryption tokens. An attacker can craft a malicious JWE token with an exceptionally high compression ratio, causing excessive memory allocation and processing time during decompression in affected components like jose4j. This affects products such as Red Hat AMQ, Enterprise Application Platform (EAP 8.0.z, 8.1.z), Red Hat JBoss Fuse, JBoss Data Grid, OpenShift Developer Tools \u0026 Services, Red Hat build of Apache Camel, Red Hat Integration, Red Hat OpenShift Dev Spaces, Red Hat Process Automation Manager, Red Hat Single Sign-On (RH-SSO), Insights, cloud.redhat.com, and OpenShift Serverless.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-29371"
},
{
"category": "external",
"summary": "RHBZ#2423194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2423194"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-29371",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-29371"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-29371",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29371"
},
{
"category": "external",
"summary": "https://bitbucket.org/b_c/jose4j/issues/220/vuln-zip-bomb-attack",
"url": "https://bitbucket.org/b_c/jose4j/issues/220/vuln-zip-bomb-attack"
}
],
"release_date": "2025-12-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T16:56:17+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.15 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10204"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jose4j: jose4j: Denial of Service via malicious JSON Web Encryption (JWE) token compression"
},
{
"cve": "CVE-2026-27099",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2026-02-18T15:02:52.012661+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2440638"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jenkins. This vulnerability, identified as a stored cross-site scripting (XSS) issue, occurs because Jenkins does not properly escape the user-provided description for the \"Mark temporarily offline\" cause. An attacker with Agent/Configure or Agent/Disconnect permissions can exploit this to inject malicious scripts, leading to potential information disclosure or unauthorized actions within the user\u0027s browser.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.jenkins-ci.main/jenkins-core: Jenkins: Stored Cross-site Scripting (XSS) via unescaped user-provided offline cause description",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability in Jenkins allows authenticated attackers with Agent/Configure or Agent/Disconnect permissions to inject malicious scripts into the \"Mark temporarily offline\" cause description. This stored cross-site scripting (XSS) flaw can lead to information disclosure or unauthorized actions within a user\u0027s browser when viewing the affected description. Red Hat OpenShift Developer Tools \u0026 Services are affected.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-27099"
},
{
"category": "external",
"summary": "RHBZ#2440638",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440638"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-27099",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27099"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-27099",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27099"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3669",
"url": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3669"
}
],
"release_date": "2026-02-18T14:17:43.911000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T16:56:17+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.15 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10204"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "org.jenkins-ci.main/jenkins-core: Jenkins: Stored Cross-site Scripting (XSS) via unescaped user-provided offline cause description"
},
{
"cve": "CVE-2026-27100",
"cwe": {
"id": "CWE-551",
"name": "Incorrect Behavior Order: Authorization Before Parsing and Canonicalization"
},
"discovery_date": "2026-02-18T15:02:47.032150+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2440637"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jenkins. An attacker with Item/Build and Item/Configure permissions can exploit this vulnerability by submitting Run Parameter values that refer to builds they do not have authorization to access. This allows the attacker to obtain sensitive information, including the existence of jobs, the existence of builds, and the display names of specific builds. This is an information disclosure vulnerability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.jenkins-ci.main/jenkins-core: Jenkins: Information disclosure via unauthorized access to build parameters",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This information disclosure vulnerability in Jenkins allows an attacker with Item/Build and Item/Configure permissions to gain knowledge about the existence and display names of jobs and builds they are not authorized to access. This affects Jenkins instances in OpenShift Developer Tools \u0026 Services.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-27100"
},
{
"category": "external",
"summary": "RHBZ#2440637",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440637"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-27100",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27100"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-27100",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27100"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3658",
"url": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3658"
}
],
"release_date": "2026-02-18T14:17:44.672000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T16:56:17+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.15 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10204"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "org.jenkins-ci.main/jenkins-core: Jenkins: Information disclosure via unauthorized access to build parameters"
},
{
"cve": "CVE-2026-33001",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2026-03-18T16:02:14.310096+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2448645"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jenkins. This vulnerability allows attackers with Item/Configure permission, or those who can control agent processes, to exploit unsafe handling of symbolic links during the extraction of .tar and .tar.gz archives. By crafting malicious archives, an attacker can write files to arbitrary locations on the filesystem. This could enable the deployment of malicious scripts or plugins on the Jenkins controller, potentially leading to unauthorized code execution.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins: Jenkins: Arbitrary file write and potential code execution through crafted archives",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-33001"
},
{
"category": "external",
"summary": "RHBZ#2448645",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448645"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-33001",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33001"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-33001",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33001"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3657",
"url": "https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3657"
}
],
"release_date": "2026-03-18T15:15:23.950000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T16:56:17+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.15 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10204"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jenkins: Jenkins: Arbitrary file write and potential code execution through crafted archives"
}
]
}
RHSA-2026:10205
Vulnerability from csaf_redhat - Published: 2026-04-23 17:06 - Updated: 2026-06-30 04:26Summary
Red Hat Security Advisory: Release of Red Hat OpenShift Developer Tools - Openshift Jenkins 4.20 security update.
Severity
Important
Notes
Topic: An update for Openshift Jenkins is now available for Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.20.
Details: Release of Red Hat OpenShift Developer Tools - Openshift Jenkins 4.20 security update.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in jose4j. A remote attacker can exploit this by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression. This can lead to a Denial of Service, making the service unavailable to legitimate users.
7.5 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x | — |
Vendor Fix
fix
|
Known not affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x | — |
Threats
Impact
Important
A flaw was found in Jenkins. This vulnerability, identified as a stored cross-site scripting (XSS) issue, occurs because Jenkins does not properly escape the user-provided description for the "Mark temporarily offline" cause. An attacker with Agent/Configure or Agent/Disconnect permissions can exploit this to inject malicious scripts, leading to potential information disclosure or unauthorized actions within the user's browser.
4.6 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x | — |
Vendor Fix
fix
|
Known not affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x | — |
Threats
Impact
Moderate
A flaw was found in Jenkins. An attacker with Item/Build and Item/Configure permissions can exploit this vulnerability by submitting Run Parameter values that refer to builds they do not have authorization to access. This allows the attacker to obtain sensitive information, including the existence of jobs, the existence of builds, and the display names of specific builds. This is an information disclosure vulnerability.
4.3 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x | — |
Vendor Fix
fix
|
Known not affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x | — |
Threats
Impact
Moderate
A flaw was found in Jenkins. This vulnerability allows attackers with Item/Configure permission, or those who can control agent processes, to exploit unsafe handling of symbolic links during the extraction of .tar and .tar.gz archives. By crafting malicious archives, an attacker can write files to arbitrary locations on the filesystem. This could enable the deployment of malicious scripts or plugins on the Jenkins controller, potentially leading to unauthorized code execution.
8.8 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x | — |
Vendor Fix
fix
|
Known not affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x | — |
Threats
Impact
Important
References
29 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for Openshift Jenkins is now available for Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.20.",
"title": "Topic"
},
{
"category": "general",
"text": "Release of Red Hat OpenShift Developer Tools - Openshift Jenkins 4.20 security update.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:10205",
"url": "https://access.redhat.com/errata/RHSA-2026:10205"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2024-29371",
"url": "https://access.redhat.com/security/cve/CVE-2024-29371"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-27099",
"url": "https://access.redhat.com/security/cve/CVE-2026-27099"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-27100",
"url": "https://access.redhat.com/security/cve/CVE-2026-27100"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-33001",
"url": "https://access.redhat.com/security/cve/CVE-2026-33001"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://docs.redhat.com/en/documentation/openshift_container_platform/4.20/html/jenkins",
"url": "https://docs.redhat.com/en/documentation/openshift_container_platform/4.20/html/jenkins"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_10205.json"
}
],
"title": "Red Hat Security Advisory: Release of Red Hat OpenShift Developer Tools - Openshift Jenkins 4.20 security update.",
"tracking": {
"current_release_date": "2026-06-30T04:26:40+00:00",
"generator": {
"date": "2026-06-30T04:26:40+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.3.0"
}
},
"id": "RHSA-2026:10205",
"initial_release_date": "2026-04-23T17:06:07+00:00",
"revision_history": [
{
"date": "2026-04-23T17:06:07+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-04-23T17:06:18+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-06-30T04:26:40+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "OpenShift Developer Tools and Services 4.2",
"product": {
"name": "OpenShift Developer Tools and Services 4.2",
"product_id": "OpenShift Developer Tools and Services 4.2",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:ocp_tools:4.20::el9"
}
}
}
],
"category": "product_family",
"name": "OpenShift Developer Tools and Services"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel9@sha256%3A960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd?arch=amd64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944183"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-rhel9@sha256%3A0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630?arch=amd64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944215"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel9@sha256%3A486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97?arch=arm64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944183"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-rhel9@sha256%3A1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4?arch=arm64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944215"
}
}
}
],
"category": "architecture",
"name": "arm64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel9@sha256%3Aa41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190?arch=ppc64le\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944183"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-rhel9@sha256%3Aab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454?arch=ppc64le\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944215"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel9@sha256%3Acef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96?arch=s390x\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944183"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-rhel9@sha256%3Ab453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7?arch=s390x\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944215"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64 as a component of OpenShift Developer Tools and Services 4.2",
"product_id": "OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64 as a component of OpenShift Developer Tools and Services 4.2",
"product_id": "OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le as a component of OpenShift Developer Tools and Services 4.2",
"product_id": "OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x as a component of OpenShift Developer Tools and Services 4.2",
"product_id": "OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64 as a component of OpenShift Developer Tools and Services 4.2",
"product_id": "OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64 as a component of OpenShift Developer Tools and Services 4.2",
"product_id": "OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le as a component of OpenShift Developer Tools and Services 4.2",
"product_id": "OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x as a component of OpenShift Developer Tools and Services 4.2",
"product_id": "OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.2"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-29371",
"cwe": {
"id": "CWE-409",
"name": "Improper Handling of Highly Compressed Data (Data Amplification)"
},
"discovery_date": "2025-12-17T16:01:18.173727+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2423194"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in jose4j. A remote attacker can exploit this by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression. This can lead to a Denial of Service, making the service unavailable to legitimate users.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jose4j: jose4j: Denial of Service via malicious JSON Web Encryption (JWE) token compression",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated Important as it can lead to a Denial of Service in applications that process untrusted JSON Web Encryption tokens. An attacker can craft a malicious JWE token with an exceptionally high compression ratio, causing excessive memory allocation and processing time during decompression in affected components like jose4j. This affects products such as Red Hat AMQ, Enterprise Application Platform (EAP 8.0.z, 8.1.z), Red Hat JBoss Fuse, JBoss Data Grid, OpenShift Developer Tools \u0026 Services, Red Hat build of Apache Camel, Red Hat Integration, Red Hat OpenShift Dev Spaces, Red Hat Process Automation Manager, Red Hat Single Sign-On (RH-SSO), Insights, cloud.redhat.com, and OpenShift Serverless.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-29371"
},
{
"category": "external",
"summary": "RHBZ#2423194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2423194"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-29371",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-29371"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-29371",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29371"
},
{
"category": "external",
"summary": "https://bitbucket.org/b_c/jose4j/issues/220/vuln-zip-bomb-attack",
"url": "https://bitbucket.org/b_c/jose4j/issues/220/vuln-zip-bomb-attack"
}
],
"release_date": "2025-12-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T17:06:07+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.20 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10205"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jose4j: jose4j: Denial of Service via malicious JSON Web Encryption (JWE) token compression"
},
{
"cve": "CVE-2026-27099",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2026-02-18T15:02:52.012661+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2440638"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jenkins. This vulnerability, identified as a stored cross-site scripting (XSS) issue, occurs because Jenkins does not properly escape the user-provided description for the \"Mark temporarily offline\" cause. An attacker with Agent/Configure or Agent/Disconnect permissions can exploit this to inject malicious scripts, leading to potential information disclosure or unauthorized actions within the user\u0027s browser.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.jenkins-ci.main/jenkins-core: Jenkins: Stored Cross-site Scripting (XSS) via unescaped user-provided offline cause description",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability in Jenkins allows authenticated attackers with Agent/Configure or Agent/Disconnect permissions to inject malicious scripts into the \"Mark temporarily offline\" cause description. This stored cross-site scripting (XSS) flaw can lead to information disclosure or unauthorized actions within a user\u0027s browser when viewing the affected description. Red Hat OpenShift Developer Tools \u0026 Services are affected.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-27099"
},
{
"category": "external",
"summary": "RHBZ#2440638",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440638"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-27099",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27099"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-27099",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27099"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3669",
"url": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3669"
}
],
"release_date": "2026-02-18T14:17:43.911000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T17:06:07+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.20 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10205"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "org.jenkins-ci.main/jenkins-core: Jenkins: Stored Cross-site Scripting (XSS) via unescaped user-provided offline cause description"
},
{
"cve": "CVE-2026-27100",
"cwe": {
"id": "CWE-551",
"name": "Incorrect Behavior Order: Authorization Before Parsing and Canonicalization"
},
"discovery_date": "2026-02-18T15:02:47.032150+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2440637"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jenkins. An attacker with Item/Build and Item/Configure permissions can exploit this vulnerability by submitting Run Parameter values that refer to builds they do not have authorization to access. This allows the attacker to obtain sensitive information, including the existence of jobs, the existence of builds, and the display names of specific builds. This is an information disclosure vulnerability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.jenkins-ci.main/jenkins-core: Jenkins: Information disclosure via unauthorized access to build parameters",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This information disclosure vulnerability in Jenkins allows an attacker with Item/Build and Item/Configure permissions to gain knowledge about the existence and display names of jobs and builds they are not authorized to access. This affects Jenkins instances in OpenShift Developer Tools \u0026 Services.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-27100"
},
{
"category": "external",
"summary": "RHBZ#2440637",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440637"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-27100",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27100"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-27100",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27100"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3658",
"url": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3658"
}
],
"release_date": "2026-02-18T14:17:44.672000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T17:06:07+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.20 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10205"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "org.jenkins-ci.main/jenkins-core: Jenkins: Information disclosure via unauthorized access to build parameters"
},
{
"cve": "CVE-2026-33001",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2026-03-18T16:02:14.310096+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2448645"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jenkins. This vulnerability allows attackers with Item/Configure permission, or those who can control agent processes, to exploit unsafe handling of symbolic links during the extraction of .tar and .tar.gz archives. By crafting malicious archives, an attacker can write files to arbitrary locations on the filesystem. This could enable the deployment of malicious scripts or plugins on the Jenkins controller, potentially leading to unauthorized code execution.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins: Jenkins: Arbitrary file write and potential code execution through crafted archives",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-33001"
},
{
"category": "external",
"summary": "RHBZ#2448645",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448645"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-33001",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33001"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-33001",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33001"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3657",
"url": "https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3657"
}
],
"release_date": "2026-03-18T15:15:23.950000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T17:06:07+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.20 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10205"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jenkins: Jenkins: Arbitrary file write and potential code execution through crafted archives"
}
]
}
RHSA-2026:10206
Vulnerability from csaf_redhat - Published: 2026-04-23 17:15 - Updated: 2026-06-30 04:26Summary
Red Hat Security Advisory: Release of Red Hat OpenShift Developer Tools - Openshift Jenkins 4.19 security update.
Severity
Important
Notes
Topic: An update for Openshift Jenkins is now available for Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.19.
Details: Release of Red Hat OpenShift Developer Tools - Openshift Jenkins 4.19 security update.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in jose4j. A remote attacker can exploit this by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression. This can lead to a Denial of Service, making the service unavailable to legitimate users.
7.5 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x | — |
Vendor Fix
fix
|
Known not affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x | — |
Threats
Impact
Important
A flaw was found in Jenkins. This vulnerability, identified as a stored cross-site scripting (XSS) issue, occurs because Jenkins does not properly escape the user-provided description for the "Mark temporarily offline" cause. An attacker with Agent/Configure or Agent/Disconnect permissions can exploit this to inject malicious scripts, leading to potential information disclosure or unauthorized actions within the user's browser.
4.6 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x | — |
Vendor Fix
fix
|
Known not affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x | — |
Threats
Impact
Moderate
A flaw was found in Jenkins. An attacker with Item/Build and Item/Configure permissions can exploit this vulnerability by submitting Run Parameter values that refer to builds they do not have authorization to access. This allows the attacker to obtain sensitive information, including the existence of jobs, the existence of builds, and the display names of specific builds. This is an information disclosure vulnerability.
4.3 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x | — |
Vendor Fix
fix
|
Known not affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x | — |
Threats
Impact
Moderate
A flaw was found in Jenkins. This vulnerability allows attackers with Item/Configure permission, or those who can control agent processes, to exploit unsafe handling of symbolic links during the extraction of .tar and .tar.gz archives. By crafting malicious archives, an attacker can write files to arbitrary locations on the filesystem. This could enable the deployment of malicious scripts or plugins on the Jenkins controller, potentially leading to unauthorized code execution.
8.8 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x | — |
Vendor Fix
fix
|
Known not affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x | — |
Threats
Impact
Important
References
29 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for Openshift Jenkins is now available for Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.19.",
"title": "Topic"
},
{
"category": "general",
"text": "Release of Red Hat OpenShift Developer Tools - Openshift Jenkins 4.19 security update.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:10206",
"url": "https://access.redhat.com/errata/RHSA-2026:10206"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2024-29371",
"url": "https://access.redhat.com/security/cve/CVE-2024-29371"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-27099",
"url": "https://access.redhat.com/security/cve/CVE-2026-27099"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-27100",
"url": "https://access.redhat.com/security/cve/CVE-2026-27100"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-33001",
"url": "https://access.redhat.com/security/cve/CVE-2026-33001"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://docs.redhat.com/en/documentation/openshift_container_platform/4.19/html/jenkins",
"url": "https://docs.redhat.com/en/documentation/openshift_container_platform/4.19/html/jenkins"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_10206.json"
}
],
"title": "Red Hat Security Advisory: Release of Red Hat OpenShift Developer Tools - Openshift Jenkins 4.19 security update.",
"tracking": {
"current_release_date": "2026-06-30T04:26:40+00:00",
"generator": {
"date": "2026-06-30T04:26:40+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.3.0"
}
},
"id": "RHSA-2026:10206",
"initial_release_date": "2026-04-23T17:15:37+00:00",
"revision_history": [
{
"date": "2026-04-23T17:15:37+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-04-23T17:15:48+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-06-30T04:26:40+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "OpenShift Developer Tools and Services 4.19",
"product": {
"name": "OpenShift Developer Tools and Services 4.19",
"product_id": "OpenShift Developer Tools and Services 4.19",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:ocp_tools:4.19::el9"
}
}
}
],
"category": "product_family",
"name": "OpenShift Developer Tools and Services"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel9@sha256%3A960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd?arch=amd64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944183"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-rhel9@sha256%3A0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630?arch=amd64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944215"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel9@sha256%3A486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97?arch=arm64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944183"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-rhel9@sha256%3A1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4?arch=arm64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944215"
}
}
}
],
"category": "architecture",
"name": "arm64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel9@sha256%3Aa41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190?arch=ppc64le\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944183"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-rhel9@sha256%3Aab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454?arch=ppc64le\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944215"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel9@sha256%3Acef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96?arch=s390x\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944183"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-rhel9@sha256%3Ab453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7?arch=s390x\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944215"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64 as a component of OpenShift Developer Tools and Services 4.19",
"product_id": "OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.19"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64 as a component of OpenShift Developer Tools and Services 4.19",
"product_id": "OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.19"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le as a component of OpenShift Developer Tools and Services 4.19",
"product_id": "OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.19"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x as a component of OpenShift Developer Tools and Services 4.19",
"product_id": "OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.19"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64 as a component of OpenShift Developer Tools and Services 4.19",
"product_id": "OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.19"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64 as a component of OpenShift Developer Tools and Services 4.19",
"product_id": "OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.19"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le as a component of OpenShift Developer Tools and Services 4.19",
"product_id": "OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.19"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x as a component of OpenShift Developer Tools and Services 4.19",
"product_id": "OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.19"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-29371",
"cwe": {
"id": "CWE-409",
"name": "Improper Handling of Highly Compressed Data (Data Amplification)"
},
"discovery_date": "2025-12-17T16:01:18.173727+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2423194"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in jose4j. A remote attacker can exploit this by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression. This can lead to a Denial of Service, making the service unavailable to legitimate users.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jose4j: jose4j: Denial of Service via malicious JSON Web Encryption (JWE) token compression",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated Important as it can lead to a Denial of Service in applications that process untrusted JSON Web Encryption tokens. An attacker can craft a malicious JWE token with an exceptionally high compression ratio, causing excessive memory allocation and processing time during decompression in affected components like jose4j. This affects products such as Red Hat AMQ, Enterprise Application Platform (EAP 8.0.z, 8.1.z), Red Hat JBoss Fuse, JBoss Data Grid, OpenShift Developer Tools \u0026 Services, Red Hat build of Apache Camel, Red Hat Integration, Red Hat OpenShift Dev Spaces, Red Hat Process Automation Manager, Red Hat Single Sign-On (RH-SSO), Insights, cloud.redhat.com, and OpenShift Serverless.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-29371"
},
{
"category": "external",
"summary": "RHBZ#2423194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2423194"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-29371",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-29371"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-29371",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29371"
},
{
"category": "external",
"summary": "https://bitbucket.org/b_c/jose4j/issues/220/vuln-zip-bomb-attack",
"url": "https://bitbucket.org/b_c/jose4j/issues/220/vuln-zip-bomb-attack"
}
],
"release_date": "2025-12-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T17:15:37+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.19 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10206"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jose4j: jose4j: Denial of Service via malicious JSON Web Encryption (JWE) token compression"
},
{
"cve": "CVE-2026-27099",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2026-02-18T15:02:52.012661+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2440638"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jenkins. This vulnerability, identified as a stored cross-site scripting (XSS) issue, occurs because Jenkins does not properly escape the user-provided description for the \"Mark temporarily offline\" cause. An attacker with Agent/Configure or Agent/Disconnect permissions can exploit this to inject malicious scripts, leading to potential information disclosure or unauthorized actions within the user\u0027s browser.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.jenkins-ci.main/jenkins-core: Jenkins: Stored Cross-site Scripting (XSS) via unescaped user-provided offline cause description",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability in Jenkins allows authenticated attackers with Agent/Configure or Agent/Disconnect permissions to inject malicious scripts into the \"Mark temporarily offline\" cause description. This stored cross-site scripting (XSS) flaw can lead to information disclosure or unauthorized actions within a user\u0027s browser when viewing the affected description. Red Hat OpenShift Developer Tools \u0026 Services are affected.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-27099"
},
{
"category": "external",
"summary": "RHBZ#2440638",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440638"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-27099",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27099"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-27099",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27099"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3669",
"url": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3669"
}
],
"release_date": "2026-02-18T14:17:43.911000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T17:15:37+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.19 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10206"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "org.jenkins-ci.main/jenkins-core: Jenkins: Stored Cross-site Scripting (XSS) via unescaped user-provided offline cause description"
},
{
"cve": "CVE-2026-27100",
"cwe": {
"id": "CWE-551",
"name": "Incorrect Behavior Order: Authorization Before Parsing and Canonicalization"
},
"discovery_date": "2026-02-18T15:02:47.032150+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2440637"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jenkins. An attacker with Item/Build and Item/Configure permissions can exploit this vulnerability by submitting Run Parameter values that refer to builds they do not have authorization to access. This allows the attacker to obtain sensitive information, including the existence of jobs, the existence of builds, and the display names of specific builds. This is an information disclosure vulnerability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.jenkins-ci.main/jenkins-core: Jenkins: Information disclosure via unauthorized access to build parameters",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This information disclosure vulnerability in Jenkins allows an attacker with Item/Build and Item/Configure permissions to gain knowledge about the existence and display names of jobs and builds they are not authorized to access. This affects Jenkins instances in OpenShift Developer Tools \u0026 Services.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-27100"
},
{
"category": "external",
"summary": "RHBZ#2440637",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440637"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-27100",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27100"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-27100",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27100"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3658",
"url": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3658"
}
],
"release_date": "2026-02-18T14:17:44.672000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T17:15:37+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.19 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10206"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "org.jenkins-ci.main/jenkins-core: Jenkins: Information disclosure via unauthorized access to build parameters"
},
{
"cve": "CVE-2026-33001",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2026-03-18T16:02:14.310096+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2448645"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jenkins. This vulnerability allows attackers with Item/Configure permission, or those who can control agent processes, to exploit unsafe handling of symbolic links during the extraction of .tar and .tar.gz archives. By crafting malicious archives, an attacker can write files to arbitrary locations on the filesystem. This could enable the deployment of malicious scripts or plugins on the Jenkins controller, potentially leading to unauthorized code execution.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins: Jenkins: Arbitrary file write and potential code execution through crafted archives",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-33001"
},
{
"category": "external",
"summary": "RHBZ#2448645",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448645"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-33001",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33001"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-33001",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33001"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3657",
"url": "https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3657"
}
],
"release_date": "2026-03-18T15:15:23.950000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T17:15:37+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.19 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10206"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jenkins: Jenkins: Arbitrary file write and potential code execution through crafted archives"
}
]
}
RHSA-2026:10209
Vulnerability from csaf_redhat - Published: 2026-04-23 17:20 - Updated: 2026-06-30 04:26Summary
Red Hat Security Advisory: Release of Red Hat OpenShift Developer Tools - Openshift Jenkins 4.12 security update.
Severity
Important
Notes
Topic: An update for Openshift Jenkins is now available for Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.12.
Details: Release of Red Hat OpenShift Developer Tools - Openshift Jenkins 4.12 security update.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in jose4j. A remote attacker can exploit this by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression. This can lead to a Denial of Service, making the service unavailable to legitimate users.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64 | — |
Vendor Fix
fix
|
Known not affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64 | — |
Threats
Impact
Important
A flaw was found in Jenkins. This vulnerability, identified as a stored cross-site scripting (XSS) issue, occurs because Jenkins does not properly escape the user-provided description for the "Mark temporarily offline" cause. An attacker with Agent/Configure or Agent/Disconnect permissions can exploit this to inject malicious scripts, leading to potential information disclosure or unauthorized actions within the user's browser.
4.6 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64 | — |
Vendor Fix
fix
|
Known not affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64 | — |
Threats
Impact
Moderate
A flaw was found in Jenkins. An attacker with Item/Build and Item/Configure permissions can exploit this vulnerability by submitting Run Parameter values that refer to builds they do not have authorization to access. This allows the attacker to obtain sensitive information, including the existence of jobs, the existence of builds, and the display names of specific builds. This is an information disclosure vulnerability.
4.3 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64 | — |
Vendor Fix
fix
|
Known not affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64 | — |
Threats
Impact
Moderate
A flaw was found in Jenkins. This vulnerability allows attackers with Item/Configure permission, or those who can control agent processes, to exploit unsafe handling of symbolic links during the extraction of .tar and .tar.gz archives. By crafting malicious archives, an attacker can write files to arbitrary locations on the filesystem. This could enable the deployment of malicious scripts or plugins on the Jenkins controller, potentially leading to unauthorized code execution.
8.8 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64 | — |
Vendor Fix
fix
|
Known not affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64 | — |
Threats
Impact
Important
References
29 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for Openshift Jenkins is now available for Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.12.",
"title": "Topic"
},
{
"category": "general",
"text": "Release of Red Hat OpenShift Developer Tools - Openshift Jenkins 4.12 security update.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:10209",
"url": "https://access.redhat.com/errata/RHSA-2026:10209"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2024-29371",
"url": "https://access.redhat.com/security/cve/CVE-2024-29371"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-27099",
"url": "https://access.redhat.com/security/cve/CVE-2026-27099"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-27100",
"url": "https://access.redhat.com/security/cve/CVE-2026-27100"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-33001",
"url": "https://access.redhat.com/security/cve/CVE-2026-33001"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://docs.redhat.com/en/documentation/openshift_container_platform/4.12/html/jenkins",
"url": "https://docs.redhat.com/en/documentation/openshift_container_platform/4.12/html/jenkins"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_10209.json"
}
],
"title": "Red Hat Security Advisory: Release of Red Hat OpenShift Developer Tools - Openshift Jenkins 4.12 security update.",
"tracking": {
"current_release_date": "2026-06-30T04:26:40+00:00",
"generator": {
"date": "2026-06-30T04:26:40+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.3.0"
}
},
"id": "RHSA-2026:10209",
"initial_release_date": "2026-04-23T17:20:35+00:00",
"revision_history": [
{
"date": "2026-04-23T17:20:35+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-04-23T17:20:47+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-06-30T04:26:40+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "OpenShift Developer Tools and Services 4.12",
"product": {
"name": "OpenShift Developer Tools and Services 4.12",
"product_id": "OpenShift Developer Tools and Services 4.12",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:ocp_tools:4.12::el8"
}
}
}
],
"category": "product_family",
"name": "OpenShift Developer Tools and Services"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel8@sha256%3Aad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872?arch=amd64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776760341"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-rhel8@sha256%3A8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7?arch=amd64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776764096"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel8@sha256%3A3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230?arch=arm64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776760341"
}
}
}
],
"category": "architecture",
"name": "arm64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel8@sha256%3A7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056?arch=ppc64le\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776760341"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel8@sha256%3A3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39?arch=s390x\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776760341"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64 as a component of OpenShift Developer Tools and Services 4.12",
"product_id": "OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x as a component of OpenShift Developer Tools and Services 4.12",
"product_id": "OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le as a component of OpenShift Developer Tools and Services 4.12",
"product_id": "OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64 as a component of OpenShift Developer Tools and Services 4.12",
"product_id": "OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64 as a component of OpenShift Developer Tools and Services 4.12",
"product_id": "OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.12"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-29371",
"cwe": {
"id": "CWE-409",
"name": "Improper Handling of Highly Compressed Data (Data Amplification)"
},
"discovery_date": "2025-12-17T16:01:18.173727+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2423194"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in jose4j. A remote attacker can exploit this by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression. This can lead to a Denial of Service, making the service unavailable to legitimate users.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jose4j: jose4j: Denial of Service via malicious JSON Web Encryption (JWE) token compression",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated Important as it can lead to a Denial of Service in applications that process untrusted JSON Web Encryption tokens. An attacker can craft a malicious JWE token with an exceptionally high compression ratio, causing excessive memory allocation and processing time during decompression in affected components like jose4j. This affects products such as Red Hat AMQ, Enterprise Application Platform (EAP 8.0.z, 8.1.z), Red Hat JBoss Fuse, JBoss Data Grid, OpenShift Developer Tools \u0026 Services, Red Hat build of Apache Camel, Red Hat Integration, Red Hat OpenShift Dev Spaces, Red Hat Process Automation Manager, Red Hat Single Sign-On (RH-SSO), Insights, cloud.redhat.com, and OpenShift Serverless.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-29371"
},
{
"category": "external",
"summary": "RHBZ#2423194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2423194"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-29371",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-29371"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-29371",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29371"
},
{
"category": "external",
"summary": "https://bitbucket.org/b_c/jose4j/issues/220/vuln-zip-bomb-attack",
"url": "https://bitbucket.org/b_c/jose4j/issues/220/vuln-zip-bomb-attack"
}
],
"release_date": "2025-12-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T17:20:35+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.12 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10209"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jose4j: jose4j: Denial of Service via malicious JSON Web Encryption (JWE) token compression"
},
{
"cve": "CVE-2026-27099",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2026-02-18T15:02:52.012661+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2440638"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jenkins. This vulnerability, identified as a stored cross-site scripting (XSS) issue, occurs because Jenkins does not properly escape the user-provided description for the \"Mark temporarily offline\" cause. An attacker with Agent/Configure or Agent/Disconnect permissions can exploit this to inject malicious scripts, leading to potential information disclosure or unauthorized actions within the user\u0027s browser.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.jenkins-ci.main/jenkins-core: Jenkins: Stored Cross-site Scripting (XSS) via unescaped user-provided offline cause description",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability in Jenkins allows authenticated attackers with Agent/Configure or Agent/Disconnect permissions to inject malicious scripts into the \"Mark temporarily offline\" cause description. This stored cross-site scripting (XSS) flaw can lead to information disclosure or unauthorized actions within a user\u0027s browser when viewing the affected description. Red Hat OpenShift Developer Tools \u0026 Services are affected.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-27099"
},
{
"category": "external",
"summary": "RHBZ#2440638",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440638"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-27099",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27099"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-27099",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27099"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3669",
"url": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3669"
}
],
"release_date": "2026-02-18T14:17:43.911000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T17:20:35+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.12 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10209"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "org.jenkins-ci.main/jenkins-core: Jenkins: Stored Cross-site Scripting (XSS) via unescaped user-provided offline cause description"
},
{
"cve": "CVE-2026-27100",
"cwe": {
"id": "CWE-551",
"name": "Incorrect Behavior Order: Authorization Before Parsing and Canonicalization"
},
"discovery_date": "2026-02-18T15:02:47.032150+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2440637"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jenkins. An attacker with Item/Build and Item/Configure permissions can exploit this vulnerability by submitting Run Parameter values that refer to builds they do not have authorization to access. This allows the attacker to obtain sensitive information, including the existence of jobs, the existence of builds, and the display names of specific builds. This is an information disclosure vulnerability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.jenkins-ci.main/jenkins-core: Jenkins: Information disclosure via unauthorized access to build parameters",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This information disclosure vulnerability in Jenkins allows an attacker with Item/Build and Item/Configure permissions to gain knowledge about the existence and display names of jobs and builds they are not authorized to access. This affects Jenkins instances in OpenShift Developer Tools \u0026 Services.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-27100"
},
{
"category": "external",
"summary": "RHBZ#2440637",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440637"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-27100",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27100"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-27100",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27100"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3658",
"url": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3658"
}
],
"release_date": "2026-02-18T14:17:44.672000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T17:20:35+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.12 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10209"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "org.jenkins-ci.main/jenkins-core: Jenkins: Information disclosure via unauthorized access to build parameters"
},
{
"cve": "CVE-2026-33001",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2026-03-18T16:02:14.310096+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2448645"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jenkins. This vulnerability allows attackers with Item/Configure permission, or those who can control agent processes, to exploit unsafe handling of symbolic links during the extraction of .tar and .tar.gz archives. By crafting malicious archives, an attacker can write files to arbitrary locations on the filesystem. This could enable the deployment of malicious scripts or plugins on the Jenkins controller, potentially leading to unauthorized code execution.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins: Jenkins: Arbitrary file write and potential code execution through crafted archives",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-33001"
},
{
"category": "external",
"summary": "RHBZ#2448645",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448645"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-33001",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33001"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-33001",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33001"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3657",
"url": "https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3657"
}
],
"release_date": "2026-03-18T15:15:23.950000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T17:20:35+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.12 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10209"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jenkins: Jenkins: Arbitrary file write and potential code execution through crafted archives"
}
]
}
RHSA-2026:10211
Vulnerability from csaf_redhat - Published: 2026-04-23 17:21 - Updated: 2026-06-30 04:26Summary
Red Hat Security Advisory: Release of Red Hat OpenShift Developer Tools - Openshift Jenkins 4.14 security update.
Severity
Important
Notes
Topic: An update for Openshift Jenkins is now available for Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.14.
Details: Release of Red Hat OpenShift Developer Tools - Openshift Jenkins 4.14 security update.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in jose4j. A remote attacker can exploit this by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression. This can lead to a Denial of Service, making the service unavailable to legitimate users.
7.5 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x | — |
Vendor Fix
fix
|
Known not affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64 | — |
Threats
Impact
Important
A flaw was found in Jenkins. This vulnerability, identified as a stored cross-site scripting (XSS) issue, occurs because Jenkins does not properly escape the user-provided description for the "Mark temporarily offline" cause. An attacker with Agent/Configure or Agent/Disconnect permissions can exploit this to inject malicious scripts, leading to potential information disclosure or unauthorized actions within the user's browser.
4.6 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x | — |
Vendor Fix
fix
|
Known not affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64 | — |
Threats
Impact
Moderate
A flaw was found in Jenkins. An attacker with Item/Build and Item/Configure permissions can exploit this vulnerability by submitting Run Parameter values that refer to builds they do not have authorization to access. This allows the attacker to obtain sensitive information, including the existence of jobs, the existence of builds, and the display names of specific builds. This is an information disclosure vulnerability.
4.3 (Medium)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x | — |
Vendor Fix
fix
|
Known not affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64 | — |
Threats
Impact
Moderate
A flaw was found in Jenkins. This vulnerability allows attackers with Item/Configure permission, or those who can control agent processes, to exploit unsafe handling of symbolic links during the extraction of .tar and .tar.gz archives. By crafting malicious archives, an attacker can write files to arbitrary locations on the filesystem. This could enable the deployment of malicious scripts or plugins on the Jenkins controller, potentially leading to unauthorized code execution.
8.8 (High)
Affected products
Fixed
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x | — |
Vendor Fix
fix
|
Known not affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64 | — |
Threats
Impact
Important
References
29 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for Openshift Jenkins is now available for Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.14.",
"title": "Topic"
},
{
"category": "general",
"text": "Release of Red Hat OpenShift Developer Tools - Openshift Jenkins 4.14 security update.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:10211",
"url": "https://access.redhat.com/errata/RHSA-2026:10211"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2024-29371",
"url": "https://access.redhat.com/security/cve/CVE-2024-29371"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-27099",
"url": "https://access.redhat.com/security/cve/CVE-2026-27099"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-27100",
"url": "https://access.redhat.com/security/cve/CVE-2026-27100"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-33001",
"url": "https://access.redhat.com/security/cve/CVE-2026-33001"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://docs.redhat.com/en/documentation/openshift_container_platform/4.14/html/jenkins",
"url": "https://docs.redhat.com/en/documentation/openshift_container_platform/4.14/html/jenkins"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_10211.json"
}
],
"title": "Red Hat Security Advisory: Release of Red Hat OpenShift Developer Tools - Openshift Jenkins 4.14 security update.",
"tracking": {
"current_release_date": "2026-06-30T04:26:40+00:00",
"generator": {
"date": "2026-06-30T04:26:40+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.3.0"
}
},
"id": "RHSA-2026:10211",
"initial_release_date": "2026-04-23T17:21:09+00:00",
"revision_history": [
{
"date": "2026-04-23T17:21:09+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-04-23T17:21:16+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-06-30T04:26:40+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "OpenShift Developer Tools and Services 4.14",
"product": {
"name": "OpenShift Developer Tools and Services 4.14",
"product_id": "OpenShift Developer Tools and Services 4.14",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:ocp_tools:4.14::el8"
}
}
}
],
"category": "product_family",
"name": "OpenShift Developer Tools and Services"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel8@sha256%3Aad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872?arch=amd64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776760341"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-rhel8@sha256%3A5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d?arch=amd64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776762347"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel8@sha256%3A3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230?arch=arm64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776760341"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-rhel8@sha256%3Aec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae?arch=arm64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776762347"
}
}
}
],
"category": "architecture",
"name": "arm64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel8@sha256%3A7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056?arch=ppc64le\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776760341"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-rhel8@sha256%3A02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c?arch=ppc64le\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776762347"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel8@sha256%3A3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39?arch=s390x\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776760341"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-rhel8@sha256%3Afa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8?arch=s390x\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776762347"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64 as a component of OpenShift Developer Tools and Services 4.14",
"product_id": "OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.14"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x as a component of OpenShift Developer Tools and Services 4.14",
"product_id": "OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.14"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le as a component of OpenShift Developer Tools and Services 4.14",
"product_id": "OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.14"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64 as a component of OpenShift Developer Tools and Services 4.14",
"product_id": "OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.14"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le as a component of OpenShift Developer Tools and Services 4.14",
"product_id": "OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.14"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64 as a component of OpenShift Developer Tools and Services 4.14",
"product_id": "OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.14"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64 as a component of OpenShift Developer Tools and Services 4.14",
"product_id": "OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.14"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x as a component of OpenShift Developer Tools and Services 4.14",
"product_id": "OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.14"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-29371",
"cwe": {
"id": "CWE-409",
"name": "Improper Handling of Highly Compressed Data (Data Amplification)"
},
"discovery_date": "2025-12-17T16:01:18.173727+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2423194"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in jose4j. A remote attacker can exploit this by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression. This can lead to a Denial of Service, making the service unavailable to legitimate users.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jose4j: jose4j: Denial of Service via malicious JSON Web Encryption (JWE) token compression",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated Important as it can lead to a Denial of Service in applications that process untrusted JSON Web Encryption tokens. An attacker can craft a malicious JWE token with an exceptionally high compression ratio, causing excessive memory allocation and processing time during decompression in affected components like jose4j. This affects products such as Red Hat AMQ, Enterprise Application Platform (EAP 8.0.z, 8.1.z), Red Hat JBoss Fuse, JBoss Data Grid, OpenShift Developer Tools \u0026 Services, Red Hat build of Apache Camel, Red Hat Integration, Red Hat OpenShift Dev Spaces, Red Hat Process Automation Manager, Red Hat Single Sign-On (RH-SSO), Insights, cloud.redhat.com, and OpenShift Serverless.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-29371"
},
{
"category": "external",
"summary": "RHBZ#2423194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2423194"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-29371",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-29371"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-29371",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29371"
},
{
"category": "external",
"summary": "https://bitbucket.org/b_c/jose4j/issues/220/vuln-zip-bomb-attack",
"url": "https://bitbucket.org/b_c/jose4j/issues/220/vuln-zip-bomb-attack"
}
],
"release_date": "2025-12-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T17:21:09+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.14 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10211"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jose4j: jose4j: Denial of Service via malicious JSON Web Encryption (JWE) token compression"
},
{
"cve": "CVE-2026-27099",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2026-02-18T15:02:52.012661+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2440638"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jenkins. This vulnerability, identified as a stored cross-site scripting (XSS) issue, occurs because Jenkins does not properly escape the user-provided description for the \"Mark temporarily offline\" cause. An attacker with Agent/Configure or Agent/Disconnect permissions can exploit this to inject malicious scripts, leading to potential information disclosure or unauthorized actions within the user\u0027s browser.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.jenkins-ci.main/jenkins-core: Jenkins: Stored Cross-site Scripting (XSS) via unescaped user-provided offline cause description",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability in Jenkins allows authenticated attackers with Agent/Configure or Agent/Disconnect permissions to inject malicious scripts into the \"Mark temporarily offline\" cause description. This stored cross-site scripting (XSS) flaw can lead to information disclosure or unauthorized actions within a user\u0027s browser when viewing the affected description. Red Hat OpenShift Developer Tools \u0026 Services are affected.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-27099"
},
{
"category": "external",
"summary": "RHBZ#2440638",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440638"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-27099",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27099"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-27099",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27099"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3669",
"url": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3669"
}
],
"release_date": "2026-02-18T14:17:43.911000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T17:21:09+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.14 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10211"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "org.jenkins-ci.main/jenkins-core: Jenkins: Stored Cross-site Scripting (XSS) via unescaped user-provided offline cause description"
},
{
"cve": "CVE-2026-27100",
"cwe": {
"id": "CWE-551",
"name": "Incorrect Behavior Order: Authorization Before Parsing and Canonicalization"
},
"discovery_date": "2026-02-18T15:02:47.032150+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2440637"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jenkins. An attacker with Item/Build and Item/Configure permissions can exploit this vulnerability by submitting Run Parameter values that refer to builds they do not have authorization to access. This allows the attacker to obtain sensitive information, including the existence of jobs, the existence of builds, and the display names of specific builds. This is an information disclosure vulnerability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.jenkins-ci.main/jenkins-core: Jenkins: Information disclosure via unauthorized access to build parameters",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This information disclosure vulnerability in Jenkins allows an attacker with Item/Build and Item/Configure permissions to gain knowledge about the existence and display names of jobs and builds they are not authorized to access. This affects Jenkins instances in OpenShift Developer Tools \u0026 Services.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-27100"
},
{
"category": "external",
"summary": "RHBZ#2440637",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440637"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-27100",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27100"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-27100",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27100"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3658",
"url": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3658"
}
],
"release_date": "2026-02-18T14:17:44.672000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T17:21:09+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.14 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10211"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "org.jenkins-ci.main/jenkins-core: Jenkins: Information disclosure via unauthorized access to build parameters"
},
{
"cve": "CVE-2026-33001",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2026-03-18T16:02:14.310096+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2448645"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jenkins. This vulnerability allows attackers with Item/Configure permission, or those who can control agent processes, to exploit unsafe handling of symbolic links during the extraction of .tar and .tar.gz archives. By crafting malicious archives, an attacker can write files to arbitrary locations on the filesystem. This could enable the deployment of malicious scripts or plugins on the Jenkins controller, potentially leading to unauthorized code execution.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins: Jenkins: Arbitrary file write and potential code execution through crafted archives",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-33001"
},
{
"category": "external",
"summary": "RHBZ#2448645",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448645"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-33001",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33001"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-33001",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33001"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3657",
"url": "https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3657"
}
],
"release_date": "2026-03-18T15:15:23.950000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T17:21:09+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.14 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10211"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jenkins: Jenkins: Arbitrary file write and potential code execution through crafted archives"
}
]
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…