CVE-2026-33001

High CVSS: 8.8

Jenkins 2.554 and earlier, LTS 2.541.2 and earlier does not safely handle symbolic links during the extraction of .tar and .tar.gz archives, allowing crafted archives to write files to arbitrary locations on the filesystem, restricted only by file system access permissions of the user running Jenkins.
This can be exploited to deploy malicious scripts or plugins on the controller by attackers with Item/Configure permission, or able to control agent processes.

Vendor

Jenkins

Product

Jenkins

CWE

CWE-59

Yayın Tarihi

2026-03-18 16:16:28

Güncelleme

2026-03-20 18:08:15

Source Identifier

jenkinsci-cert@googlegroups.com

KEV Date Added

Kategoriler

CWE-59 Jenkins HIGH Jenkins 2026

Referanslar

https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3657

Benzer Kayıtlar

High

CVE-2026-33002

Jenkins 2.442 through 2.554 (both inclusive), LTS 2.426.3 through LTS 2.541.2 (both inclusive) performs origin validatio…

Medium

CVE-2026-33003

Jenkins LoadNinja Plugin 2.1 and earlier stores LoadNinja API keys unencrypted in job config.xml files on the Jenkins co…

Medium

CVE-2026-33004

Jenkins LoadNinja Plugin 2.1 and earlier does not mask LoadNinja API keys displayed on the job configuration form, incre…

High

CVE-2026-27099

Jenkins 2.483 through 2.550 (both inclusive), LTS 2.492.1 through 2.541.1 (both inclusive) does not escape the user-prov…

Medium

CVE-2026-27100

Jenkins 2.550 and earlier, LTS 2.541.1 and earlier accepts Run Parameter values that refer to builds the user submitting…

Medium

CVE-2025-67636

A missing permission check in Jenkins 2.540 and earlier, LTS 2.528.2 and earlier allows attackers with View/Read permiss…