Message-ID: <CAKG2iZg1KbFqEC3ZiiZqPNnDKUA0RQZQ-mmD0EY4xGO=_6_-iw@mail.gmail.com>
Date: Wed, 24 Jun 2026 14:38:55 +0200
From: Kevin Guerroudj <kguerroudj@...udbees.com>
To: oss-security@...ts.openwall.com
Subject: Multiple vulnerabilities in Jenkins plugins

Jenkins is an open source automation server which enables developers around the world to reliably build, test, and deploy their software.

The following releases contain fixes for security vulnerabilities:

* Active Directory Plugin 2.41.2
* Bitbucket Push and Pull Request Plugin 3.3.9
* Contrast Continuous Application Security Plugin 3.12
* EC2 Fleet Plugin 4.2.3.540.va_6eedb_7b_c112
* External Workspace Manager Plugin 1.4.0
* Git client Plugin 6.6.1
* Git Parameter Plugin 462.463.v496a_59f698e5
* Gitee Plugin 1292.v2559f2f3f2c0
* GitHub Branch Source Plugin 1967.1970.vd86979736546
* Job Configuration History Plugin 1367.vc8fa_b_15101dc
* MCP Server Plugin 0.178.vffe5a_e770f3b_
* Pipeline: Groovy Plugin 4331.4333.v50a_b_076c5199
* Priority Sorter Plugin 936.937.v5581d0b_2ccb_a_
* Script Security Plugin 1402.1405.vc96e74964250

Additionally, we announce unresolved security issues in the following plugins:

* Assembla Plugin
* FitNesse Plugin
* OWASP ZAP Plugin
* Zowe zDevOps Plugin

Summaries of the vulnerabilities are below. More details, severity, and attribution can be found here:
https://www.jenkins.io/security/advisory/2026-06-24/

We provide advance notification for security updates on this mailing list:
https://groups.google.com/d/forum/jenkinsci-advisories

If you discover security vulnerabilities in Jenkins, please report them as described here:
https://www.jenkins.io/security/#reporting-vulnerabilities

---

SECURITY-3792 / CVE-2026-57280

Script Security Plugin provides a sandbox feature that allows running user-provided scripts safely by intercepting and checking potentially unsafe operations.
Script Security Plugin 1402.v94c9ce464861 and earlier does not intercept the implicit type cast applied to each element of the iterated collection in a typed `for` loop (e.g. `for (Type t in collection)`), as this cast is performed during bytecode generation rather than in the transformed script AST.

This allows attackers able to provide sandboxed scripts to invoke constructors of arbitrary types without those invocations being checked by the sandbox, bypassing the sandbox protection. This can be used to execute arbitrary code on the Jenkins controller.

SECURITY-3793 / CVE-2026-57281

Script Security Plugin 1402.v94c9ce464861 and earlier does not reject Groovy AST transformation annotations such as `@...pileStatic` and `@...eChecked` that carry an `extensions` member, which causes Groovy to load and execute a script from the classpath at compile time, before the sandbox is applied.

This may allow attackers able to define and run sandboxed scripts to execute code outside the sandbox, in the rare case that a suitable Groovy script is present on the classpath of the component that evaluates the script.

NOTE: The Jenkins security team has been unable to identify any Groovy source files in Jenkins core or plugins that would allow attackers to execute dangerous code. While the severity of this issue is declared as High due to the potential impact, successful exploitation is considered very unlikely.

SECURITY-3723 / CVE-2026-57282

Git client Plugin 6.6.0 and earlier does not correctly escape the workspace directory name when it is embedded into the SSH wrapper script generated by the "Manually provided keys" Git Host Key Verification strategy on Unix agents.

This allows attackers able to control the name of a build's working directory (e.g. through a build parameter that determines the workspace directory) to inject shell command substitution and execute arbitrary commands on the agent.
NOTE: This vulnerability only has an impact when attackers can control working directories (e.g., the argument to the `dir(…)` Pipeline step) while not being able to control the Pipeline itself or the programs or build scripts it executes.

NOTE: This vulnerability has been reported through the Jenkins Bug Bounty Program sponsored by the European Commission.

SECURITY-3677 / CVE-2026-57283 (CSRF) & CVE-2026-57284 (unrestricted instantiation of types)

Pipeline: Groovy Plugin 4331.v9d06ed4658ff and earlier does not restrict the types that can be instantiated through the Pipeline Snippet Generator, instantiating any type with a constructor annotated with `@...aBoundConstructor` in response to a request.

This allows attackers to have Pipeline: Groovy Plugin instantiate types related to job or system configuration other than Pipeline steps.

Additionally, this HTTP endpoint can be accessed using the GET method and does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability. This allows attackers to create a script approval request attributed to another user, impersonating a trusted user when social engineering an administrator into approving a malicious script.

NOTE: This vulnerability has been reported through the Jenkins Bug Bounty Program sponsored by the European Commission.

SECURITY-3808 / CVE-2026-57285

GitHub Branch Source Plugin 1967.1969.v205fd594c821 and earlier does not perform a permission check in an HTTP endpoint that lists the GitHub API endpoints configured in the global plugin configuration.

This allows attackers with Overall/Read permission to obtain the URLs of GitHub Enterprise servers configured by administrators.

NOTE: This vulnerability has been reported through the Jenkins Bug Bounty Program sponsored by the European Commission.
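The quoting defect in SECURITY-3723 above is an instance of embedding a caller-controlled directory name into generated shell. The following is an added example, not Git client Plugin code; the class, the wrapper layout and the `id_ed25519` file name are hypothetical. It shows the unsafe interpolation next to a single-quoted version, which is the standard way to make sh treat a string literally.

```java
public final class SshWrapper {
    private SshWrapper() {}

    // Vulnerable shape: the directory name is pasted verbatim into the script,
    // so a name containing $(...) or backticks is evaluated when sh runs it.
    static String unsafeScript(String workspace, String keyFile) {
        return "#!/bin/sh\n"
             + "exec ssh -i " + workspace + "/" + keyFile + " \"$@\"\n";
    }

    // sh single quotes take every character literally except the quote itself,
    // which is written by closing the string, emitting \' and reopening it.
    static String shellQuote(String s) {
        return "'" + s.replace("'", "'\\''") + "'";
    }

    static String safeScript(String workspace, String keyFile) {
        return "#!/bin/sh\n"
             + "exec ssh -i " + shellQuote(workspace + "/" + keyFile) + " \"$@\"\n";
    }

    public static void main(String[] args) {
        String ws = "/home/jenkins/workspace/job$(hostname)";  // constructed directory name
        System.out.print(unsafeScript(ws, "id_ed25519"));  // $(hostname) is run by sh
        System.out.print(safeScript(ws, "id_ed25519"));    // '...job$(hostname)/id_ed25519' stays literal
    }
}
```

Quoting is the minimal fix; avoiding interpolation altogether, for example by having the launcher export the key path in an environment variable that a fixed wrapper reads, removes the problem class entirely.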
SECURITY-3745 / CVE-2026-57286

Git Parameter Plugin 462.vdcf3df2ed2ca_ and earlier does not perform a permission check in an HTTP endpoint that populates the list of values for Git parameters by querying the SCM configured on a job, using the SCM credentials configured in Jenkins.

This allows attackers with Item/Read permission to obtain information about the SCM repository used by a job they would otherwise be unable to access, such as branch names, tag names, and revision metadata.

SECURITY-3742 / CVE-2026-57287

Job Configuration History Plugin 1356.ve360da_6c523a_ and earlier does not redact the encrypted values of secrets when displaying historical job and agent configurations through its "View as XML" / "(RAW)" feature and its configuration diff views.

This allows attackers with Item/Extended Read permission (but not Item/Configure permission) to view the encrypted values of secrets, such as build trigger tokens, that Jenkins would otherwise redact from the configuration shown to them.

SECURITY-3651 / CVE-2026-57288

In Active Directory Plugin 2.41.1 and earlier, the Windows native (ADSI) authentication path does not escape the user name before building the LDAP search filter.

This allows unauthenticated attackers to inject LDAP wildcard characters into the user name, enabling them to enumerate directory user and group names, and to authenticate as a matching user when they know that user's password but not their exact user name.

SECURITY-3759 / CVE-2026-57300

MCP Server Plugin 0.177.v629fdb_2557fe and earlier does not perform a permission check in the `getReplayScripts` MCP tool that returns the replay script of a Pipeline build.

This allows attackers with Item/Read permission to obtain the Pipeline script of jobs.

SECURITY-3856 / CVE-2026-57289

Bitbucket Push and Pull Request Plugin 3.3.8 and earlier unconditionally disables SSL/TLS certificate and hostname validation for the connections it makes to Bitbucket Server using Bearer token authentication.
Because the Bearer token is transmitted in these requests, this allows attackers able to intercept network traffic to capture the token and impersonate the Jenkins controller to Bitbucket Server.

SECURITY-3769 / CVE-2026-57290

Priority Sorter Plugin 936.v2c01c6b_84449 and earlier does not require POST requests in an HTTP endpoint that saves the global job priority configuration.

This allows attackers to overwrite the global job priority configuration.

SECURITY-3762 (1) / CVE-2026-57291 (missing permission check) & CVE-2026-57292 (CSRF)

Gitee Plugin 1288.v18b_deb_c9069b_ and earlier does not perform permission checks in several HTTP endpoints implementing form validation for its global configuration.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, these HTTP endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

SECURITY-3762 (2) / CVE-2026-57293

Gitee Plugin 1288.v18b_deb_c9069b_ and earlier does not correctly perform a permission check in an HTTP endpoint.

This allows attackers with global Item/Configure permission (while lacking Item/Configure permission on any particular job) to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

SECURITY-3774 / CVE-2026-57294 (missing permission check) & CVE-2026-57295 (CSRF)

EC2 Fleet Plugin 4.2.3.539.v8fedff2a_81c3 and earlier does not perform permission checks in several HTTP endpoints used to validate cloud configurations.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing AWS credentials stored in Jenkins.
Additionally, these HTTP endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

SECURITY-3777 / CVE-2026-57296

External Workspace Manager Plugin 1.3.2 and earlier does not reject `..` path segments when validating the custom workspace path provided to the `exwsAllocate` Pipeline step, allowing the resulting workspace path to escape the configured disk mount point.

This allows attackers with Item/Configure permission to read arbitrary files on the Jenkins controller file system, which can lead to remote code execution.

SECURITY-3697 (1) / CVE-2026-57297 (missing permission check) & CVE-2026-57298 (CSRF)

Contrast Continuous Application Security Plugin 3.11 and earlier does not perform a permission check in an HTTP endpoint that tests the connection to a Contrast TeamServer.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL using an attacker-specified username, API key, and service key.

Additionally, this HTTP endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

SECURITY-3697 (2) / CVE-2026-57299

Contrast Continuous Application Security Plugin 3.11 and earlier does not perform permission checks in several HTTP endpoints that fill list box options with the names of the configured Contrast metadata.

This allows attackers with Overall/Read permission to enumerate the names of configured Contrast metadata.

SECURITY-3649 / CVE-2026-57301

OWASP ZAP Plugin 1.0.7 and earlier does not support distributed builds, causing the file operations and build process of its "Automatically build ZAP" feature to be performed on the Jenkins controller rather than on the agent the build is assigned to.

This allows attackers with Item/Configure permission to configure the feature to build an attacker-controlled project, executing arbitrary code on the Jenkins controller and bypassing any restriction confining the build to a specific agent.
As of publication of this advisory, there is no fix.

SECURITY-3555 / CVE-2026-57302

FitNesse Plugin 1.36 and earlier stores passwords unencrypted in job `config.xml` files on the Jenkins controller as part of its configuration.

These passwords can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

SECURITY-3692 (1) / CVE-2026-57303

Assembla Plugin 1.4 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks when parsing responses from the configured Assembla server.

This allows attackers able to control the responses of the configured Assembla server to extract secrets from the Jenkins controller or perform server-side request forgery.

As of publication of this advisory, there is no fix.

SECURITY-3692 (2) / CVE-2026-57304 (missing permission check) & CVE-2026-57305 (CSRF)

Assembla Plugin 1.4 and earlier does not perform a permission check in an HTTP endpoint that tests the connection to an Assembla server.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL using an attacker-specified username and password.

Additionally, this HTTP endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

NOTE: This does not allow exploiting the XML external entity (XXE) vulnerability described in the previous advisory entry.

As of publication of this advisory, there is no fix.

SECURITY-3747 / CVE-2026-57306 (CSRF) & CVE-2026-57307 (missing permission check)

Zowe zDevOps Plugin 1.1.3.50.ve350c9b_450b_1 and earlier does not perform a permission check in an HTTP endpoint implementing a connection test.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
Additionally, this HTTP endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.
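The missing permission check and CSRF entries above (SECURITY-3762, SECURITY-3774, SECURITY-3697 (1), SECURITY-3692 (2), SECURITY-3747) and the GET-accessible endpoint in SECURITY-3769 come down to two safeguards Jenkins expects in form-validation and list-box endpoints: a permission check inside the method and a POST requirement. The following is an added example, not code from any plugin named in this advisory; `ExampleConfig` and its two methods are hypothetical, and it assumes the Credentials Plugin API for the drop-down.

```java
package example;
import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardCredentials;
import com.cloudbees.plugins.credentials.common.StandardListBoxModel;
import hudson.Extension;
import hudson.model.Item;
import hudson.security.ACL;
import hudson.util.FormValidation;
import hudson.util.ListBoxModel;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

// Hypothetical plugin configuration with the two endpoint kinds the advisory
// reports as unprotected: a connection test and a credentials drop-down.
@Extension
public class ExampleConfig extends GlobalConfiguration {
    @POST  // rejects GET; Jenkins enforces its CSRF crumb only on POST
    public FormValidation doTestConnection(@AncestorInPath Item item,
                                           @QueryParameter String serverUrl,
                                           @QueryParameter String credentialsId) {
        // The check the vulnerable endpoints lack; a failure becomes HTTP 403.
        if (item == null) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER); // global config page
        } else {
            item.checkPermission(Item.CONFIGURE);              // job config page
        }
        // Only now may credentialsId be resolved and serverUrl contacted (omitted).
        return FormValidation.ok();
    }

    // Without the gate this lists every credentials ID, which is the
    // "obtained through another method" step in the entries above.
    public ListBoxModel doFillCredentialsIdItems(@AncestorInPath Item item,
                                                 @QueryParameter String credentialsId) {
        StandardListBoxModel result = new StandardListBoxModel();
        boolean allowed = item == null
                ? Jenkins.get().hasPermission(Jenkins.ADMINISTER)
                : item.hasPermission(Item.EXTENDED_READ)
                        || item.hasPermission(CredentialsProvider.USE_ITEM);
        if (!allowed) {
            return result.includeCurrentValue(credentialsId); // keep the saved value, list nothing else
        }
        return result.includeEmptyValue()
                .includeMatchingAs(ACL.SYSTEM2, item, StandardCredentials.class,
                        java.util.Collections.emptyList(), CredentialsMatchers.always())
                .includeCurrentValue(credentialsId);
    }
}
```

Jenkins documents this pattern for plugin developers at https://www.jenkins.io/doc/developer/security/form-validation/ .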
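SECURITY-3777 above is fixed by rejecting `..` segments in the custom workspace path. The following is an added example, not External Workspace Manager Plugin code; `resolveUnderMount` and the mount point are hypothetical. It shows that check together with a second one that also catches an absolute input, which would otherwise replace the mount point on `resolve`.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

public final class WorkspacePaths {
    private WorkspacePaths() {}

    // Resolves a user-supplied custom path beneath mountPoint, or throws.
    static Path resolveUnderMount(Path mountPoint, String customPath) {
        Path base = mountPoint.toAbsolutePath().normalize();
        Path requested = Paths.get(customPath);
        // The rejection the advisory describes: no ".." segment at all.
        for (Path segment : requested) {
            if (segment.toString().equals("..")) {
                throw new IllegalArgumentException("'..' not allowed: " + customPath);
            }
        }
        // Defence in depth: base.resolve(absolute) discards base, so an input such
        // as "/etc/passwd" passes the loop above. Path.startsWith compares whole
        // components, so "/mnt/disk10" is not accepted for a base of "/mnt/disk1".
        Path resolved = base.resolve(requested).normalize();
        if (!resolved.startsWith(base)) {
            throw new IllegalArgumentException("escapes mount point: " + customPath);
        }
        return resolved;  // symlinks inside base are not examined here (toRealPath would)
    }

    public static void main(String[] args) {
        Path mount = Paths.get("/mnt/ews/disk1");  // constructed mount point
        System.out.println(resolveUnderMount(mount, "team-a/build-42"));
        for (String bad : new String[] {"../../../etc", "/etc/passwd", "a/../../b"}) {
            try {
                resolveUnderMount(mount, bad);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```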