Nixpkgs security tracker

Login with GitHub

Suggestion detail

Untriaged

Permalink CVE-2026-33001

created 2 months ago Activity log

Created suggestion 2 months ago

Jenkins 2.554 and earlier, LTS 2.541.2 and earlier does not …

Jenkins 2.554 and earlier, LTS 2.541.2 and earlier does not safely handle symbolic links during the extraction of .tar and .tar.gz archives, allowing crafted archives to write files to arbitrary locations on the filesystem, restricted only by file system access permissions of the user running Jenkins. This can be exploited to deploy malicious scripts or plugins on the controller by attackers with Item/Configure permission, or able to control agent processes.

References

Jenkins Security Advisory 2026-03-18 vendor-advisory

Affected products

Jenkins

<2.541.*
*

Matching in nixpkgs

pkgs.jenkins

Extendable open source continuous integration server

nixos-unstable 2.541.2
- nixpkgs-unstable 2.541.2
- nixos-unstable-small 2.541.2
nixos-25.11 2.541.2
- nixos-25.11-small 2.541.2
- nixpkgs-25.11-darwin 2.541.2

pkgs.jenkins-job-builder

Jenkins Job Builder is a system for configuring Jenkins jobs using simple YAML files stored in Git

nixos-unstable 6.4.4
- nixpkgs-unstable 6.4.4
- nixos-unstable-small 6.4.4
nixos-25.11 6.4.2
- nixos-25.11-small 6.4.2
- nixpkgs-25.11-darwin 6.4.2

pkgs.python312Packages.jenkinsapi

Python API for accessing resources on a Jenkins continuous-integration server

nixos-25.11 0.3.15
- nixos-25.11-small 0.3.15
- nixpkgs-25.11-darwin 0.3.15

pkgs.python313Packages.jenkinsapi

Python API for accessing resources on a Jenkins continuous-integration server

nixos-unstable 0.3.17
- nixpkgs-unstable 0.3.17
- nixos-unstable-small 0.3.17
nixos-25.11 0.3.15
- nixos-25.11-small 0.3.15
- nixpkgs-25.11-darwin 0.3.15

pkgs.python314Packages.jenkinsapi

Python API for accessing resources on a Jenkins continuous-integration server

nixos-unstable 0.3.17
- nixpkgs-unstable 0.3.17
- nixos-unstable-small 0.3.17

pkgs.python312Packages.python-jenkins

Python bindings for the remote Jenkins API

nixos-25.11 1.8.3
- nixos-25.11-small 1.8.3
- nixpkgs-25.11-darwin 1.8.3

pkgs.python313Packages.python-jenkins

Python bindings for the remote Jenkins API

nixos-unstable 1.8.3
- nixpkgs-unstable 1.8.3
- nixos-unstable-small 1.8.3
nixos-25.11 1.8.3
- nixos-25.11-small 1.8.3
- nixpkgs-25.11-darwin 1.8.3

pkgs.python314Packages.python-jenkins

Python bindings for the remote Jenkins API

nixos-unstable 1.8.3
- nixpkgs-unstable 1.8.3
- nixos-unstable-small 1.8.3

pkgs.python312Packages.jenkins-job-builder

Jenkins Job Builder is a system for configuring Jenkins jobs using simple YAML files stored in Git

nixos-25.11 6.4.2
- nixos-25.11-small 6.4.2
- nixpkgs-25.11-darwin 6.4.2

pkgs.python313Packages.jenkins-job-builder

Jenkins Job Builder is a system for configuring Jenkins jobs using simple YAML files stored in Git

nixos-unstable 6.4.4
- nixpkgs-unstable 6.4.4
- nixos-unstable-small 6.4.4
nixos-25.11 6.4.2
- nixos-25.11-small 6.4.2
- nixpkgs-25.11-darwin 6.4.2

pkgs.python314Packages.jenkins-job-builder

Jenkins Job Builder is a system for configuring Jenkins jobs using simple YAML files stored in Git

nixos-unstable 6.4.4
- nixpkgs-unstable 6.4.4
- nixos-unstable-small 6.4.4

Package maintainers

@coreyoconnor Corey O'Connor <coreyoconnor@gmail.com>
@NeQuissimus Tim Steinbach <tim@nequissimus.com>
@earldouglas James Earl Douglas <james@earldouglas.com>
@Bot-wxt1221 Bot-wxt1221 <3264117476@qq.com>
@de11n Elliot Cameron <nixpkgs-commits@deshaw.com>
@invokes-su Souvik Sen <nixpkgs-commits@deshaw.com>
@drets Dmytro Rets <dmitryrets@gmail.com>
@gador Florian Brandes <florian.brandes@posteo.de>
@despsyched Priyanshu Tripathi <priyanshu.tripathi@deshaw.com>