Nixpkgs security tracker

Details of issue NIXPKGS-2026-1901

NIXPKGS-2026-1901
published 14 hours ago
Jenkins: security issues < 2.555.3
CVE-2026-53436
4.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 14 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    7 packages
    • jenkins-job-builder
    • python313Packages.jenkinsapi
    • python314Packages.jenkinsapi
    • python313Packages.python-jenkins
    • python314Packages.python-jenkins
    • python313Packages.jenkins-job-builder
    • python314Packages.jenkins-job-builder
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Jenkins 2.567 and earlier, LTS 2.555.2 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins when it contains relative path segments (`./` or `../`), allowing attackers to perform phishing attacks.

References

Affected products

Jenkins
  • *
  • <2.555.*

Matching in nixpkgs

Ignored packages (7)

pkgs.jenkins-job-builder

Jenkins Job Builder is a system for configuring Jenkins jobs using simple YAML files stored in Git

Package maintainers

CVE-2026-53440
4.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 14 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    7 packages
    • jenkins-job-builder
    • python313Packages.jenkinsapi
    • python314Packages.jenkinsapi
    • python313Packages.python-jenkins
    • python314Packages.python-jenkins
    • python313Packages.jenkins-job-builder
    • python314Packages.jenkins-job-builder
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Jenkins 2.567 and earlier, LTS 2.555.2 and earlier does not ensure that the "from" parameter in the "Delegate to servlet container" security realm is safe to redirect to after login, allowing attackers to perform phishing attacks by redirecting users to an attacker-controlled domain.

References

Affected products

Jenkins
  • *
  • <2.555.*

Matching in nixpkgs

Ignored packages (7)

pkgs.jenkins-job-builder

Jenkins Job Builder is a system for configuring Jenkins jobs using simple YAML files stored in Git

Package maintainers

CVE-2026-53437
4.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 14 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    7 packages
    • jenkins-job-builder
    • python313Packages.jenkinsapi
    • python314Packages.jenkinsapi
    • python313Packages.python-jenkins
    • python314Packages.python-jenkins
    • python313Packages.jenkins-job-builder
    • python314Packages.jenkins-job-builder
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Jenkins 2.567 and earlier, LTS 2.555.2 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins when it contains tab or newline characters between `//`, allowing attackers to perform phishing attacks.

References

Affected products

Jenkins
  • *
  • <2.555.*

Matching in nixpkgs

Ignored packages (7)

pkgs.jenkins-job-builder

Jenkins Job Builder is a system for configuring Jenkins jobs using simple YAML files stored in Git

Package maintainers

CVE-2026-53435
8.8 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 14 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    7 packages
    • jenkins-job-builder
    • python313Packages.jenkinsapi
    • python314Packages.jenkinsapi
    • python313Packages.python-jenkins
    • python314Packages.python-jenkins
    • python313Packages.jenkins-job-builder
    • python314Packages.jenkins-job-builder
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
In Jenkins 2.567 and earlier, LTS 2.555.2 and earlier, it is possible for attackers to have Jenkins deserialize arbitrary types defined in Jenkins core or plugins from an attacker-controlled `config.xml` submission in a way that allows them to handle HTTP requests afterwards. This can be used to impersonate any user and send HTTP requests on their behalf, up to and including use of the Script Console to run arbitrary code, or to read arbitrary files from the Jenkins controller.

References

Affected products

Jenkins
  • *
  • <2.555.*

Matching in nixpkgs

Ignored packages (7)

pkgs.jenkins-job-builder

Jenkins Job Builder is a system for configuring Jenkins jobs using simple YAML files stored in Git

Package maintainers

CVE-2026-53442
5.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 14 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    7 packages
    • jenkins-job-builder
    • python313Packages.jenkinsapi
    • python314Packages.jenkinsapi
    • python313Packages.python-jenkins
    • python314Packages.python-jenkins
    • python313Packages.jenkins-job-builder
    • python314Packages.jenkins-job-builder
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Jenkins 2.567 and earlier, LTS 2.555.2 and earlier does not encrypt secrets submitted through POST config.xml before storing them in job configurations, so they are written unencrypted to job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or with access to the Jenkins controller file system.

References

Affected products

Jenkins
  • *
  • <2.555.*

Matching in nixpkgs

Ignored packages (7)

pkgs.jenkins-job-builder

Jenkins Job Builder is a system for configuring Jenkins jobs using simple YAML files stored in Git

Package maintainers

updated 14 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    7 packages
    • jenkins-job-builder
    • python313Packages.jenkinsapi
    • python314Packages.jenkinsapi
    • python313Packages.python-jenkins
    • python314Packages.python-jenkins
    • python313Packages.jenkins-job-builder
    • python314Packages.jenkins-job-builder
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Jenkins 2.483 through 2.567 (both inclusive), LTS 2.492.1 through 2.555.2 (both inclusive) does not escape the user-provided description of a generic offline cause that could be set through the `POST config.xml` API, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure permission.

References

Affected products

Jenkins
  • <2.483
  • *
  • <2.555.*

Matching in nixpkgs

Ignored packages (7)

pkgs.jenkins-job-builder

Jenkins Job Builder is a system for configuring Jenkins jobs using simple YAML files stored in Git

Package maintainers

CVE-2026-53438
4.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 14 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    7 packages
    • jenkins-job-builder
    • python313Packages.jenkinsapi
    • python314Packages.jenkinsapi
    • python313Packages.python-jenkins
    • python314Packages.python-jenkins
    • python313Packages.jenkins-job-builder
    • python314Packages.jenkins-job-builder
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
A missing permission check in Jenkins 2.567 and earlier, LTS 2.555.2 and earlier allows attackers with Item/Cancel permission, but lacking Item/Read permission, to cancel queue items they do not have permission to view.

References

Affected products

Jenkins
  • *
  • <2.555.*

Matching in nixpkgs

Ignored packages (7)

pkgs.jenkins-job-builder

Jenkins Job Builder is a system for configuring Jenkins jobs using simple YAML files stored in Git

Package maintainers

CVE-2026-53439
4.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 14 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    7 packages
    • jenkins-job-builder
    • python313Packages.jenkinsapi
    • python314Packages.jenkinsapi
    • python313Packages.python-jenkins
    • python314Packages.python-jenkins
    • python313Packages.jenkins-job-builder
    • python314Packages.jenkins-job-builder
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Missing permission checks in Jenkins 2.567 and earlier, LTS 2.555.2 and earlier allow attackers with Overall/Read permission to determine other users' configured timezone and to enumerate view names of other users' "My Views".

References

Affected products

Jenkins
  • *
  • <2.555.*

Matching in nixpkgs

Ignored packages (7)

pkgs.jenkins-job-builder

Jenkins Job Builder is a system for configuring Jenkins jobs using simple YAML files stored in Git

Package maintainers