HIGH✓ PATCH🇵🇱 Wersja polska

CVE-2026-33002

CVSS 7.5v3.1pub. 2026-03-18upd. 2026-03-21

Jenkins 2.442 through 2.554 (both inclusive), LTS 2.426.3 through LTS 2.541.2 (both inclusive) performs origin validation of requests made through the CLI WebSocket endpoint by computing the expected origin for comparison using the Host or X-Forwarded-Host HTTP request headers, making it vulnerable to DNS rebinding attacks that allow bypassing origin validation.

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
  • Jenkins

    APP
    Jenkins
    2.426.3 – 2.541.3 (bez)2.442 – 2.555 (bez)
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
CI/CD
CWE
References

Related vulnerabilities

CVE-2024-23897CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Jenkins CLI – odczyt dowolnych plików przez path traversal bez uwierzytelnienia

CVE-2018-1000861CRITICAL9.8⚠ KEVten sam produkt

A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.13...

CVE-2017-1000353CRITICAL9.8⚠ KEVten sam produkt

Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an unauthenticated remot...

CVE-2023-27898CRITICAL9.6ten sam produkt

Jenkins 2.270 through 2.393 (both inclusive), LTS 2.277.1 through 2.375.3 (both inclusive) does not escape the...

CVE-2021-21685CRITICAL9.1ten sam produkt

Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not check agent-to-controller access to create parent ...