This advisory announces vulnerabilities in the following Jenkins deliverables:
Jenkins bundles Winstone-Jetty, a wrapper around Jetty, to act as HTTP and servlet server when started using java -jar jenkins.war.
This is how Jenkins is run when using any of the installers or packages, but not when run using servlet containers such as Tomcat.
Jenkins 2.523 and earlier, LTS 2.516.2 and earlier bundles versions of Jetty affected by the security vulnerability CVE-2025-5115 ("MadeYouReset"). This vulnerability allows unauthenticated attackers to cause a denial of service.
This only affects instances that enable HTTP/2, typically using the --http2Port argument to java -jar jenkins.war or corresponding options in service configuration files.
It is disabled by default in all native installers and the Docker images provided by the Jenkins project.
|
Jenkins 2.524, LTS 2.516.3 updates the bundled Jetty to version 12.0.25, which is unaffected by these issues.
Administrators unable to update to these releases of Jenkins (or newer) are advised to disable HTTP/2.
Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not perform a permission check in the sidepanel of a page intentionally accessible to users lacking Overall/Read permission.
This allows attackers without Overall/Read permission to list agent names through its sidepanel executors widget.
Jenkins 2.528, LTS 2.516.3 removes the sidepanel from the affected view.
Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not perform a permission check for the authenticated user profile dropdown menu. This allows attackers without Overall/Read permission to obtain limited information about the Jenkins configuration by listing available options in this menu (e.g., whether Credentials Plugin is installed).
Jenkins 2.528, LTS 2.516.3 requires Overall/Read permission to list various items in authenticated user profile dropdown menus.
In Jenkins 2.527 and earlier, LTS 2.516.2 and earlier, the log formatter that prepares log messages for console output (including jenkins.log and equivalent) does not restrict or transform the characters that can be inserted from user-specified content in log messages.
This allows attackers able to control log message contents to insert line break characters, followed by forged log messages that may mislead administrators reviewing log output.
Jenkins 2.528, LTS 2.516.3 adds an indicator at the beginning of a line that was inserted as part of log message content: [CR], [LF], or [CRLF] (representing the kind of line break), followed by > .
It is still possible to inject a number of characters into log output that can mislead viewers.
Characters like ASCII BS (backspace) may result in log viewers hiding content, while Unicode-enabled log viewers may be misled by "Trojan Source" characters.
It is recommended to use a log/text viewer that highlights unusual characters like those in its output.
|
These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.
The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities: