Jenkins Vulnerabilities Allow Code Execution and Info Disclosure
Summary
CERT-Bund has issued a security advisory for Jenkins, detailing multiple vulnerabilities with a high CVSS base score. These vulnerabilities allow attackers to execute arbitrary code, bypass security measures, and disclose confidential information. Affected versions include Jenkins weekly <2.555 and Jenkins LTS <2.541.3.
What changed
CERT-Bund has released Security Advisory WID-SEC-2026-0779 concerning critical vulnerabilities in Jenkins. The advisory highlights multiple flaws that, if exploited, could lead to arbitrary code execution, security bypass, and unauthorized disclosure of sensitive information. The vulnerabilities affect Jenkins weekly versions prior to 2.555 and Jenkins LTS versions prior to 2.541.3, as well as the Jenkins LoadNinja Plugin version <2.2. The advisory notes a high CVSS base score of 8.8, indicating a significant security risk.
Organizations utilizing affected Jenkins versions must take immediate action to mitigate these risks. Recommended actions include updating Jenkins to the patched versions (Jenkins weekly >=2.555 and Jenkins LTS >=2.541.3) or applying available mitigations if immediate patching is not feasible. Failure to address these vulnerabilities could result in severe security breaches, including system compromise and data exfiltration. The advisory provides links to CVE information and version history for further details.
What to do next
- Update Jenkins weekly to version 2.555 or later.
- Update Jenkins LTS to version 2.541.3 or later.
- Apply available mitigations if immediate patching is not possible.
Source document (simplified)
[WID-SEC-2026-0779] Jenkins: Mehrere Schwachstellen CVSS Base Score 8.8 (hoch) CVSS Temporal Score 7.7 (hoch) Remoteangriff ja Datum 18.03.2026 Stand 19.03.2026 Mitigation ja
Betroffene Systeme
Betriebssystem
- Sonstiges
- UNIX
- Windows
Produktbeschreibung
Jenkins ist ein erweiterbarer, webbasierter Integration Server zur kontinuierlichen Unterstützung bei Softwareentwicklungen aller Art.
Produkte
18.03.2026
- Jenkins Jenkins weekly <2.555
Jenkins Jenkins LTS <2.541.3
Jenkins Jenkins LoadNinja Plugin <2.2
Angriff
Angriff
Ein Angreifer kann mehrere Schwachstellen in Jenkins ausnutzen, um beliebigen Programmcode auszuführen, Sicherheitsmaßnahmen zu umgehen oder vertrauliche Informationen offenzulegen. CVE Informationen Versionshistorie Feedback zum Advisory geben
Related changes
Source
Classification
Who this affects
Taxonomy
Browse Categories
Get Data Privacy & Cybersecurity alerts
Weekly digest. AI-summarized, no noise.
Free. Unsubscribe anytime.
Get alerts for this source
We'll email you when CERT-Bund Security Advisories publishes new changes.