BIT-jenkins-2026-53435

See a problem?

Import Source

https://github.com/bitnami/vulndb/tree/main/data/jenkins/BIT-jenkins-2026-53435.json

JSON Data

https://api.osv.dev/v1/vulns/BIT-jenkins-2026-53435

Aliases

CVE-2026-53435

Published

2026-06-12T08:43:04.164Z

Modified

2026-06-13T09:15:05.200348227Z

Summary

[none]

Details

In Jenkins 2.567 and earlier, LTS 2.555.2 and earlier, it is possible for attackers to have Jenkins deserialize arbitrary types defined in Jenkins core or plugins from an attacker-controlled config.xml submission in a way that allows them to handle HTTP requests afterwards. This can be used to impersonate any user and send HTTP requests on their behalf, up to and including use of the Script Console to run arbitrary code, or to read arbitrary files from the Jenkins controller.

Database specific

{
    "cpes": [
        "cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*",
        "cpe:2.3:a:jenkins:jenkins:*:*:*:*:-:*:*:*",
        "cpe:2.3:a:jenkins:jenkins:*:*:*:*:*:maven:*:*"
    ],
    "severity": "High"
}

References

Affected packages

Bitnami / jenkins

Package

Name: jenkins
Purl: pkg:bitnami/jenkins

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.555.3

Introduced

2.556.0

Fixed

2.568.0

Database specific

source

"https://github.com/bitnami/vulndb/tree/main/data/jenkins/BIT-jenkins-2026-53435.json"