Description
Vulnerable Library - jenkins-core-2.426.3.jar
Jenkins core code and view files to render HTML.
Library home page: https://github.com/jenkinsci/jenkins
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.jenkins-ci.main/jenkins-core/2.426.3/eee94c4c0c78e715d2a599eb66a5a89c5eed9d18/jenkins-core-2.426.3.jar
Found in HEAD commit: 26696d30ae3a174047ee21ec6573e9b8b0bc1d1e
Vulnerabilities
| Vulnerability | Severity | Dependency | Type | Fixed in (jenkins-core version) | Remediation Possible** |
|---|---|---|---|---|---|
| CVE-2016-1000027 | 9.8 | spring-web-5.3.29.jar | Transitive | N/A* | ❌ |
| CVE-2024-38821 | 9.1 | spring-security-web-5.8.7.jar | Transitive | N/A* | ❌ |
| CVE-2025-48734 | 8.8 | commons-beanutils-1.9.4.jar | Transitive | N/A* | ❌ |
| CVE-2024-43044 | 8.8 | jenkins-core-2.426.3.jar | Direct | org.jenkins-ci.main:jenkins-core:no_fix,org.jenkins-ci.main:jenkins-core:2.452.4,2.462.1,2.471 | ✅ |
| CVE-2024-22257 | 8.2 | spring-security-core-5.8.7.jar | Transitive | N/A* | ❌ |
| CVE-2024-25710 | 8.1 | commons-compress-1.24.0.jar | Transitive | N/A* | ❌ |
| CVE-2024-22262 | 8.1 | spring-web-5.3.29.jar | Transitive | N/A* | ❌ |
| CVE-2024-22259 | 8.1 | spring-web-5.3.29.jar | Transitive | N/A* | ❌ |
| CVE-2024-22243 | 8.1 | spring-web-5.3.29.jar | Transitive | N/A* | ❌ |
| CVE-2025-48976 | 7.5 | commons-fileupload-1.5.jar | Transitive | N/A* | ❌ |
| CVE-2025-41249 | 7.5 | spring-core-5.3.29.jar | Transitive | N/A* | ❌ |
| CVE-2024-47072 | 7.5 | xstream-1.4.20.jar | Transitive | N/A* | ❌ |
| CVE-2025-22228 | 7.4 | spring-security-crypto-5.8.7.jar | Transitive | N/A* | ❌ |
| CVE-2024-43045 | 6.3 | jenkins-core-2.426.3.jar | Direct | org.jenkins-ci.main:jenkins-core:2.452.4,2.462.1,2.471 | ✅ |
| CVE-2025-41242 | 5.9 | spring-beans-5.3.29.jar | Transitive | N/A* | ❌ |
| CVE-2024-26308 | 5.5 | commons-compress-1.24.0.jar | Transitive | N/A* | ❌ |
| CVE-2025-27624 | 5.4 | jenkins-core-2.426.3.jar | Direct | 2.492.2,jenkins-2.500,jenkins-2.492.2,2.500 | ✅ |
| CVE-2025-59476 | 5.3 | jenkins-core-2.426.3.jar | Direct | org.jenkins-ci.main:jenkins-core:2.516.3,org.jenkins-ci.main:jenkins-core:2.528 | ✅ |
| CVE-2025-59474 | 5.3 | jenkins-core-2.426.3.jar | Direct | 2.516.3 | ✅ |
| CVE-2025-48924 | 5.3 | commons-lang-2.6.jar | Transitive | N/A* | ❌ |
| CVE-2024-38809 | 5.3 | spring-web-5.3.29.jar | Transitive | N/A* | ❌ |
| CVE-2024-38827 | 4.8 | detected in multiple dependencies | Transitive | N/A* | ❌ |
| CVE-2025-59475 | 4.3 | jenkins-core-2.426.3.jar | Direct | org.jenkins-ci.main:jenkins-core:2.528,org.jenkins-ci.main:jenkins-core:2.516.3 | ✅ |
| CVE-2025-31721 | 4.3 | jenkins-core-2.426.3.jar | Direct | org.jenkins-ci.main:jenkins-core:2.492.3,org.jenkins-ci.main:jenkins-core:2.504,https://github.com/jenkinsci/jenkins.git - jenkins-2.504,https://github.com/jenkinsci/jenkins.git - jenkins-2.492.3 | ✅ |
| CVE-2025-31720 | 4.3 | jenkins-core-2.426.3.jar | Direct | org.jenkins-ci.main:jenkins-core:2.492.3,org.jenkins-ci.main:jenkins-core:2.504,https://github.com/jenkinsci/jenkins.git - jenkins-2.504,https://github.com/jenkinsci/jenkins.git - jenkins-2.492.3 | ✅ |
| CVE-2025-27625 | 4.3 | jenkins-core-2.426.3.jar | Direct | 2.492.2,jenkins-2.500,2.500,jenkins-2.492.2 | ✅ |
| CVE-2025-27623 | 4.3 | jenkins-core-2.426.3.jar | Direct | jenkins-2.492.2,2.500,jenkins-2.500,2.492.2 | ✅ |
| CVE-2025-27622 | 4.3 | jenkins-core-2.426.3.jar | Direct | 2.500,jenkins-2.492.2,jenkins-2.500,2.492.2 | ✅ |
| CVE-2024-47804 | 4.3 | jenkins-core-2.426.3.jar | Direct | org.jenkins-ci.main:jenkins-core:2.462.3,2.479,org.jenkins-ci.main:jenkins-core:no_fix | ✅ |
| CVE-2024-47803 | 4.3 | jenkins-core-2.426.3.jar | Direct | org.jenkins-ci.main:jenkins-core:2.462.3,2.479 | ✅ |
| CVE-2024-47554 | 4.3 | commons-io-2.13.0.jar | Transitive | N/A* | ❌ |
| CVE-2024-38808 | 4.3 | spring-expression-5.3.29.jar | Transitive | N/A* | ❌ |
| CVE-2025-22233 | 3.1 | spring-context-5.3.29.jar | Transitive | N/A* | ❌ |
| CVE-2024-38820 | 3.1 | spring-context-5.3.29.jar | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of the direct dependency with a fix. Check the "Details" section below to see if there is a version of the transitive dependency where the vulnerability is fixed.
**In some cases, a Remediation PR cannot be created automatically for a vulnerability despite the availability of a remediation.
Details
Partial details (21 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.
CVE-2016-1000027
Vulnerable Library - spring-web-5.3.29.jar
Spring Web
Library home page: https://spring.io/projects/spring-framework
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework/spring-web/5.3.29/4cd333e48d9a05d05c05ae7426242ecfe4cfb681/spring-web-5.3.29.jar
Dependency Hierarchy:
- jenkins-core-2.426.3.jar (Root Library)
  - spring-security-web-5.8.7.jar
    - ❌ spring-web-5.3.29.jar (Vulnerable Library)
Found in HEAD commit: 26696d30ae3a174047ee21ec6573e9b8b0bc1d1e
Found in base branch: main
Vulnerability Details
Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or may not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data. After conducting further research, Mend has determined that all versions of spring-web up to version 6.0.0 are vulnerable to CVE-2016-1000027.
Publish Date: 2020-01-02
URL: CVE-2016-1000027
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-4wrc-f8pq-fpqp
Release Date: 2020-01-02
Fix Resolution: org.springframework:spring-web:6.0.0
CVE-2024-38821
Vulnerable Library - spring-security-web-5.8.7.jar
Spring Security
Library home page: https://spring.io/projects/spring-security
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework.security/spring-security-web/5.8.7/b28db4ea3fb69adf99d2a10e61b55c5869518193/spring-security-web-5.8.7.jar
Dependency Hierarchy:
- jenkins-core-2.426.3.jar (Root Library)
  - ❌ spring-security-web-5.8.7.jar (Vulnerable Library)
Found in HEAD commit: 26696d30ae3a174047ee21ec6573e9b8b0bc1d1e
Found in base branch: main
Vulnerability Details
Spring WebFlux applications that have Spring Security authorization rules on static resources can be bypassed under certain circumstances.
For this to impact an application, all of the following must be true: it must be a WebFlux application, it must be using Spring's static resources support, and it must have a non-permitAll authorization rule applied to the static resources support.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2024-10-28
URL: CVE-2024-38821
CVSS 3 Score Details (9.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-c4q5-6c82-3qpw
Release Date: 2024-10-28
Fix Resolution: org.springframework.security:spring-security-web:6.3.4,org.springframework.security:spring-security-web:5.8.15,org.springframework.security:spring-security-web:6.2.7,https://github.com/spring-projects/spring-security.git - 5.7.13,https://github.com/spring-projects/spring-security.git - 5.8.15,https://github.com/spring-projects/spring-security.git - 6.2.7,org.springframework.security:spring-security-web:5.7.13,https://github.com/spring-projects/spring-security.git - 6.3.4
CVE-2025-48734
Vulnerable Library - commons-beanutils-1.9.4.jar
Apache Commons BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.
Library home page: https://www.apache.org/
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/commons-beanutils/commons-beanutils/1.9.4/d52b9abcd97f38c81342bb7e7ae1eee9b73cba51/commons-beanutils-1.9.4.jar
Dependency Hierarchy:
- jenkins-core-2.426.3.jar (Root Library)
  - ❌ commons-beanutils-1.9.4.jar (Vulnerable Library)
Found in HEAD commit: 26696d30ae3a174047ee21ec6573e9b8b0bc1d1e
Found in base branch: main
Vulnerability Details
Improper Access Control vulnerability in Apache Commons.
A special BeanIntrospector class was added in version 1.9.2. This can be used to stop attackers from using the declared class property of Java enum objects to get access to the classloader. However, this protection was not enabled by default. PropertyUtilsBean (and consequently BeanUtilsBean) now disallows declared class level property access by default.
Releases 1.11.0 and 2.0.0-M2 address a potential security issue when accessing enum properties in an uncontrolled way. If an application using Commons BeanUtils passes property paths from an external source directly to the getProperty() method of PropertyUtilsBean, an attacker can access the enum’s class loader via the “declaredClass” property available on all Java “enum” objects. Accessing the enum’s “declaredClass” allows remote attackers to access the ClassLoader and execute arbitrary code. The same issue exists with PropertyUtilsBean.getNestedProperty().
Starting in versions 1.11.0 and 2.0.0-M2 a special BeanIntrospector suppresses the “declaredClass” property. Note that this new BeanIntrospector is enabled by default, but you can disable it to regain the old behavior; see section 2.5 of the user's guide and the unit tests.
This issue affects Apache Commons BeanUtils 1.x before 1.11.0, and 2.x before 2.0.0-M2. Users of the artifact commons-beanutils:commons-beanutils 1.x are recommended to upgrade to version 1.11.0, which fixes the issue. Users of the artifact org.apache.commons:commons-beanutils2 2.x are recommended to upgrade to version 2.0.0-M2, which fixes the issue.
Publish Date: 2025-05-28
URL: CVE-2025-48734
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-wxr5-93ph-8wr9
Release Date: 2025-05-28
Fix Resolution: https://github.com/apache/commons-beanutils.git - commons-beanutils-2.0.0-M2-RC1,https://github.com/apache/commons-beanutils.git - rel/commons-beanutils-2.0.0-M2,https://github.com/apache/commons-beanutils.git - rel/commons-beanutils-1.11.0,org.apache.commons:commons-beanutils2:2.0.0-M2,commons-beanutils:commons-beanutils:1.11.0
CVE-2024-43044
Vulnerable Library - jenkins-core-2.426.3.jar
Jenkins core code and view files to render HTML.
Library home page: https://github.com/jenkinsci/jenkins
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.jenkins-ci.main/jenkins-core/2.426.3/eee94c4c0c78e715d2a599eb66a5a89c5eed9d18/jenkins-core-2.426.3.jar
Dependency Hierarchy:
- ❌ jenkins-core-2.426.3.jar (Vulnerable Library)
Found in HEAD commit: 26696d30ae3a174047ee21ec6573e9b8b0bc1d1e
Found in base branch: main
Vulnerability Details
Jenkins 2.470 and earlier, LTS 2.452.3 and earlier allows agent processes to read arbitrary files from the Jenkins controller file system by using the "ClassLoaderProxy#fetchJar" method in the Remoting library.
Publish Date: 2024-08-07
URL: CVE-2024-43044
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2024-43044
Release Date: 2024-08-07
Fix Resolution: org.jenkins-ci.main:jenkins-core:no_fix,org.jenkins-ci.main:jenkins-core:2.452.4,2.462.1,2.471
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2024-22257
Vulnerable Library - spring-security-core-5.8.7.jar
Spring Security
Library home page: https://spring.io/projects/spring-security
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework.security/spring-security-core/5.8.7/916c9b391ef6e606806dbe2fc9c8b4ff5a853cdf/spring-security-core-5.8.7.jar
Dependency Hierarchy:
- jenkins-core-2.426.3.jar (Root Library)
  - spring-security-web-5.8.7.jar
    - ❌ spring-security-core-5.8.7.jar (Vulnerable Library)
Found in HEAD commit: 26696d30ae3a174047ee21ec6573e9b8b0bc1d1e
Found in base branch: main
Vulnerability Details
In Spring Security, versions 5.7.x prior to 5.7.12, 5.8.x prior to 5.8.11, versions 6.0.x prior to 6.0.9, versions 6.1.x prior to 6.1.8, versions 6.2.x prior to 6.2.3, an application is possibly vulnerable to broken access control when it directly uses the AuthenticatedVoter#vote passing a null Authentication parameter.
Publish Date: 2024-03-18
URL: CVE-2024-22257
CVSS 3 Score Details (8.2)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: Low
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-f3jh-qvm4-mg39
Release Date: 2024-03-18
Fix Resolution: org.springframework.security:spring-security-core:5.8.11,org.springframework.security:spring-security-core:6.2.3,org.springframework.security:spring-security-core:5.7.12,org.springframework.security:spring-security-core:6.1.8
CVE-2024-25710
Vulnerable Library - commons-compress-1.24.0.jar
Apache Commons Compress defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.
Library home page: https://www.apache.org/
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.24.0/b4b1b5a3d9573b2970fddab236102c0a4d27d35e/commons-compress-1.24.0.jar
Dependency Hierarchy:
- jenkins-core-2.426.3.jar (Root Library)
  - ❌ commons-compress-1.24.0.jar (Vulnerable Library)
Found in HEAD commit: 26696d30ae3a174047ee21ec6573e9b8b0bc1d1e
Found in base branch: main
Vulnerability Details
Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress. This issue affects Apache Commons Compress: from 1.3 through 1.25.0.
Users are recommended to upgrade to version 1.26.0 which fixes the issue.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2024-02-19
URL: CVE-2024-25710
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-25710
Release Date: 2024-02-19
Fix Resolution: org.apache.commons:commons-compress:1.26.0
CVE-2024-22262
Vulnerable Library - spring-web-5.3.29.jar
Spring Web
Library home page: https://spring.io/projects/spring-framework
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework/spring-web/5.3.29/4cd333e48d9a05d05c05ae7426242ecfe4cfb681/spring-web-5.3.29.jar
Dependency Hierarchy:
- jenkins-core-2.426.3.jar (Root Library)
  - spring-security-web-5.8.7.jar
    - ❌ spring-web-5.3.29.jar (Vulnerable Library)
Found in HEAD commit: 26696d30ae3a174047ee21ec6573e9b8b0bc1d1e
Found in base branch: main
Vulnerability Details
Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect (https://cwe.mitre.org/data/definitions/601.html) attack or to an SSRF attack if the URL is used after passing validation checks.
This is the same as CVE-2024-22259 (https://spring.io/security/cve-2024-22259) and CVE-2024-22243 (https://spring.io/security/cve-2024-22243), but with different input.
Publish Date: 2024-04-16
URL: CVE-2024-22262
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2024-22262
Release Date: 2024-04-16
Fix Resolution: org.springframework:spring-web:5.3.34,6.0.19,6.1.6
CVE-2024-22259
Vulnerable Library - spring-web-5.3.29.jar
Spring Web
Library home page: https://spring.io/projects/spring-framework
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework/spring-web/5.3.29/4cd333e48d9a05d05c05ae7426242ecfe4cfb681/spring-web-5.3.29.jar
Dependency Hierarchy:
- jenkins-core-2.426.3.jar (Root Library)
  - spring-security-web-5.8.7.jar
    - ❌ spring-web-5.3.29.jar (Vulnerable Library)
Found in HEAD commit: 26696d30ae3a174047ee21ec6573e9b8b0bc1d1e
Found in base branch: main
Vulnerability Details
Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect (https://cwe.mitre.org/data/definitions/601.html) attack or to an SSRF attack if the URL is used after passing validation checks.
This is the same as CVE-2024-22243 (https://spring.io/security/cve-2024-22243), but with different input.
Publish Date: 2024-03-16
URL: CVE-2024-22259
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2024-22259
Release Date: 2024-03-16
Fix Resolution: org.springframework:spring-web:5.3.33,6.0.18,6.1.5
CVE-2024-22243
Vulnerable Library - spring-web-5.3.29.jar
Spring Web
Library home page: https://spring.io/projects/spring-framework
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework/spring-web/5.3.29/4cd333e48d9a05d05c05ae7426242ecfe4cfb681/spring-web-5.3.29.jar
Dependency Hierarchy:
- jenkins-core-2.426.3.jar (Root Library)
  - spring-security-web-5.8.7.jar
    - ❌ spring-web-5.3.29.jar (Vulnerable Library)
Found in HEAD commit: 26696d30ae3a174047ee21ec6573e9b8b0bc1d1e
Found in base branch: main
Vulnerability Details
Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect (https://cwe.mitre.org/data/definitions/601.html) attack or to an SSRF attack if the URL is used after passing validation checks.
Publish Date: 2024-02-23
URL: CVE-2024-22243
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2024-22243
Release Date: 2024-02-23
Fix Resolution: org.springframework:spring-web:5.3.32,6.0.17,6.1.4
CVE-2025-48976
Vulnerable Library - commons-fileupload-1.5.jar
The Apache Commons FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.
Library home page: https://www.apache.org/
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/commons-fileupload/commons-fileupload/1.5/ad4ad2ab2961b4e1891472bd1a33fabefb0385f3/commons-fileupload-1.5.jar
Dependency Hierarchy:
- jenkins-core-2.426.3.jar (Root Library)
  - ❌ commons-fileupload-1.5.jar (Vulnerable Library)
Found in HEAD commit: 26696d30ae3a174047ee21ec6573e9b8b0bc1d1e
Found in base branch: main
Vulnerability Details
Apache Commons FileUpload provided a hard-coded limit of 10kB for the size of the headers associated with a multipart request. A specially crafted request that used a large number of parts with large headers could trigger excessive memory usage leading to a DoS. This limit is now configurable (maxPartHeaderSize on the Connector) with a default of 512 bytes.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-06-16
URL: CVE-2025-48976
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2025-06-15
Fix Resolution: org.apache.tomcat.embed:tomcat-embed-core:9.0.106,org.apache.tomcat:tomcat-coyote:10.1.42,org.apache.tomcat.embed:tomcat-embed-core:10.1.42,https://github.com/apache/tomcat.git - 11.0.8,org.apache.tomcat:tomcat-coyote:11.0.8,org.apache.tomcat.embed:tomcat-embed-core:11.0.8,org.apache.tomcat:tomcat-coyote:9.0.106,https://github.com/apache/tomcat.git - 9.0.106,https://github.com/apache/tomcat.git - 10.1.42,https://github.com/apache/commons-fileupload.git - rel/commons-fileupload-2.0.0-M4,https://github.com/apache/commons-fileupload.git - rel/commons-fileupload-1.6.0,org.apache.commons:commons-fileupload2:2.0.0-M4,commons-fileupload:commons-fileupload:1.6.0
CVE-2025-41249
Vulnerable Library - spring-core-5.3.29.jar
Spring Core
Library home page: https://spring.io/projects/spring-framework
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework/spring-core/5.3.29/528eafe4cef7bccf3df290dd99ac5833a9756183/spring-core-5.3.29.jar
Dependency Hierarchy:
- jenkins-core-2.426.3.jar (Root Library)
  - spring-security-web-5.8.7.jar
    - ❌ spring-core-5.3.29.jar (Vulnerable Library)
Found in HEAD commit: 26696d30ae3a174047ee21ec6573e9b8b0bc1d1e
Found in base branch: main
Vulnerability Details
The Spring Framework annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue if such annotations are used for authorization decisions.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-09-16
URL: CVE-2025-41249
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2025-41249
Release Date: 2025-09-14
Fix Resolution: https://github.com/spring-projects/spring-framework.git - v6.2.11,org.springframework:spring-core:6.2.11
CVE-2024-47072
Vulnerable Library - xstream-1.4.20.jar
Library home page: http://x-stream.github.io
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/com.thoughtworks.xstream/xstream/1.4.20/e2315b8b2e95e9f21697833c8e56cdd9c98a5ee/xstream-1.4.20.jar
Dependency Hierarchy:
- jenkins-core-2.426.3.jar (Root Library)
  - ❌ xstream-1.4.20.jar (Vulnerable Library)
Found in HEAD commit: 26696d30ae3a174047ee21ec6573e9b8b0bc1d1e
Found in base branch: main
Vulnerability Details
XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to terminate the application with a stack overflow error, resulting in a denial of service, only by manipulating the processed input stream when XStream is configured to use the BinaryStreamDriver. XStream 1.4.21 has been patched to detect the manipulation in the binary input stream causing the stack overflow and raises an InputManipulationException instead. Users are advised to upgrade. Users unable to upgrade may catch the StackOverflowError in the client code calling XStream if XStream is configured to use the BinaryStreamDriver.
Publish Date: 2024-11-07
URL: CVE-2024-47072
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2024-47072
Release Date: 2024-11-07
Fix Resolution: com.thoughtworks.xstream:xstream - 1.4.21
CVE-2025-22228
Vulnerable Library - spring-security-crypto-5.8.7.jar
Spring Security
Library home page: https://spring.io/projects/spring-security
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework.security/spring-security-crypto/5.8.7/d69ea3cac23fa4c567f342180cd7150d06de5e6b/spring-security-crypto-5.8.7.jar
Dependency Hierarchy:
- jenkins-core-2.426.3.jar (Root Library)
  - spring-security-web-5.8.7.jar
    - spring-security-core-5.8.7.jar
      - ❌ spring-security-crypto-5.8.7.jar (Vulnerable Library)
Found in HEAD commit: 26696d30ae3a174047ee21ec6573e9b8b0bc1d1e
Found in base branch: main
Vulnerability Details
BCryptPasswordEncoder.matches(CharSequence,String) will incorrectly return true for passwords larger than 72 characters as long as the first 72 characters are the same.
Publish Date: 2025-03-20
URL: CVE-2025-22228
CVSS 3 Score Details (7.4)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2025-22228
Release Date: 2025-03-20
Fix Resolution: https://github.com/spring-projects/spring-security.git - 6.4.4,https://github.com/spring-projects/spring-security.git - 6.3.8,org.springframework.security:spring-security-crypto:6.4.4,org.springframework.security:spring-security-crypto:6.3.8
CVE-2024-43045
Vulnerable Library - jenkins-core-2.426.3.jar
Jenkins core code and view files to render HTML.
Library home page: https://github.com/jenkinsci/jenkins
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.jenkins-ci.main/jenkins-core/2.426.3/eee94c4c0c78e715d2a599eb66a5a89c5eed9d18/jenkins-core-2.426.3.jar
Dependency Hierarchy:
- ❌ jenkins-core-2.426.3.jar (Vulnerable Library)
Found in HEAD commit: 26696d30ae3a174047ee21ec6573e9b8b0bc1d1e
Found in base branch: main
Vulnerability Details
Jenkins 2.470 and earlier, LTS 2.452.3 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to access other users' "My Views".
Publish Date: 2024-08-07
URL: CVE-2024-43045
CVSS 3 Score Details (6.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://www.jenkins.io/security/advisory/2024-08-07/
Release Date: 2024-08-07
Fix Resolution: org.jenkins-ci.main:jenkins-core:2.452.4,2.462.1,2.471
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2025-41242
Vulnerable Library - spring-beans-5.3.29.jar
Spring Beans
Library home page: https://spring.io/projects/spring-framework
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework/spring-beans/5.3.29/be40f557f3fa52c703f00e127ff639f8cf499617/spring-beans-5.3.29.jar
Dependency Hierarchy:
- jenkins-core-2.426.3.jar (Root Library)
  - spring-security-web-5.8.7.jar
    - ❌ spring-beans-5.3.29.jar (Vulnerable Library)
Found in HEAD commit: 26696d30ae3a174047ee21ec6573e9b8b0bc1d1e
Found in base branch: main
Vulnerability Details
Spring Framework MVC applications can be vulnerable to a “Path Traversal Vulnerability” when deployed on a non-compliant Servlet container.
An application can be vulnerable when all the following are true:
- the application is deployed as a WAR or with an embedded Servlet container
- the Servlet container does not reject suspicious sequences (https://jakarta.ee/specifications/servlet/6.1/jakarta-servlet-spec-6.1.html#uri-path-canonicalization)
- the application serves static resources (https://docs.spring.io/spring-framework/reference/web/webmvc/mvc-config/static-resources.html#page-title) with Spring resource handling
We have verified that applications deployed on Apache Tomcat or Eclipse Jetty are not vulnerable, as long as default security features are not disabled in the configuration. Because we cannot check exploits against all Servlet containers and configuration variants, we strongly recommend upgrading your application.
Publish Date: 2025-08-18
URL: CVE-2025-41242
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2025-08-18
Fix Resolution: https://github.com/spring-projects/spring-framework.git - v6.2.10,org.springframework:spring-beans:6.2.10
CVE-2024-26308
Vulnerable Library - commons-compress-1.24.0.jar
Apache Commons Compress defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.
Library home page: https://www.apache.org/
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.24.0/b4b1b5a3d9573b2970fddab236102c0a4d27d35e/commons-compress-1.24.0.jar
Dependency Hierarchy:
- jenkins-core-2.426.3.jar (Root Library)
- ❌ commons-compress-1.24.0.jar (Vulnerable Library)
Found in HEAD commit: 26696d30ae3a174047ee21ec6573e9b8b0bc1d1e
Found in base branch: main
Vulnerability Details
Allocation of Resources Without Limits or Throttling vulnerability in Apache Commons Compress. This issue affects Apache Commons Compress: from 1.21 before 1.26.
Users are recommended to upgrade to version 1.26, which fixes the issue.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2024-02-19
URL: CVE-2024-26308
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-26308
Release Date: 2024-02-19
Fix Resolution: org.apache.commons:commons-compress:1.26.0
CVE-2025-27624
Vulnerable Library - jenkins-core-2.426.3.jar
Jenkins core code and view files to render HTML.
Library home page: https://github.com/jenkinsci/jenkins
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.jenkins-ci.main/jenkins-core/2.426.3/eee94c4c0c78e715d2a599eb66a5a89c5eed9d18/jenkins-core-2.426.3.jar
Dependency Hierarchy:
- ❌ jenkins-core-2.426.3.jar (Vulnerable Library)
Found in HEAD commit: 26696d30ae3a174047ee21ec6573e9b8b0bc1d1e
Found in base branch: main
Vulnerability Details
A cross-site request forgery (CSRF) vulnerability in Jenkins 2.499 and earlier, LTS 2.492.1 and earlier allows attackers to have users toggle their collapsed/expanded status of sidepanel widgets (e.g., Build Queue and Build Executor Status widgets).
Publish Date: 2025-03-05
URL: CVE-2025-27624
CVSS 3 Score Details (5.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://www.jenkins.io/security/advisory/2025-03-05/#SECURITY-3498
Release Date: 2025-03-05
Fix Resolution: 2.492.2,jenkins-2.500,jenkins-2.492.2,2.500
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2025-59476
Vulnerable Library - jenkins-core-2.426.3.jar
Jenkins core code and view files to render HTML.
Library home page: https://github.com/jenkinsci/jenkins
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.jenkins-ci.main/jenkins-core/2.426.3/eee94c4c0c78e715d2a599eb66a5a89c5eed9d18/jenkins-core-2.426.3.jar
Dependency Hierarchy:
- ❌ jenkins-core-2.426.3.jar (Vulnerable Library)
Found in HEAD commit: 26696d30ae3a174047ee21ec6573e9b8b0bc1d1e
Found in base branch: main
Vulnerability Details
Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not restrict or transform the characters that can be inserted from user-specified content in log messages, allowing attackers able to control log message contents to insert line break characters, followed by forged log messages that may mislead administrators reviewing log output.
Publish Date: 2025-09-17
URL: CVE-2025-59476
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://www.jenkins.io/security/advisory/2025-09-17/#SECURITY-3424
Release Date: 2025-09-17
Fix Resolution: org.jenkins-ci.main:jenkins-core:2.516.3,org.jenkins-ci.main:jenkins-core:2.528
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2025-59474
Vulnerable Library - jenkins-core-2.426.3.jar
Jenkins core code and view files to render HTML.
Library home page: https://github.com/jenkinsci/jenkins
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.jenkins-ci.main/jenkins-core/2.426.3/eee94c4c0c78e715d2a599eb66a5a89c5eed9d18/jenkins-core-2.426.3.jar
Dependency Hierarchy:
- ❌ jenkins-core-2.426.3.jar (Vulnerable Library)
Found in HEAD commit: 26696d30ae3a174047ee21ec6573e9b8b0bc1d1e
Found in base branch: main
Vulnerability Details
Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not perform a permission check in the sidepanel of a page intentionally accessible to users lacking Overall/Read permission, allowing attackers without Overall/Read permission to list agent names through its sidepanel executors widget.
Publish Date: 2025-09-17
URL: CVE-2025-59474
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-67v4-38h7-9jjp
Release Date: 2025-09-17
Fix Resolution: 2.516.3
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2025-48924
Vulnerable Library - commons-lang-2.6.jar
Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang.
Library home page: http://www.apache.org/
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/commons-lang/commons-lang/2.6/ce1edb914c94ebc388f086c6827e8bdeec71ac2/commons-lang-2.6.jar
Dependency Hierarchy:
- jenkins-core-2.426.3.jar (Root Library)
- ❌ commons-lang-2.6.jar (Vulnerable Library)
Found in HEAD commit: 26696d30ae3a174047ee21ec6573e9b8b0bc1d1e
Found in base branch: main
Vulnerability Details
Uncontrolled Recursion vulnerability in Apache Commons Lang.
This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.
The methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop.
Users are recommended to upgrade to version 3.18.0, which fixes the issue.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-07-11
URL: CVE-2025-48924
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Release Date: 2025-07-11
Fix Resolution: https://github.com/apache/commons-lang.git - commons-lang-3.18.0,org.apache.commons:commons-lang3:3.18.0
CVE-2024-38809
Vulnerable Library - spring-web-5.3.29.jar
Spring Web
Library home page: https://spring.io/projects/spring-framework
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework/spring-web/5.3.29/4cd333e48d9a05d05c05ae7426242ecfe4cfb681/spring-web-5.3.29.jar
Dependency Hierarchy:
- jenkins-core-2.426.3.jar (Root Library)
- spring-security-web-5.8.7.jar
- ❌ spring-web-5.3.29.jar (Vulnerable Library)
- spring-security-web-5.8.7.jar
Found in HEAD commit: 26696d30ae3a174047ee21ec6573e9b8b0bc1d1e
Found in base branch: main
Vulnerability Details
Applications that parse ETags from "If-Match" or "If-None-Match" request headers are vulnerable to DoS attack.
Users of affected versions should upgrade to the corresponding fixed version.
Users of older, unsupported versions could enforce a size limit on "If-Match" and "If-None-Match" headers, e.g. through a Filter.
Publish Date: 2024-09-27
URL: CVE-2024-38809
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2024-38809
Release Date: 2024-09-27
Fix Resolution: org.springframework:spring-web:5.3.38,6.0.23,6.1.12
⛑️ Automatic Remediation will be attempted for this issue.