=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN182
_____________________________________________________________________

DATE                : 18/02/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Jenkins (core) versions prior
                     to weekly 2.551, LTS 2.541.2.

=====================================================================
https://www.jenkins.io/security/advisory/2026-02-18/
_____________________________________________________________________

 Jenkins Security Advisory 2026-02-18

This advisory announces vulnerabilities in the following Jenkins
deliverables:

    Jenkins (core)

Descriptions
Stored XSS vulnerability in node offline cause description
SECURITY-3669 / CVE-2026-27099
Severity (CVSS): High
Description:

Since Jenkins 2.483, the description of the reason why a node is
offline (the "offline cause") is defined as containing HTML and
rendered as such.

Jenkins 2.550 and earlier, LTS 2.541.1 and earlier does not escape
the user-provided description of the "Mark temporarily offline"
offline cause.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers with Agent/Configure or Agent/Disconnect
permission.

Jenkins 2.551, LTS 2.541.2 escapes the user-provided description
of the "Mark temporarily offline" offline cause.

    On Jenkins 2.539 and newer, including LTS 2.541.1, enforcing
    Content Security Policy protection mitigates this vulnerability.
    This vulnerability has been reported through the Jenkins
    Bug Bounty Program sponsored by the European Commission.


Build information disclosure vulnerability through Run Parameter
SECURITY-3658 / CVE-2026-27100
Severity (CVSS): Medium
Description:

Jenkins 2.550 and earlier, LTS 2.541.1 and earlier accepts Run
Parameter values that refer to builds the user submitting the build
does not have access to. This allows attackers with Item/Build and
Item/Configure permission to obtain information about the existence
of jobs, the existence of builds, and if a specified build exists,
its display name.

Jenkins 2.551, LTS 2.541.2 rejects Run Parameter values that refer
to builds the user submitting the build does not have access to
(either because they do not exist, or because the user does not have
permission to access them).

    This vulnerability has been reported through the Jenkins Bug
    Bounty Program sponsored by the European Commission.


Severity

    SECURITY-3658: Medium
    SECURITY-3669: High

Affected Versions

    Jenkins weekly up to and including 2.550
    Jenkins LTS up to and including 2.541.1

Fix

    Jenkins weekly should be updated to version 2.551
    Jenkins LTS should be updated to version 2.541.2

These versions include fixes to the vulnerabilities described above.
All prior versions are considered to be affected by these
vulnerabilities unless otherwise indicated.
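To check an inventory of Jenkins instances against the version ranges above, the following script (added for this note, not part of the Jenkins advisory) parses the version string Jenkins reports in its X-Jenkins response header, distinguishes weekly (two-component) from LTS (three-component) versions, and applies the fixed-version thresholds from this advisory; the host names and headers are constructed sample data.

```python
"""Assess Jenkins core versions against Jenkins Security Advisory 2026-02-18.

Fixed versions: weekly 2.551, LTS 2.541.2 (both SECURITY-3669 and SECURITY-3658).
Enforcing Content Security Policy on 2.539+ mitigates SECURITY-3669 only.
"""

FIXED_WEEKLY = (2, 551)
FIXED_LTS = (2, 541, 2)
CSP_MITIGATION_FROM = (2, 539)   # applies to SECURITY-3669 (stored XSS) only


def parse_version(text):
    """Turn '2.550' (weekly) or '2.541.1' (LTS) into an integer tuple."""
    parts = text.strip().split(".")
    if len(parts) not in (2, 3) or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Jenkins version: {text!r}")
    return tuple(int(p) for p in parts)


def assess(text):
    """Return the affected/mitigation status for one version string."""
    version = parse_version(text)
    lts = len(version) == 3                 # LTS releases carry a third component
    fixed = FIXED_LTS if lts else FIXED_WEEKLY
    affected = version < fixed              # tuple comparison is component-wise
    return {
        "version": text.strip(),
        "line": "LTS" if lts else "weekly",
        "affected": affected,
        # CSP enforcement only helps while still affected and on 2.539 or newer
        "csp_mitigates_3669": affected and version[:2] >= CSP_MITIGATION_FROM,
        "update_to": ".".join(str(c) for c in fixed),
    }


def assess_headers(host, headers):
    """Assess a host from its HTTP response headers (Jenkins sets X-Jenkins)."""
    version = headers.get("X-Jenkins")
    if version is None:
        return {"host": host, "error": "no X-Jenkins header; not Jenkins or header hidden"}
    return {"host": host, **assess(version)}


# Constructed sample inventory (hypothetical hosts and headers)
SAMPLE_INVENTORY = {
    "ci-weekly.example.invalid": {"X-Jenkins": "2.550"},
    "ci-lts.example.invalid": {"X-Jenkins": "2.541.1"},
    "ci-patched.example.invalid": {"X-Jenkins": "2.541.2"},
}

if __name__ == "__main__":
    for host, headers in SAMPLE_INVENTORY.items():
        print(assess_headers(host, headers))
```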


Credit

The Jenkins project would like to thank the reporters for discovering
and reporting these vulnerabilities:

    Muhammed Niazy (Wolfman) for SECURITY-3669
    Suman Roy (https://sumanroy.in) for SECURITY-3658


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================