=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN447
_____________________________________________________________________

DATE                : 30/04/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Credentials Binding Plugin for Jenkins,
                     GitHub Plugin for Jenkins,
                     GitHub Branch Source Plugin for Jenkins,
                     HTML Publisher Plugin for Jenkins,
                     Matrix Authorization Strategy Plugin for Jenkins,
                     Microsoft Entra ID (previously Azure AD) Plugin for Jenkins,
                     Script Security Plugin for Jenkins.

=====================================================================
https://www.jenkins.io/security/advisory/2026-04-29/
_____________________________________________________________________

 Jenkins Security Advisory 2026-04-29

This advisory announces vulnerabilities in the following Jenkins
deliverables:

    Credentials Binding Plugin
    GitHub Plugin
    GitHub Branch Source Plugin
    HTML Publisher Plugin
    Matrix Authorization Strategy Plugin
    Microsoft Entra ID (previously Azure AD) Plugin
    Script Security Plugin

Descriptions

Missing permission check in Script Security Plugin allows enumerating
pending and approved classpaths

SECURITY-3662 / CVE-2026-42519
Severity (CVSS): Medium
Affected plugin: script-security
Description:

Script Security Plugin 1399.ve6a_66547f6e1 and earlier does not perform
a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to enumerate pending
and approved Script Security classpaths.

Script Security Plugin 1402.v94c9ce464861 requires Overall/Administer
permission to enumerate pending and approved Script Security classpaths.

This vulnerability has been reported through the Jenkins
Bug Bounty Program sponsored by the European Commission.


Path traversal vulnerability in Credentials Binding Plugin
SECURITY-3672 / CVE-2026-42520
Severity (CVSS): High
Affected plugin: credentials-binding
Description:

Credentials Binding Plugin 719.v80e905ef14eb_ and earlier does not
sanitize file names for file and zip file credentials.

This allows attackers able to provide credentials to a job to write
files to arbitrary locations on the node filesystem. If Jenkins is
configured to allow a low-privileged user to configure file or zip
file credentials used for a job running on the built-in node, this
can lead to remote code execution.

Credentials Binding Plugin 720.v3f6decef43ea_ sanitizes the file
name provided for file and zip file credentials, preventing path
traversal.

This vulnerability has been reported through the Jenkins
Bug Bounty Program sponsored by the European Commission.
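The fix above comes down to one rule: a user-supplied credential file name must never contribute directory components to the path written on the node. The following Python example is added here to illustrate that rule; it is not code from the Credentials Binding Plugin (which is written in Java), and the workspace path and file names it uses are constructed for the demonstration. It shows the vulnerable join-verbatim pattern as a diagnostic, the hardened sanitizer that keeps only the final component of the name, and a containment re-check on the resulting path.

```python
import os
from pathlib import PurePosixPath

# Constructed sample inputs: names a user might type into a file or zip
# file credential. Only the first is benign.
SAMPLE_FILE_NAMES = [
    "secret.txt",
    "../../outside/notes.txt",     # classic traversal
    "/etc/hosts",                  # absolute path: os.path.join discards workdir
    "..\\..\\outside.txt",         # Windows-style separators
    "..",                          # bare parent reference
]


def escapes_workdir(workdir: str, file_name: str) -> bool:
    """Diagnose the vulnerable pattern: the name is joined verbatim.

    Returns True when the resulting path lies outside workdir. Note that
    os.path.join drops workdir entirely when file_name is absolute, and
    that backslashes only act as separators on Windows nodes, which is
    why the sanitizer below normalises both separator styles up front.
    """
    base = os.path.normpath(workdir)
    target = os.path.normpath(os.path.join(workdir, file_name))
    return os.path.commonpath([base, target]) != base


def sanitize_file_name(file_name: str) -> str:
    """Hardened form: keep only the final path component.

    Both separator styles are treated as separators, every directory
    part is dropped, and names with no usable component left (empty,
    '.', '..') or containing a NUL byte are rejected outright.
    """
    if "\x00" in file_name:
        raise ValueError("NUL byte in file name")
    name = PurePosixPath(file_name.replace("\\", "/")).name
    if name in ("", ".", ".."):
        raise ValueError(f"no usable file name in {file_name!r}")
    return name


def safe_target(workdir: str, file_name: str) -> str:
    """Build the on-node path from the sanitised name and re-check containment."""
    name = sanitize_file_name(file_name)
    if escapes_workdir(workdir, name):
        raise ValueError("sanitised name still escapes workdir")
    return os.path.join(workdir, name)


def audit_names(workdir: str, names) -> dict:
    """Return {name: sanitised name} for accepted inputs and {name: 'rejected'}
    for inputs the sanitizer refuses."""
    results = {}
    for name in names:
        try:
            results[name] = sanitize_file_name(name)
        except ValueError:
            results[name] = "rejected"
    return results


if __name__ == "__main__":
    workdir = "/var/jenkins/workspace/example-job"  # constructed
    for name in SAMPLE_FILE_NAMES:
        print(f"{name!r:28} verbatim join escapes workdir: {escapes_workdir(workdir, name)}")
    print(audit_names(workdir, SAMPLE_FILE_NAMES))
```

The sanitizer deliberately keeps the last component rather than rejecting the whole input, which mirrors the advisory's wording ("sanitizes the file name"); a stricter deployment can instead refuse any name containing a separator. The containment check in safe_target is redundant after sanitisation and exists so that a future change to the sanitizer cannot silently reopen the issue.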


Unsafe deserialization allows invoking parameterless constructors
in Matrix Authorization Strategy Plugin

SECURITY-3676 / CVE-2026-42521
Severity (CVSS): Medium
Affected plugin: matrix-auth
Description:

Matrix Authorization Strategy Plugin 2.0-beta-1 through 3.2.9
(both inclusive) invokes parameterless constructors of classes
specified in configuration when deserializing inheritance
strategies, without restricting the classes that can be
instantiated.

This can be abused by attackers with Item/Configure permission
to instantiate arbitrary types, which may lead to information
disclosure or other impacts depending on the classes available
on the classpath.

Matrix Authorization Strategy Plugin 3.2.10 verifies that the
class being instantiated is an inheritance strategy implementation,
preventing instantiation of arbitrary types.

This vulnerability has been reported through the Jenkins
Bug Bounty Program sponsored by the European Commission.


Missing permission check in GitHub Branch Source Plugin allows
performing a connection test

SECURITY-3702 / CVE-2026-42522
Severity (CVSS): Medium
Affected plugin: github-branch-source
Description:

GitHub Branch Source Plugin 1967.vdea_d580c1a_b_a_ and earlier
does not perform a permission check in a method implementing
form validation.

This allows attackers with Overall/Read permission to connect to
an attacker-specified URL with attacker-specified
GitHub App credentials.

GitHub Branch Source Plugin 1967.1969.v205fd594c821 requires
Overall/Manage permission to perform the connection test.

This vulnerability has been reported through the Jenkins
Bug Bounty Program sponsored by the European Commission.


XSS vulnerability in GitHub Plugin
SECURITY-3704 / CVE-2026-42523
Severity (CVSS): High
Affected plugin: github
Description:

GitHub Plugin 1.46.0 and earlier improperly processes the current
job URL as part of JavaScript implementing validation of the
feature "GitHub hook trigger for GITScm polling".

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by non-anonymous attackers with Overall/Read
permission.

GitHub Plugin 1.46.0.1 no longer processes the current job URL as
part of JavaScript implementing validation of the feature "GitHub
hook trigger for GITScm polling".

This vulnerability has been reported through the Jenkins
Bug Bounty Program sponsored by the European Commission.


XSS vulnerability in legacy wrapper file in HTML Publisher Plugin
SECURITY-3706 / CVE-2026-42524
Severity (CVSS): High
Affected plugin: htmlpublisher
Description:

HTML Publisher Plugin 427 and earlier does not escape job name and
URL in the legacy wrapper file.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers with Item/Configure permission.

HTML Publisher Plugin 427.1 escapes job name and URL when generating
the legacy wrapper file.

This fix only applies to newly generated wrappers.
On Jenkins 2.539 and newer, LTS 2.541.1 and newer, enforcing
Content Security Policy protection mitigates this vulnerability.

This vulnerability has been reported through the Jenkins Bug
Bounty Program sponsored by the European Commission.


Open redirect vulnerability in Microsoft Entra ID (previously Azure AD)
Plugin
SECURITY-3760 / CVE-2026-42525
Severity (CVSS): Medium
Affected plugin: azure-ad
Description:

Microsoft Entra ID (previously Azure AD) Plugin 666.v6060de32f87d and
earlier does not restrict the redirect URL after login.

This allows attackers to perform phishing attacks by having users go
to a Jenkins URL that will forward them to a different site after
successful authentication.

Microsoft Entra ID (previously Azure AD) Plugin 667.v4c5827a_e74a_0
only redirects to relative (Jenkins) URLs.
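"Only redirects to relative (Jenkins) URLs" is a short sentence that hides several edge cases: a scheme-relative "//host" target and the backslash variant "/\host" both start with "/" yet are treated as absolute by browsers. The Python example below is added here to show a post-login redirect check that handles those cases; it is not the Microsoft Entra ID plugin's own code (which is Java), and the sample targets and the fallback of "/" are constructed for the demonstration.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample "return to" values as they might arrive after login.
# Only the first two should be honoured.
SAMPLE_TARGETS = [
    "/",
    "/job/build-and-test/",
    "https://evil.example/login",   # absolute URL to another site
    "//evil.example/",              # scheme-relative: browsers treat it as absolute
    "/\\evil.example/",             # backslash variant some browsers normalise to //
    "javascript:void(0)",           # non-http scheme
    "",                             # missing
    "/job/x/\r\nX-Injected: 1",     # control characters in a Location header
]


def is_safe_relative_redirect(target: str) -> bool:
    """True only for a relative URL that stays on this Jenkins instance.

    Accepts a path that starts with a single '/', contains no backslash
    and no control characters, and that urlsplit() parses with neither a
    scheme nor a network location.
    """
    if not target.startswith("/"):
        return False
    if target.startswith("//") or "\\" in target:
        return False
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        return False
    parts = urlsplit(target)
    return not parts.scheme and not parts.netloc


def choose_redirect(requested: Optional[str], fallback: str = "/") -> str:
    """Return the requested target when it is safe, otherwise the fallback."""
    if requested is not None and is_safe_relative_redirect(requested):
        return requested
    return fallback


def classify(targets) -> dict:
    """Map each candidate target to the verdict of is_safe_relative_redirect."""
    return {t: is_safe_relative_redirect(t) for t in targets}


if __name__ == "__main__":
    for target, ok in classify(SAMPLE_TARGETS).items():
        print(f"{'allow ' if ok else 'reject'}  {target!r}")
```

Rejecting rather than "fixing" a bad target keeps the check simple and auditable; the fallback is the instance root, so a rejected value degrades to a normal login rather than an error. If a deployment needs to honour absolute URLs, the comparison should be against the configured Jenkins root URL, never against the Host header of the request.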


Severity

    SECURITY-3662: Medium
    SECURITY-3672: High
    SECURITY-3676: Medium
    SECURITY-3702: Medium
    SECURITY-3704: High
    SECURITY-3706: High
    SECURITY-3760: Medium


Affected Versions

    Credentials Binding Plugin up to and including 719.v80e905ef14eb_
    GitHub Plugin up to and including 1.46.0
    GitHub Branch Source Plugin up to and including 1967.vdea_d580c1a_b_a_
    HTML Publisher Plugin up to and including 427
    Matrix Authorization Strategy Plugin up to and including 3.2.9
    Microsoft Entra ID (previously Azure AD) Plugin up to and including 666.v6060de32f87d
    Script Security Plugin up to and including 1399.ve6a_66547f6e1

Fix

    Credentials Binding Plugin should be updated to version 720.v3f6decef43ea_
    GitHub Plugin should be updated to version 1.46.0.1
    GitHub Branch Source Plugin should be updated to version 1967.1969.v205fd594c821
    HTML Publisher Plugin should be updated to version 427.1
    Matrix Authorization Strategy Plugin should be updated to version 3.2.10
    Microsoft Entra ID (previously Azure AD) Plugin should be updated to version 667.v4c5827a_e74a_0
    Script Security Plugin should be updated to version 1402.v94c9ce464861

These versions include fixes to the vulnerabilities described
above. All prior versions are considered to be affected by
these vulnerabilities unless otherwise indicated.
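A practical way to act on the Affected Versions and Fix tables is to compare the installed plugin list against the fixed versions. The Python example below is added for that purpose and is not part of the advisory or of Jenkins itself. It reads the JSON shape that the Jenkins remote API returns from /pluginManager/api/json?depth=1 (a plugins array with shortName and version fields); the plugin list it contains is constructed, and the fixed versions are copied from the Fix section above. It assumes, as a simplification, that comparing the leading dot-separated integer segments of a version string (everything before the "v<hash>" segment of incremental versions) is enough to order the versions in this advisory, which holds for every pair listed here.

```python
import json

# Fixed versions from the advisory's Fix section, keyed by the short name
# used in each "Affected plugin" line.
FIXED_VERSIONS = {
    "credentials-binding": "720.v3f6decef43ea_",
    "github": "1.46.0.1",
    "github-branch-source": "1967.1969.v205fd594c821",
    "htmlpublisher": "427.1",
    "matrix-auth": "3.2.10",
    "azure-ad": "667.v4c5827a_e74a_0",
    "script-security": "1402.v94c9ce464861",
}

# Constructed sample in the shape of /pluginManager/api/json?depth=1,
# trimmed to the two fields used here.
SAMPLE_PLUGIN_LIST = json.dumps({
    "plugins": [
        {"shortName": "credentials-binding", "version": "719.v80e905ef14eb_"},
        {"shortName": "github", "version": "1.46.0.1"},
        {"shortName": "github-branch-source", "version": "1967.vdea_d580c1a_b_a_"},
        {"shortName": "htmlpublisher", "version": "427"},
        {"shortName": "matrix-auth", "version": "3.2.9"},
        {"shortName": "script-security", "version": "1402.v94c9ce464861"},
        {"shortName": "example-unrelated-plugin", "version": "1.0"},  # placeholder
    ]
})


def numeric_prefix(version: str) -> tuple:
    """Leading dot-separated integer segments of a plugin version.

    Parsing stops at the first non-numeric segment, so
    '1967.1969.v205fd594c821' -> (1967, 1969) and '427' -> (427,).
    """
    parts = []
    for segment in version.split("."):
        if not segment.isdigit():
            break
        parts.append(int(segment))
    return tuple(parts)


def is_vulnerable(installed: str, fixed: str) -> bool:
    """True when the installed version sorts before the fixed version.

    Tuple comparison gives the needed ordering: (1967,) < (1967, 1969)
    and (3, 2, 9) < (3, 2, 10). Raises ValueError for an unparseable
    installed version rather than silently calling it fixed.
    """
    have, need = numeric_prefix(installed), numeric_prefix(fixed)
    if not have:
        raise ValueError(f"cannot parse version {installed!r}")
    return have < need


def audit_plugins(plugin_list_json: str) -> dict:
    """Return {shortName: 'vulnerable' | 'fixed' | 'unparseable'} for each
    installed plugin that the advisory names; other plugins are skipped."""
    findings = {}
    for plugin in json.loads(plugin_list_json)["plugins"]:
        fixed = FIXED_VERSIONS.get(plugin["shortName"])
        if fixed is None:
            continue
        try:
            status = "vulnerable" if is_vulnerable(plugin["version"], fixed) else "fixed"
        except ValueError:
            status = "unparseable"
        findings[plugin["shortName"]] = status
    return findings


if __name__ == "__main__":
    for short_name, status in sorted(audit_plugins(SAMPLE_PLUGIN_LIST).items()):
        print(f"{status:12} {short_name}  (fixed in {FIXED_VERSIONS[short_name]})")
```

Two caveats follow from the advisory text itself: an "unparseable" result needs a manual look rather than being treated as fixed, and for HTML Publisher Plugin a version check alone is not sufficient, because the fix only applies to newly generated wrapper files.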


Credit

The Jenkins project would like to thank the reporters for
discovering and reporting these vulnerabilities:

    Ap4sh - Samy Medjahed for SECURITY-3662, SECURITY-3702
    Ap4sh - Samy Medjahed; and, independently, Dholland2022;
      and Muhamad Billy Sakti Baraja for SECURITY-3672
    Arafat Ul Islam (elaichix), Cybersecurity Researcher,
      IUBAT, Bangladesh for SECURITY-3676
    dqh1 for SECURITY-3704
    dyingman1 (https://github.com/dyingman1, redpoc Offensive
      Security Team) for SECURITY-3760

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================