=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN554
_____________________________________________________________________

DATE                : 28/05/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Active Directory Plugin for Jenkins;
                     AppSpider Plugin for Jenkins;
                     Bitbucket OAuth Plugin for Jenkins;
                     buildgraph-view Plugin for Jenkins;
                     Credentials Binding Plugin for Jenkins;
                     Email Extension Plugin for Jenkins;
                     GitHub Integration Plugin for Jenkins;
                     Job Import Plugin for Jenkins;
                     LDAP Plugin for Jenkins;
                     Multijob Plugin for Jenkins;
                     Pipeline: Groovy Libraries Plugin for Jenkins.

=====================================================================
https://www.jenkins.io/security/advisory/2026-05-27/
_____________________________________________________________________

Jenkins Security Advisory 2026-05-27

This advisory announces vulnerabilities in the following Jenkins
deliverables:

    Active Directory Plugin
    AppSpider Plugin
    Bitbucket OAuth Plugin
    buildgraph-view Plugin
    Credentials Binding Plugin
    Email Extension Plugin
    GitHub Integration Plugin
    Job Import Plugin
    LDAP Plugin
    Multijob Plugin
    Pipeline: Groovy Libraries Plugin


Descriptions

RCE vulnerability from unvalidated LDAP referrals in LDAP Plugin
SECURITY-3654 / CVE-2026-48916 (SSRF), CVE-2026-48917
(deserialization)
Severity (CVSS): Medium
Affected plugin: ldap
Description:

LDAP Plugin 807.v7d7de30930cf and earlier follows LDAP referrals from
the configured LDAP server. These can forward to an RMI URL that
causes Jenkins to deserialize attacker-controlled data, resulting in
Remote Code Execution (RCE) on the Jenkins controller if
deserialization "gadgets" are available on the classpath.

This allows attackers able to control the configured LDAP server, or
able to perform a machine-in-the-middle attack, to execute code on
the Jenkins controller.

LDAP Plugin 807.809.vd3a_4e5e4ec98 no longer follows LDAP referrals.


RCE vulnerability from unvalidated LDAP referrals in Active Directory Plugin
SECURITY-3659 / CVE-2026-48918 (SSRF), CVE-2026-48919 (deserialization)
Severity (CVSS): Medium
Affected plugin: active-directory
Description:

Active Directory Plugin 2.41 and earlier follows LDAP referrals from
the configured Active Directory server by default. These can forward
to an RMI URL that causes Jenkins to deserialize attacker-controlled
data, resulting in Remote Code Execution (RCE) on the Jenkins
controller if deserialization "gadgets" are available on the
classpath.

This allows attackers able to control the configured Active Directory
server, or able to perform a machine-in-the-middle attack, to execute
code on the Jenkins controller.

Active Directory Plugin 2.41.1 no longer follows LDAP referrals by
default.

Administrators unable to update to a fixed version can start Jenkins
with the Java system property
hudson.plugins.active_directory.referral.ignore set to true to
mitigate the vulnerability.

Administrators of Jenkins controllers requiring following LDAP
referrals can set the Java system property
hudson.plugins.active_directory.referral.ignore to false to
restore the previous behavior.


Arbitrary file read vulnerability in Email Extension Plugin
SECURITY-3705 / CVE-2026-48920
Severity (CVSS): High
Affected plugin: email-ext
Description:

Email Extension Plugin 1933.v45cec755423f and earlier includes
a feature that allows inlining images as base64 in email content
by setting the data-inline attribute. No restrictions are placed
on the image URLs that can be inlined.

This allows attackers able to control the email content to
specify file: URLs for images to read arbitrary files from the
Jenkins controller filesystem.

The feature allowing inlining images as base64 in email content
by setting the data-inline attribute is removed from Email
Extension Plugin 1933.1935.v276319e3cc47.
Users relying on this feature are encouraged to explain their use case
in the issue tracker for a possible return of this feature, with proper
restrictions.

This vulnerability has been reported through the Jenkins Bug Bounty
Program sponsored by the European Commission.


Arbitrary file read vulnerability through symbolic links in
Pipeline: Groovy Libraries Plugin
SECURITY-3727 / CVE-2026-48921
Severity (CVSS): High
Affected plugin: pipeline-groovy-lib
Description:

Pipeline: Groovy Libraries Plugin 797.v90ea_a_9b_e45a_0 and
earlier does not prohibit symbolic links in shared libraries.

This allows attackers able to control the content of a
library used by a Pipeline job to read arbitrary files on
the Jenkins controller filesystem.

Pipeline: Groovy Libraries Plugin 798.v5cc688825312 prohibits
symbolic links in shared libraries.

This vulnerability has been reported through the Jenkins Bug Bounty
Program sponsored by the European Commission.


Path traversal vulnerability in Credentials Binding Plugin
SECURITY-3790 / CVE-2026-48922
Severity (CVSS): High
Affected plugin: credentials-binding
Description:

Credentials Binding Plugin 720.v3f6decef43ea_ and earlier does
not properly sanitize file names for file and zip file
credentials.

This allows attackers able to provide credentials to a job to
write files to arbitrary locations on the node filesystem. If
Jenkins is configured to allow a low-privileged user to
configure file or zip file credentials used for a job running
on the built-in node, this can lead to remote code execution.

Credentials Binding Plugin 725.ve52b_2328a_fde improves
sanitization of the file name provided for file and zip file
credentials, preventing path traversal.

This issue is due to an incomplete fix of SECURITY-3672.
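The advisory describes the fix only as improved sanitization of the supplied file name. As an added illustration (not the plugin's own code), the following Python shows the containment check a defender would expect for both file and zip-file credentials, including the zip entry names that make "zip slip" possible; the directory and entry names are constructed.

```python
# Added illustration, not Credentials Binding Plugin code; names are constructed.
import os
import zipfile
from io import BytesIO

class PathEscape(ValueError):
    """A credential-supplied name would land outside the target directory."""

def safe_target_path(base_dir: str, file_name: str) -> str:
    """Resolve file_name under base_dir; raise PathEscape if it escapes."""
    if not file_name or file_name != file_name.strip():
        raise PathEscape("empty or whitespace-padded file name")
    normalised = file_name.replace("\\", "/")
    # Absolute POSIX paths and Windows drive letters are never acceptable.
    if normalised.startswith("/") or ":" in normalised:
        raise PathEscape(f"absolute or drive-qualified name: {file_name!r}")
    base_real = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base_real, normalised))
    # After '..' and symlinks resolve, the result must be a strict descendant;
    # commonpath avoids the startswith("/tmp/creds") vs "/tmp/creds-x" trap.
    if candidate == base_real or os.path.commonpath([base_real, candidate]) != base_real:
        raise PathEscape(f"path traversal in file name: {file_name!r}")
    return candidate

def is_safe_name(base_dir: str, file_name: str) -> bool:
    """Boolean form of safe_target_path, handy for audits."""
    try:
        safe_target_path(base_dir, file_name)
        return True
    except PathEscape:
        return False

def vet_zip_entries(zip_bytes: bytes, base_dir: str) -> tuple:
    """Check every zip entry before extracting anything; returns (accepted, rejected)."""
    accepted, rejected = [], []
    with zipfile.ZipFile(BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            (accepted if is_safe_name(base_dir, info.filename) else rejected).append(info.filename)
    return accepted, rejected

def make_sample_zip(entries: dict) -> bytes:
    """Build an in-memory zip from {name: bytes} (constructed test input)."""
    buf = BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()
```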


Missing permission check in AppSpider Plugin allows sending
requests
SECURITY-3671 / CVE-2026-48923
Severity (CVSS): Medium
Affected plugin: jenkinsci-appspider-plugin
Description:

AppSpider Plugin 1.0.17 and earlier does not perform a
permission check in a method implementing form validation.

This allows attackers with Overall/Read permission to
connect to an attacker-specified URL.

AppSpider Plugin 1.0.18 requires Overall/Administer permission
to use the affected method implementing form validation.


Open redirect vulnerability in Bitbucket OAuth Plugin
SECURITY-3761 / CVE-2026-48924
Severity (CVSS): Medium
Affected plugin: bitbucket-oauth
Description:

Bitbucket OAuth Plugin 0.17 and earlier does not restrict the
redirect URL after login.

This allows attackers to perform phishing attacks by having
users go to a Jenkins URL that will forward them to a
different site after successful authentication.

Bitbucket OAuth Plugin 0.18 only redirects to relative
(Jenkins) URLs.
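For the Bitbucket OAuth fix, "only redirects to relative (Jenkins) URLs" hides a few parser edge cases. This added Python example (not the plugin's code) shows one way to validate a post-login redirect target, including protocol-relative and backslash variants; the URLs are constructed samples.

```python
# Added illustration, not Bitbucket OAuth Plugin code; sample URLs are constructed.
from urllib.parse import urlsplit

def is_local_redirect(target: str) -> bool:
    """True only for a root-relative path such as /job/example/?x=1#top."""
    if not target:
        return False
    # Whitespace and control characters are a classic way to confuse parsers.
    if any(ord(ch) <= 0x20 or ord(ch) == 0x7F for ch in target):
        return False
    # Browsers treat a backslash like a slash, so "/\host" means "//host".
    normalised = target.replace("\\", "/")
    # A scheme ("https:", "javascript:") or an authority ("//host") means
    # the URL can leave this Jenkins instance.
    parts = urlsplit(normalised)
    if parts.scheme or parts.netloc:
        return False
    # Must start with exactly one slash; "///host" parses with an empty
    # authority but some clients still read it as protocol-relative.
    return normalised.startswith("/") and not normalised.startswith("//")

def redirect_after_login(requested: str, fallback: str = "/") -> str:
    """Use the requested target only when it is local; otherwise fall back."""
    return requested if is_local_redirect(requested) else fallback
```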


CSRF vulnerability in GitHub Integration Plugin
SECURITY-3776 / CVE-2026-48925
Severity (CVSS): Medium
Affected plugin: github-pullrequest
Description:

GitHub Integration Plugin 0.7.3 and earlier does not require
POST requests for an HTTP endpoint, resulting in a cross-site
request forgery (CSRF) vulnerability.

This vulnerability allows attackers to trigger a build for a
pull request.

GitHub Integration Plugin 0.7.4 requires POST requests for
the affected HTTP endpoint.


CSRF vulnerability in Multijob Plugin allows resuming builds
SECURITY-3781 / CVE-2026-9674
Severity (CVSS): Medium
Affected plugin: jenkins-multijob-plugin
Description:

Multijob Plugin 662.vd2e0001f6b_b_d and earlier does not require
POST requests for an HTTP endpoint, resulting in a cross-site
request forgery (CSRF) vulnerability.

This vulnerability allows attackers to resume failed Multijob
builds.

Multijob Plugin 669.v9d96a_d9c71b_0 requires POST requests
for the affected HTTP endpoint.


Missing permission check in Job Import Plugin allows enumerating
credentials IDs
SECURITY-3783 / CVE-2026-48926
Severity (CVSS): Medium
Affected plugin: job-import-plugin
Description:

Job Import Plugin 143.v044a_2e819b_27 and earlier does not
perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to enumerate
credentials IDs of credentials stored in Jenkins. Those can be
used as part of an attack to capture the credentials using
another vulnerability.

An enumeration of credentials IDs in Job Import Plugin
143.145.v48f9a_a_6ff384 requires Job Import/Import Jobs
permission.

This is due to an incomplete fix of SECURITY-2791.


Stored XSS vulnerability in buildgraph-view Plugin
SECURITY-3486 / CVE-2026-48927
Severity (CVSS): High
Affected plugin: buildgraph-view
Description:

buildgraph-view Plugin 1.8 and earlier does not escape the
build URL.

This results in a stored cross-site scripting (XSS)
vulnerability exploitable by attackers able to configure
jobs or views.

As of publication of this advisory, there is no fix. Learn
why we announce this.

Severity

    SECURITY-3486: High
    SECURITY-3654: Medium
    SECURITY-3659: Medium
    SECURITY-3671: Medium
    SECURITY-3705: High
    SECURITY-3727: High
    SECURITY-3761: Medium
    SECURITY-3776: Medium
    SECURITY-3781: Medium
    SECURITY-3783: Medium
    SECURITY-3790: High

Affected Versions

    Active Directory Plugin up to and including 2.41
    AppSpider Plugin up to and including 1.0.17
    Bitbucket OAuth Plugin up to and including 0.17
    buildgraph-view Plugin up to and including 1.8
    Credentials Binding Plugin up to and including 720.v3f6decef43ea_
    Email Extension Plugin up to and including 1933.v45cec755423f
    GitHub Integration Plugin up to and including 0.7.3
    Job Import Plugin up to and including 143.v044a_2e819b_27
    LDAP Plugin up to and including 807.v7d7de30930cf
    Multijob Plugin up to and including 662.vd2e0001f6b_b_d
    Pipeline: Groovy Libraries Plugin up to and including 797.v90ea_a_9b_e45a_0

Fix

    Active Directory Plugin should be updated to version 2.41.1
    AppSpider Plugin should be updated to version 1.0.18
    Bitbucket OAuth Plugin should be updated to version 0.18
    Credentials Binding Plugin should be updated to version 725.ve52b_2328a_fde
    Email Extension Plugin should be updated to version 1933.1935.v276319e3cc47
    GitHub Integration Plugin should be updated to version 0.7.4
    Job Import Plugin should be updated to version 143.145.v48f9a_a_6ff384
    LDAP Plugin should be updated to version 807.809.vd3a_4e5e4ec98
    Multijob Plugin should be updated to version 669.v9d96a_d9c71b_0
    Pipeline: Groovy Libraries Plugin should be updated to version 798.v5cc688825312

These versions include fixes to the vulnerabilities described
above. All prior versions are considered to be affected by these
vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for
the following plugins:

    buildgraph-view Plugin

Learn why we announce these issues.
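To turn the lists above into an actionable check, the following added Python (not Jenkins project code) compares an installed-plugin inventory against the affected and fixed versions listed in this advisory, treating the "v<hash>" suffix of incremental versions as carrying no ordering; the inventory is a constructed sample.

```python
# Added audit helper, not Jenkins project code: checks an installed-plugin
# inventory against this advisory's affected and fixed versions.
AFFECTED_UP_TO = {  # plugin id -> last affected version listed above
    "active-directory": "2.41", "jenkinsci-appspider-plugin": "1.0.17",
    "bitbucket-oauth": "0.17", "buildgraph-view": "1.8",
    "credentials-binding": "720.v3f6decef43ea_",
    "email-ext": "1933.v45cec755423f", "github-pullrequest": "0.7.3",
    "job-import-plugin": "143.v044a_2e819b_27", "ldap": "807.v7d7de30930cf",
    "jenkins-multijob-plugin": "662.vd2e0001f6b_b_d",
    "pipeline-groovy-lib": "797.v90ea_a_9b_e45a_0",
}
FIXED = {  # plugin id -> fixed version; buildgraph-view has none yet
    "active-directory": "2.41.1", "jenkinsci-appspider-plugin": "1.0.18",
    "bitbucket-oauth": "0.18", "credentials-binding": "725.ve52b_2328a_fde",
    "email-ext": "1933.1935.v276319e3cc47", "github-pullrequest": "0.7.4",
    "job-import-plugin": "143.145.v48f9a_a_6ff384",
    "ldap": "807.809.vd3a_4e5e4ec98",
    "jenkins-multijob-plugin": "669.v9d96a_d9c71b_0",
    "pipeline-groovy-lib": "798.v5cc688825312",
}

def version_key(version: str) -> tuple:
    """Leading numeric components of a Jenkins plugin version. Incremental
    releases end in a 'v<hash>' component (807.809.vd3a_4e5e4ec98) that
    carries no ordering information, so parsing stops there."""
    parts = []
    for component in version.split("."):
        if not component.isdigit():
            break
        parts.append(int(component))
    if not parts:
        raise ValueError(f"unparseable plugin version: {version!r}")
    return tuple(parts)

def is_affected(plugin: str, installed: str) -> bool:
    """Anything below the fix is affected ("all prior versions"); where no
    fix exists, anything up to and including the listed ceiling is."""
    if plugin not in AFFECTED_UP_TO:
        return False
    if plugin in FIXED:
        return version_key(installed) < version_key(FIXED[plugin])
    return version_key(installed) <= version_key(AFFECTED_UP_TO[plugin])

def audit(installed: dict) -> dict:
    """Return {plugin: fix version or None} for each affected install."""
    return {p: FIXED.get(p) for p, v in installed.items() if is_affected(p, v)}

# Constructed inventory standing in for a controller's installed plugins.
SAMPLE_INVENTORY = {"ldap": "807.v7d7de30930cf", "buildgraph-view": "1.8",
                    "credentials-binding": "725.ve52b_2328a_fde", "example-plugin": "1.0"}
```

Running `audit(SAMPLE_INVENTORY)` flags ldap with its fix version and buildgraph-view with `None`, while the already-updated credentials-binding install is left alone.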


Credit

The Jenkins project would like to thank the reporters for discovering
and reporting these vulnerabilities:

    Icare (https://x.com/Icare1337) & truff (https://x.com/truffzor);
    and, independently, Arad Inbar, Erez Cohen, Nir Somech, Ben Grinberg,
    Daniel Lubel, Adiel Sol from DREAM for SECURITY-3654
    Mitchell Benjamin, Revamp Studio, and, independently, Qianheng Wang
    for SECURITY-3790
    Olawale Titiloye (https://www.linkedin.com/in/olawale-t-02673a18a/);
    and, independently, Samy Medjahed (Ap4sh) & Eliott Laurie (Ethicxz);
    and @surrealgrain on GitHub for SECURITY-3727
    Tommaso Gregori (p1s1o) for SECURITY-3671
    Yaroslav Afenkin for SECURITY-3486
    dyingman1 (https://github.com/dyingman1, redpoc Offensive Security
    Team) for SECURITY-3761, SECURITY-3776, SECURITY-3781, SECURITY-3783

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================