=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN615
_____________________________________________________________________

DATE                : 11/06/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Jenkins (core) versions prior
                          to weekly 2.568, LTS 2.555.3.

=====================================================================
https://www.jenkins.io/security/advisory/2026-06-10/
_____________________________________________________________________

 Jenkins Security Advisory 2026-06-10

This advisory announces vulnerabilities in the following Jenkins
deliverables:

    Jenkins (core)

Descriptions
Deserialization vulnerability
SECURITY-3707 / CVE-2026-53435
Severity (CVSS): High


Description:

Jenkins uses serialization and deserialization in multiple places,
like agent/controller communication (the Remoting library) and to
load and save configuration and build data (using XStream). To
protect from common deserialization vulnerabilities, Jenkins uses
a custom deserialization filter that only allows deserialization
of types defined in Jenkins core or plugins, or explicitly allowed
types (JEP-200). These vulnerabilities generally rely on behavior
defined in #readResolve methods that are executed during
deserialization.

Jenkins uses the Stapler web framework for HTTP request handling.
Stapler’s basic premise is that it uses reflective access to code
elements matching its naming conventions. Since 2018, Jenkins
limits request routing to only types defined in Jenkins core or
plugins, and can only access fields and methods that have (return)
types, parameters, or annotations related to HTTP request handling.

In Jenkins 2.567 and earlier, LTS 2.555.2 and earlier, it is possible
for attackers to have Jenkins deserialize arbitrary types defined in
Jenkins core or plugins from an attacker-controlled config.xml
submission in a way that allows them to handle HTTP requests
afterwards. To do this, attackers need to have Overall/Read
permission, and at least one of the following:

    a user account (i.e., cannot be anonymous)

    any set of permissions allowing them to POST config.xml (e.g.,
Item/Configure, View/Configure, Agent/Configure).

This vulnerability can be exploited in multiple ways:

    Attackers can impersonate any user and send HTTP requests on
their behalf, up to and including use of the Script Console to
run arbitrary code.

    Attackers can read arbitrary files from the Jenkins controller
(see Reading Files).

There are likely other ways to exploit this vulnerability, and the
above list is not exhaustive.

Jenkins 2.568, LTS 2.555.3 restricts the types allowed in the
affected deserialization to expected types.

    This vulnerability has been reported through the Jenkins
    Bug Bounty Program sponsored by the European Commission.


Open redirect vulnerability
SECURITY-3711+3755 / CVE-2026-53436 (leading period), CVE-2026-53437
(tab or newline characters)
Severity (CVSS): Medium

Description:

Jenkins 2.567 and earlier, LTS 2.555.2 and earlier improperly
determines whether a URL is safe to redirect to in the default
login flow:

    A URL containing relative path segments (./ or ../) is
validated before the servlet container collapses those segments
into a protocol-relative URL starting with //, which browsers
interpret as a scheme-relative URL, allowing redirection to an
attacker-controlled domain (SECURITY-3711 / CVE-2026-53436).

    Tab or newline characters are not ignored when checking for
the presence of // at the start of the URL, allowing redirection
to an attacker-controlled domain by including a tab or newline
between // (SECURITY-3755 / CVE-2026-53437).

Jenkins 2.568, LTS 2.555.3 strips tab and newline characters
before validation and rejects URLs containing // anywhere.

    SECURITY-3711 has been reported through the Jenkins
    Bug Bounty Program sponsored by the European Commission.
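
As an added illustration (not Jenkins code), the following Python models the two checks contrasted above: a pre-fix check that only looks at the start of the raw string, and a hardened check that strips tab and newline characters and rejects "//" anywhere. The servlet-container normalisation is a deliberately minimal model, and the test inputs are constructed.

```python
import re
from urllib.parse import urlsplit


def strip_tab_newline(url: str) -> str:
    """Browsers ignore ASCII tab and newline inside URLs; the fix applies
    the same stripping before validating."""
    return re.sub(r"[\t\r\n]", "", url)


def weak_is_safe_redirect(url: str) -> bool:
    """Pre-fix style check (assumed shape): accept a path that starts with
    a single '/' and does not start with '//' on the raw, unstripped string."""
    return url.startswith("/") and not url.startswith("//")


def container_normalize(path: str) -> str:
    """Minimal model (not a real servlet container) of normalisation that
    runs after the check: '.' and '..' segments are collapsed, but the empty
    segment left behind survives, so '/a/..//x' and '/.//x' become '//x'."""
    kept = []
    for seg in path.split("/")[1:]:
        if seg == ".":
            continue
        if seg == "..":
            if kept:
                kept.pop()
            continue
        kept.append(seg)
    return "/" + "/".join(kept)


def hardened_is_safe_redirect(url: str) -> bool:
    """Check modelled on the fix described in the advisory: strip tab and
    newline first, reject '//' anywhere, and only accept a plain
    server-relative path (no scheme, no host)."""
    cleaned = strip_tab_newline(url)
    if "//" in cleaned or not cleaned.startswith("/"):
        return False
    parts = urlsplit(cleaned)
    return parts.scheme == "" and parts.netloc == ""


def bypasses_weak_check(url: str) -> bool:
    """True when the pre-fix check accepts a URL that, as a browser sees it
    after container normalisation, is scheme-relative (another host)."""
    normalized = container_normalize(strip_tab_newline(url))
    return weak_is_safe_redirect(url) and normalized.startswith("//")


# Constructed inputs: expected verdict of the hardened check.
CASES = {
    "/job/example/": True,          # ordinary server-relative path
    "//evil.example/": False,       # scheme-relative, both checks reject
    "/\t/evil.example/": False,     # tab between the slashes (SECURITY-3755)
    "/a/..//evil.example/": False,  # collapses to //evil.example/ (SECURITY-3711)
}
```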


Missing permission check allows canceling queue items
SECURITY-3712 / CVE-2026-53438
Severity (CVSS): Medium

Description:

Jenkins 2.567 and earlier, LTS 2.555.2 and earlier does not
perform an Item/Read permission check in an HTTP endpoint.

This allows attackers with Item/Cancel permission, but lacking
Item/Read permission, to cancel queue items they do not have
permission to view.

    This is due to an incomplete fix of SECURITY-2278 in
    the 2021-06-30 security advisory.

Jenkins 2.568, LTS 2.555.3 performs an Item/Read permission
check in the affected endpoint.

    This vulnerability has been reported through the Jenkins
    Bug Bounty Program sponsored by the European Commission.

Missing permission checks allow obtaining limited user profile
information
SECURITY-3713 / CVE-2026-53439
Severity (CVSS): Medium

Description:

Jenkins 2.567 and earlier, LTS 2.555.2 and earlier does not
perform permission checks in HTTP endpoints.

This allows attackers with Overall/Read permission to determine
other users' configured timezone and to enumerate view names
of other users' "My Views".

Jenkins 2.568, LTS 2.555.3 performs permission checks in the
affected endpoints.

    This vulnerability has been reported through the Jenkins
    Bug Bounty Program sponsored by the European Commission.


Open redirect vulnerability in "Delegate to servlet container"
security realm
SECURITY-3721 / CVE-2026-53440
Severity (CVSS): Medium

Description:

Jenkins 2.567 and earlier, LTS 2.555.2 and earlier does not
ensure that the "from" parameter in the "Delegate to servlet
container" security realm is safe to redirect to after login.

This allows attackers to perform phishing attacks by redirecting
users to an attacker-controlled domain.

Jenkins 2.568, LTS 2.555.3 ensures that the "from" parameter
in the "Delegate to servlet container" security realm is safe
to redirect to after login.


Stored XSS vulnerability in node offline cause description
SECURITY-3731 / CVE-2026-53441
Severity (CVSS): High

Description:

Since Jenkins 2.483, the description of the reason why a node
is offline (the "offline cause") is defined as containing HTML
and rendered as such.

Jenkins 2.567 and earlier, LTS 2.555.2 and earlier does not
escape the user-provided description of a generic offline cause
that could be set through the POST config.xml API.

This results in a stored cross-site scripting (XSS)
vulnerability exploitable by attackers with Agent/Configure
permission.

Jenkins 2.568, LTS 2.555.3 redefines all offline cause
descriptions rendered through the default UI as plain text.

    On Jenkins 2.539 and newer, LTS 2.541.1 and newer,
    enforcing Content Security Policy protection mitigates this
    vulnerability.

    This vulnerability is due to an incomplete fix of
    SECURITY-3669 in the 2026-02-18 security advisory.


Plaintext secrets persisted and served by config.xml endpoints
SECURITY-3744 / CVE-2026-53442
Severity (CVSS): Medium

Description:

In Jenkins 2.567 and earlier, LTS 2.555.2 and earlier, POST
config.xml submissions are written to disk as-is once their
content can be successfully deserialized, while GET config.xml
responses are served directly from those files. As a result,
plaintext secrets in a POST config.xml submission persist on
disk and reappear in subsequent GET config.xml responses,
exposing them to users with Item/Extended Read permission.

Jenkins 2.568, LTS 2.555.3 first confirms that the POST config.xml
submission can be loaded successfully, then serializes the item
to disk, so that secrets are encrypted.


Severity

    SECURITY-3707: High
    SECURITY-3711+3755: Medium
    SECURITY-3712: Medium
    SECURITY-3713: Medium
    SECURITY-3721: Medium
    SECURITY-3731: High
    SECURITY-3744: Medium

Affected Versions

    Jenkins weekly up to and including 2.567
    Jenkins LTS up to and including 2.555.2

Fix

    Jenkins weekly should be updated to version 2.568
    Jenkins LTS should be updated to version 2.555.3

These versions include fixes to the vulnerabilities described above.
All prior versions are considered to be affected by these
vulnerabilities unless otherwise indicated.
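
An added helper (not part of the advisory or of Jenkins) that decides from the version a controller reports whether it falls in the affected ranges above. It assumes the version string comes from the X-Jenkins response header, that LTS versions have three components and weekly versions two, and uses a constructed response for the sample.

```python
import re

# Fixed versions from the Jenkins Security Advisory 2026-06-10.
FIXED_WEEKLY = (2, 568)
FIXED_LTS = (2, 555, 3)


def parse_jenkins_version(value: str) -> tuple:
    """Turn '2.555.2' or '2.567' into a tuple of ints; a trailing suffix
    such as '-SNAPSHOT' is ignored. Raises ValueError on junk."""
    m = re.match(r"^\s*(\d+(?:\.\d+)*)", value)
    if not m:
        raise ValueError(f"not a Jenkins version: {value!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_lts(version: tuple) -> bool:
    """Assumption: LTS releases carry three components (2.555.3),
    weekly releases two (2.568)."""
    return len(version) == 3


def is_affected(value: str) -> bool:
    """True when the reported version predates the fix for its line.
    Every earlier version is treated as affected, as the advisory states."""
    version = parse_jenkins_version(value)
    fixed = FIXED_LTS if is_lts(version) else FIXED_WEEKLY
    return version < fixed


def version_from_response_headers(raw: str):
    """Extract the X-Jenkins header value from raw response header text."""
    for line in raw.splitlines():
        name, sep, val = line.partition(":")
        if sep and name.strip().lower() == "x-jenkins":
            return val.strip()
    return None


# Constructed sample of a controller's response headers (not a real host).
SAMPLE_HEADERS = """\
HTTP/1.1 403 Forbidden
X-Jenkins: 2.555.2
X-Jenkins-Session: 0123abcd
Content-Type: text/html;charset=utf-8
"""

if __name__ == "__main__":
    reported = version_from_response_headers(SAMPLE_HEADERS)
    print(reported, "affected" if is_affected(reported) else "fixed")
```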


Credit

The Jenkins project would like to thank the reporters for discovering
and reporting these vulnerabilities:

    An anonymous reporter (SECURITY-3711); Fushuling@secsys from
Fudan University and RacerZ@secsys from Fudan University; and,
independently, Michael Blunt (SECURITY-3755) for SECURITY-3711+3755
    Kartik T Nair (@k0w4lzk1) from Team bi0s for SECURITY-3721
    dqh1 for SECURITY-3707
    quannn and vstxckr for SECURITY-3744
    sam91281 for SECURITY-3713
    sam91281; and, independently, Aries441 for SECURITY-3712
    wooseokdotkim for SECURITY-3731


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================