
=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN669
_____________________________________________________________________

DATE                : 24/06/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running plugins for Jenkins.
 
=====================================================================
https://www.jenkins.io/security/advisory/2026-06-24/
_____________________________________________________________________

 Jenkins Security Advisory 2026-06-24

This advisory announces vulnerabilities in the following Jenkins
deliverables:

    Active Directory Plugin
    Assembla Plugin
    Bitbucket Push and Pull Request Plugin
    Contrast Continuous Application Security Plugin
    EC2 Fleet Plugin
    External Workspace Manager Plugin
    FitNesse Plugin
    Git client Plugin
    Git Parameter Plugin
    Gitee Plugin
    GitHub Branch Source Plugin
    Job Configuration History Plugin
    MCP Server Plugin
    OWASP ZAP Plugin
    Pipeline: Groovy Plugin
    Priority Sorter Plugin
    Script Security Plugin
    Zowe zDevOps Plugin

Descriptions


Sandbox bypass vulnerability in Script Security Plugin
SECURITY-3792 / CVE-2026-57280
Severity (CVSS): High
Affected plugin: script-security
Description:

Script Security Plugin provides a sandbox feature that allows running
user-provided scripts safely by intercepting and checking potentially
unsafe operations.

Script Security Plugin 1402.v94c9ce464861 and earlier does not
intercept the implicit type cast applied to each element of the
iterated collection in a typed for loop (e.g. for (Type t in
collection)), as this cast is performed during bytecode
generation rather than in the transformed script AST.

This allows attackers able to provide sandboxed scripts to invoke
constructors of arbitrary types without those invocations being
checked by the sandbox, bypassing the sandbox protection. This can be
used to execute arbitrary code on the Jenkins controller.

Script Security Plugin 1402.1405.vc96e74964250 updates the bundled
groovy-sandbox library to a version that intercepts the implicit type
cast applied to typed for loop elements, so those casts are checked
by the sandbox.


Script security bypass vulnerability in Script Security Plugin
SECURITY-3793 / CVE-2026-57281
Severity (CVSS): High
Affected plugin: script-security
Description:

Script Security Plugin 1402.v94c9ce464861 and earlier does not reject
Groovy AST transformation annotations such as @CompileStatic and
@TypeChecked that carry an extensions member, which causes Groovy to
load and execute a script from the classpath at compile time, before
the sandbox is applied.

This may allow attackers able to define and run sandboxed scripts to
execute code outside the sandbox, in the rare case that a suitable
Groovy script is present on the classpath of the component that
evaluates the script.

The Jenkins security team has been unable to identify any
Groovy source files in Jenkins core or plugins that would allow
attackers to execute dangerous code. While the severity of this
issue is declared as High due to the potential impact, successful
exploitation is considered very unlikely.

Script Security Plugin 1402.1405.vc96e74964250 rejects any
annotation carrying an extensions member during sandbox compilation,
before Groovy can resolve or execute the referenced script.

OS command injection vulnerability on agents in Git client
Plugin
SECURITY-3723 / CVE-2026-57282
Severity (CVSS): Medium
Affected plugin: git-client
Description:

Git client Plugin 6.6.0 and earlier does not correctly escape the
workspace directory name when it is embedded into the SSH wrapper
script generated by the "Manually provided keys" Git Host Key
Verification strategy on Unix agents.

This allows attackers able to control the name of a build’s
working directory (e.g. through a build parameter that determines
the workspace directory) to inject shell command substitution and
execute arbitrary commands on the agent.

This vulnerability only has an impact when attackers can
control working directories (e.g., the argument to the dir(…)
Pipeline step) while not being able to control the Pipeline itself
or the programs or build scripts it executes.

This vulnerability has been reported through the Jenkins
Bug Bounty Program sponsored by the European Commission.

Git client Plugin 6.6.1 stores the known_hosts file used by the
"Manually provided keys" Git Host Key Verification strategy in
the system temporary directory, so the workspace directory name
is no longer embedded in the path passed to the generated SSH
wrapper script.


CSRF vulnerability and unrestricted instantiation of types in
Pipeline: Groovy Plugin
SECURITY-3677 / CVE-2026-57283 (CSRF), CVE-2026-57284
(unrestricted instantiation of types)
Severity (CVSS): Medium
Affected plugin: workflow-cps
Description:

Pipeline: Groovy Plugin 4331.v9d06ed4658ff and earlier does not
restrict the types that can be instantiated through the Pipeline
Snippet Generator, instantiating any type with a constructor
annotated with @DataBoundConstructor in response to a request.

This allows attackers to have Pipeline: Groovy Plugin instantiate
types related to job or system configuration other than Pipeline
steps.

Additionally, this HTTP endpoint can be accessed using the GET
method and does not require POST requests, resulting in a
cross-site request forgery (CSRF) vulnerability. This allows
attackers to create a script approval request attributed to
another user, impersonating a trusted user when social
engineering an administrator into approving a malicious
script.

This vulnerability has been reported through the
Jenkins Bug Bounty Program sponsored by the European Commission.

Pipeline: Groovy Plugin 4331.4333.v50a_b_076c5199 only
instantiates Pipeline steps and metastep delegates through
the Snippet Generator, and requires POST requests for the
affected HTTP endpoint.

Missing permission check allows enumerating GitHub Enterprise
server URLs in GitHub Branch Source Plugin
SECURITY-3808 / CVE-2026-57285
Severity (CVSS): Medium
Affected plugin: github-branch-source
Description:

GitHub Branch Source Plugin 1967.1969.v205fd594c821 and
earlier does not perform a permission check in an HTTP
endpoint that lists the GitHub API endpoints configured
in the global plugin configuration.

This allows attackers with Overall/Read permission to
obtain the URLs of GitHub Enterprise servers configured
by administrators.

This vulnerability has been reported through the
Jenkins Bug Bounty Program sponsored by the European
Commission.

GitHub Branch Source Plugin 1967.1970.vd86979736546
requires Overall/Manage permission or Item/Extended Read
permission on an item to list the configured GitHub API
endpoints.


Missing permission check in Git Parameter Plugin allows
listing SCM branch and tag names
SECURITY-3745 / CVE-2026-57286
Severity (CVSS): Medium
Affected plugin: git-parameter
Description:

Git Parameter Plugin 462.vdcf3df2ed2ca_ and earlier does
not perform a permission check in an HTTP endpoint that
populates the list of values for Git parameters by querying
the SCM configured on a job, using the SCM credentials
configured in Jenkins.

This allows attackers with Item/Read permission to obtain
information about the SCM repository used by a job they
would otherwise be unable to access, such as branch names,
tag names, and revision metadata.

Git Parameter Plugin 462.463.v496a_59f698e5 requires
Item/Build permission to populate the list of values for
Git parameters.


Encrypted values of secrets in job and agent configurations
not redacted by Job Configuration History Plugin
SECURITY-3742 / CVE-2026-57287
Severity (CVSS): Medium
Affected plugin: jobConfigHistory
Description:

Job Configuration History Plugin 1356.ve360da_6c523a_ and
earlier does not redact the encrypted values of secrets
when displaying historical job and agent configurations
through its "View as XML" / "(RAW)" feature and its
configuration diff views.

This allows attackers with Item/Extended Read permission
(but not Item/Configure permission) to view the encrypted
values of secrets, such as build trigger tokens, that
Jenkins would otherwise redact from the configuration
shown to them.

Job Configuration History Plugin 1367.vc8fa_b_15101dc redacts
the encrypted values of secrets when displaying historical
job and agent configurations through its
"View as XML" / "(RAW)" feature and its configuration diff
views to users lacking Item/Configure permission.


LDAP injection vulnerability in Active Directory Plugin
SECURITY-3651 / CVE-2026-57288
Severity (CVSS): Low
Affected plugin: active-directory
Description:

In Active Directory Plugin 2.41.1 and earlier, the Windows
native (ADSI) authentication path does not escape the user
name before building the LDAP search filter.

This allows unauthenticated attackers to inject LDAP wildcard
characters into the user name, enabling them to enumerate
directory user and group names, and to authenticate as a
matching user when they know that user’s password but not
their exact user name.

Active Directory Plugin 2.41.2 escapes the user name in the
Windows native (ADSI) authentication path before building the
LDAP search filter.
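The escaping step the fixed version adds, as an added Java example that is not the plugin's own code; the filter shape and the sAMAccountName attribute are assumptions about how such a lookup is typically built:

```java
import java.nio.charset.StandardCharsets;

/* Added example (not Active Directory Plugin code): escaping a user-supplied
 * value before it is spliced into an LDAP search filter. Attribute name and
 * filter shape are assumptions. */
public final class LdapFilterEscape {

    private LdapFilterEscape() {}

    /** Escapes a value for use as an assertion value inside an LDAP filter
     *  (RFC 4515 section 3). The characters that give a value wildcard or
     *  structural meaning are replaced by \XX hex escapes, and non-ASCII
     *  bytes are escaped byte-wise after UTF-8 encoding. */
    public static String escapeFilterValue(String value) {
        StringBuilder out = new StringBuilder(value.length() + 8);
        for (byte b : value.getBytes(StandardCharsets.UTF_8)) {
            int c = b & 0xff;
            switch (c) {
                case '*':  out.append("\\2a"); break;
                case '(':  out.append("\\28"); break;
                case ')':  out.append("\\29"); break;
                case '\\': out.append("\\5c"); break;
                case 0:    out.append("\\00"); break;
                default:
                    if (c >= 0x80) {
                        out.append(String.format("\\%02x", c));
                    } else {
                        out.append((char) c);
                    }
            }
        }
        return out.toString();
    }

    /* BEFORE: the user name lands in the filter verbatim, so a "*" in it is
     * read by the directory as a wildcard and the filter can match an
     * account other than the one the caller literally named. */
    public static String userFilterUnsafe(String userName) {
        return "(&(objectClass=user)(sAMAccountName=" + userName + "))";
    }

    /* AFTER: the same filter with the value escaped. "*" and parentheses are
     * now literal characters and only match an account actually containing
     * them, which is what the 2.41.2 fix achieves for the ADSI path. */
    public static String userFilter(String userName) {
        return "(&(objectClass=user)(sAMAccountName=" + escapeFilterValue(userName) + "))";
    }

    public static void main(String[] args) {
        // Constructed input mixing parentheses and a wildcard character.
        String input = "(j.doe)*";
        System.out.println(userFilterUnsafe(input));
        System.out.println(userFilter(input));
    }
}
```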


Missing permission check in MCP Server Plugin allows reading
Pipeline replay scripts
SECURITY-3759 / CVE-2026-57300
Severity (CVSS): Medium
Affected plugin: mcp-server
Description:

MCP Server Plugin 0.177.v629fdb_2557fe and earlier does not
perform a permission check in the getReplayScripts MCP tool
that returns the replay script of a Pipeline build.

This allows attackers with Item/Read permission to obtain
the Pipeline script of jobs.

MCP Server Plugin 0.178.vffe5a_e770f3b_ requires Item/Extended
Read permission to return the replay script of a Pipeline
build through the getReplayScripts MCP tool.


SSL/TLS certificate validation unconditionally disabled by
Bitbucket Push and Pull Request Plugin
SECURITY-3856 / CVE-2026-57289
Severity (CVSS): Medium
Affected plugin: bitbucket-push-and-pull-request
Description:

Bitbucket Push and Pull Request Plugin 3.3.8 and earlier
unconditionally disables SSL/TLS certificate and hostname
validation for the connections it makes to Bitbucket
Server using Bearer token authentication.

Because the Bearer token is transmitted in these requests,
this allows attackers able to intercept network traffic to
capture the token and impersonate the Jenkins controller
to Bitbucket Server.

Bitbucket Push and Pull Request Plugin 3.3.9 validates
SSL/TLS certificates and hostnames for the connections it
makes to Bitbucket Server using Bearer token authentication,
using the trust store configured for the Jenkins controller
JVM.
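The weak setting the advisory describes beside the corrected one, as an added Java example that is not the plugin's own code; the server URL and token are placeholders:

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

/* Added example (not Bitbucket Push and Pull Request Plugin code): an
 * HTTPS request carrying a Bearer token, first with validation disabled as
 * the advisory describes, then relying on the JVM defaults. */
public final class BearerTokenClient {

    private BearerTokenClient() {}

    /* BEFORE (do not use): a TrustManager that accepts every chain and a
     * HostnameVerifier that accepts every name. Whoever sits on the network
     * path can terminate the TLS session with any certificate and read the
     * Authorization header, i.e. the token itself. */
    static SSLContext trustEverything() throws GeneralSecurityException {
        TrustManager acceptAll = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) {}
            public void checkServerTrusted(X509Certificate[] chain, String authType) {}
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { acceptAll }, null);
        return ctx;
    }

    static HttpURLConnection openUnsafe(URL url, String token)
            throws IOException, GeneralSecurityException {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(trustEverything().getSocketFactory());
        conn.setHostnameVerifier((hostname, session) -> true);  // hostname check off
        conn.setRequestProperty("Authorization", "Bearer " + token);
        return conn;
    }

    /* AFTER: no socket factory or hostname verifier override at all.
     * HttpsURLConnection then uses the JVM default SSLContext, which checks
     * the chain against the controller JVM's trust store (cacerts, or the
     * store named by -Djavax.net.ssl.trustStore) and checks that the
     * certificate matches the host in the URL. A Bitbucket Server with an
     * internal CA is handled by adding that CA to the trust store. */
    static HttpURLConnection open(URL url, String token) throws IOException {
        if (!"https".equalsIgnoreCase(url.getProtocol())) {
            throw new IOException("Bearer token must only be sent over https: " + url);
        }
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setRequestProperty("Authorization", "Bearer " + token);
        return conn;
    }
}
```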


CSRF vulnerability in Priority Sorter Plugin
SECURITY-3769 / CVE-2026-57290
Severity (CVSS): Medium
Affected plugin: PrioritySorter
Description:

Priority Sorter Plugin 936.v2c01c6b_84449 and earlier does
not require POST requests in an HTTP endpoint that saves
the global job priority configuration.

This allows attackers to overwrite the global job priority
configuration.

Priority Sorter Plugin 936.937.v5581d0b_2ccb_a_ requires POST
requests for the affected HTTP endpoint.


Missing permission checks and CSRF vulnerability in Gitee
Plugin
SECURITY-3762 (1) / CVE-2026-57291 (missing permission
check), CVE-2026-57292 (CSRF)
Severity (CVSS): Medium
Affected plugin: gitee
Description:

Gitee Plugin 1288.v18b_deb_c9069b_ and earlier does not perform
permission checks in several HTTP endpoints implementing
form validation for its global configuration.

This allows attackers with Overall/Read permission to connect
to an attacker-specified URL using attacker-specified
credentials IDs obtained through another method, capturing
credentials stored in Jenkins.

Additionally, these HTTP endpoints do not require POST requests,
resulting in a cross-site request forgery (CSRF) vulnerability.

Gitee Plugin 1292.v2559f2f3f2c0 requires the appropriate
permissions in the affected HTTP endpoints, and requires
POST requests.


Incorrect permission check in Gitee Plugin allows enumerating
credentials IDs
SECURITY-3762 (2) / CVE-2026-57293
Severity (CVSS): Medium
Affected plugin: gitee
Description:

Gitee Plugin 1288.v18b_deb_c9069b_ and earlier does not
correctly perform a permission check in an HTTP endpoint.

This allows attackers with global Item/Configure permission
(while lacking Item/Configure permission on any particular
job) to enumerate credentials IDs of credentials stored in
Jenkins. Those can be used as part of an attack to capture
the credentials using another vulnerability.

An enumeration of credentials IDs in Gitee Plugin
1292.v2559f2f3f2c0 requires Overall/Administer permission.


CSRF vulnerability and missing permission checks in EC2 Fleet
Plugin
SECURITY-3774 / CVE-2026-57294 (missing permission check),
CVE-2026-57295 (CSRF)
Severity (CVSS): Medium
Affected plugin: ec2-fleet
Description:

EC2 Fleet Plugin 4.2.3.539.v8fedff2a_81c3 and earlier does not
perform permission checks in several HTTP endpoints used to
validate cloud configurations.

This allows attackers with Overall/Read permission to connect
to an attacker-specified URL using attacker-specified credentials
IDs obtained through another method, capturing AWS credentials
stored in Jenkins.

Additionally, these HTTP endpoints do not require POST requests,
resulting in a cross-site request forgery (CSRF) vulnerability.

EC2 Fleet Plugin 4.2.3.540.va_6eedb_7b_c112 requires
Overall/Administer permission and POST requests to perform
these form validation actions.


Path traversal vulnerability in External Workspace Manager
Plugin
SECURITY-3777 / CVE-2026-57296
Severity (CVSS): High
Affected plugin: external-workspace-manager
Description:

External Workspace Manager Plugin 1.3.2 and earlier does not
reject .. path segments when validating the custom workspace
path provided to the exwsAllocate Pipeline step, allowing the
resulting workspace path to escape the configured disk mount
point.

This allows attackers with Item/Configure permission to read
arbitrary files on the Jenkins controller file system, which
can lead to remote code execution (see Reading Files).

External Workspace Manager Plugin 1.4.0 rejects .. path segments
when validating the custom workspace path, and additionally
verifies that the requested path is contained within the
configured disk mount point before serving it through the
external workspace browse functionality.
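The two layers of checking the fixed version describes, rejecting ".." at validation time and verifying containment before serving, as an added Java example that is not the plugin's own code; class and method names are assumptions:

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

/* Added example (not External Workspace Manager Plugin code): validating a
 * user-supplied custom workspace path against a configured disk mount point. */
public final class WorkspacePathCheck {

    private WorkspacePathCheck() {}

    /** Layer 1, when the path is accepted: refuse absolute paths and any
     *  ".." segment outright. normalize() on its own is not a defence here,
     *  because "a/../../etc" normalizes to "../etc" and still escapes. */
    public static Path validateCustomPath(String customPath) {
        Path rel = Paths.get(customPath);
        if (rel.isAbsolute()) {
            throw new IllegalArgumentException("custom path must be relative: " + customPath);
        }
        for (Path segment : rel) {
            if (segment.toString().equals("..")) {
                throw new IllegalArgumentException("'..' segment not allowed: " + customPath);
            }
        }
        return rel.normalize();
    }

    /** Layer 2, before anything under the path is served: resolve against
     *  the mount point and confirm the result is still inside it. When the
     *  target exists the real (symlink-resolved) path is compared, so a link
     *  planted inside the mount cannot point the browse view outside it.
     *  Path.startsWith compares whole segments, so "/mnt/disk1" does not
     *  count as a prefix of "/mnt/disk10". */
    public static Path resolveWithinMount(Path mountPoint, String customPath)
            throws IOException {
        Path base = mountPoint.toRealPath();
        Path resolved = base.resolve(validateCustomPath(customPath)).normalize();
        if (Files.exists(resolved)) {
            resolved = resolved.toRealPath();
        }
        if (!resolved.startsWith(base)) {
            throw new IOException("path escapes mount point: " + customPath);
        }
        return resolved;
    }
}
```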


CSRF vulnerability and missing permission check in Contrast
Continuous Application Security Plugin
SECURITY-3697 (1) / CVE-2026-57297 (missing permission check),
CVE-2026-57298 (CSRF)
Severity (CVSS): Medium
Affected plugin: contrast-continuous-application-security
Description:

Contrast Continuous Application Security Plugin 3.11 and
earlier does not perform a permission check in an HTTP
endpoint that tests the connection to a Contrast
TeamServer.

This allows attackers with Overall/Read permission to
connect to an attacker-specified URL using an
attacker-specified username, API key, and service key.

Additionally, this HTTP endpoint does not require POST
requests, resulting in a cross-site request forgery
(CSRF) vulnerability.

Contrast Continuous Application Security Plugin 3.12
requires Overall/Administer permission and POST requests
to test the connection to a Contrast TeamServer.


Missing permission checks in Contrast Continuous Application
Security Plugin allow enumerating Contrast metadata
SECURITY-3697 (2) / CVE-2026-57299
Severity (CVSS): Medium
Affected plugin: contrast-continuous-application-security
Description:

Contrast Continuous Application Security Plugin 3.11 and
earlier does not perform permission checks in several HTTP
endpoints that fill list box options with the names of the
configured Contrast metadata.

This allows attackers with Overall/Read permission to
enumerate the names of configured Contrast metadata.

Contrast Continuous Application Security Plugin 3.12
requires the appropriate permission to enumerate the
configured Contrast metadata.


Builds executed on the Jenkins controller by OWASP ZAP
Plugin can lead to RCE
SECURITY-3649 / CVE-2026-57301
Severity (CVSS): High
Affected plugin: zapper
Description:

OWASP ZAP Plugin 1.0.7 and earlier does not support
distributed builds, causing the file operations and build
process of its "Automatically build ZAP" feature to be
performed on the Jenkins controller rather than on the
agent the build is assigned to.

This allows attackers with Item/Configure permission to
configure the feature to build an attacker-controlled
project, executing arbitrary code on the Jenkins controller
and bypassing any restriction confining the build to a
specific agent.

As of publication of this advisory, there is no fix. Learn
why we announce this.


Passwords stored in plain text by FitNesse Plugin
SECURITY-3555 / CVE-2026-57302
Severity (CVSS): Medium
Affected plugin: fitnesse
Description:

FitNesse Plugin 1.36 and earlier stores passwords
unencrypted in job config.xml files on the Jenkins
controller as part of its configuration.

These passwords can be viewed by users with Item/Extended
Read permission or access to the Jenkins controller file
system.

As of publication of this advisory, there is no fix.
Learn why we announce this.


XXE vulnerability in Assembla Plugin
SECURITY-3692 (1) / CVE-2026-57303
Severity (CVSS): High
Affected plugin: assembla
Description:

Assembla Plugin 1.4 and earlier does not configure its
XML parser to prevent XML external entity (XXE) attacks
when parsing responses from the configured Assembla server.

This allows attackers able to control the responses of
the configured Assembla server to extract secrets from
the Jenkins controller or perform server-side request
forgery.

As of publication of this advisory, there is no fix. Learn
why we announce this.
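A parser configuration that closes the gap described above, as an added Java example that is not the plugin's own code; it uses the JDK DOM parser, and the sample response bodies are constructed:

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

/* Added example (not Assembla Plugin code): parsing an XML response from a
 * remote server with the parser configured to refuse a DOCTYPE, and with it
 * any external entity, before the body is processed. */
public final class SafeXmlResponseParser {

    private SafeXmlResponseParser() {}

    /* BEFORE: the factory defaults. The JDK parser resolves external
     * entities declared in a DOCTYPE, so a server that controls the response
     * also controls which local or remote URLs the controller reads. */
    public static Document parseUnsafe(String xml) throws Exception {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder()
                .parse(new InputSource(new StringReader(xml)));
    }

    /* AFTER: disallowing the DOCTYPE is the single decisive switch; the
     * remaining settings cover parser implementations that may be on the
     * classpath and honour some of these features but not others. */
    public static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed bodies: one carrying a DOCTYPE, one plain.
        String withDoctype = "<?xml version=\"1.0\"?><!DOCTYPE r><r/>";
        String plain = "<r><ok/></r>";
        try {
            parse(withDoctype);
            System.out.println("unexpected: DOCTYPE accepted");
        } catch (SAXException rejected) {
            System.out.println("rejected: " + rejected.getMessage());
        }
        System.out.println("root: " + parse(plain).getDocumentElement().getTagName());
    }
}
```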


CSRF vulnerability and missing permission check in
Assembla Plugin
SECURITY-3692 (2) / CVE-2026-57304 (missing permission
check), CVE-2026-57305 (CSRF)
Severity (CVSS): Medium
Affected plugin: assembla
Description:

Assembla Plugin 1.4 and earlier does not perform a permission
check in an HTTP endpoint that tests the connection to an
Assembla server.

This allows attackers with Overall/Read permission to
connect to an attacker-specified URL using an
attacker-specified username and password.

Additionally, this HTTP endpoint does not require POST
requests, resulting in a cross-site request forgery (CSRF)
vulnerability.

This does not allow exploiting the XML external
entity (XXE) vulnerability described in the previous
advisory entry.

As of publication of this advisory, there is no fix. Learn
why we announce this.


CSRF vulnerability and missing permission check in Zowe
zDevOps Plugin
SECURITY-3747 / CVE-2026-57306 (CSRF), CVE-2026-57307
(missing permission check)
Severity (CVSS): Medium
Affected plugin: zdevops
Description:

Zowe zDevOps Plugin 1.1.3.50.ve350c9b_450b_1 and earlier
does not perform a permission check in an HTTP endpoint
implementing a connection test.

This allows attackers with Overall/Read permission to
connect to an attacker-specified URL using attacker-specified
credentials IDs obtained through another method, capturing
credentials stored in Jenkins.

Additionally, this HTTP endpoint does not require POST requests,
resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix. Learn
why we announce this.
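The missing-permission-check and CSRF pattern shared by the Gitee, EC2 Fleet, Contrast, Assembla and Zowe zDevOps connection-test entries above, as an added Java example that is not code from any of those plugins; ExampleServerConfig and ExampleClient are hypothetical:

```java
import hudson.Extension;
import hudson.model.Item;
import hudson.util.FormValidation;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

/* Added example: a "test connection" form-validation endpoint in the
 * unprotected shape the advisory describes, then in the hardened shape.
 * ExampleClient is a hypothetical stand-in for the plugin's HTTP client. */
@Extension
public class ExampleServerConfig extends GlobalConfiguration {

    /** Hypothetical: connects to serverUrl presenting the Jenkins credential
     *  identified by credentialsId, throwing if the server does not answer. */
    interface ExampleClient {
        void ping(String serverUrl, String credentialsId) throws Exception;
    }

    private ExampleClient client = (serverUrl, credentialsId) -> { };

    /* BEFORE: no @POST and no permission check. Stapler maps the method to
     * .../doTestConnectionUnsafe for any HTTP method, and Jenkins enforces
     * its CSRF crumb only on POST. So any Overall/Read user, or a page such
     * a user is lured to, can make the controller connect to an arbitrary
     * serverUrl and present the credential named by credentialsId to it. */
    public FormValidation doTestConnectionUnsafe(@QueryParameter String serverUrl,
                                                 @QueryParameter String credentialsId) {
        return tryConnect(serverUrl, credentialsId);
    }

    /* AFTER, global scope: @POST makes Stapler reject other methods (so the
     * crumb check applies) and checkPermission throws AccessDeniedException
     * for callers lacking Overall/Administer. Both run before any credential
     * is resolved or any socket is opened. */
    @POST
    public FormValidation doTestConnection(@QueryParameter String serverUrl,
                                           @QueryParameter String credentialsId) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return tryConnect(serverUrl, credentialsId);
    }

    /* AFTER, item scope: the same endpoint on a job-level descriptor. The job
     * is injected from the request URL and Item/Configure is checked on that
     * particular job, not merely held somewhere globally, which is the
     * distinction the Gitee credentials ID enumeration entry draws. */
    @POST
    public FormValidation doTestConnectionForJob(@AncestorInPath Item job,
                                                 @QueryParameter String serverUrl,
                                                 @QueryParameter String credentialsId) {
        if (job == null) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        } else {
            job.checkPermission(Item.CONFIGURE);
        }
        return tryConnect(serverUrl, credentialsId);
    }

    private FormValidation tryConnect(String serverUrl, String credentialsId) {
        try {
            client.ping(serverUrl, credentialsId);
            return FormValidation.ok("Connection successful");
        } catch (Exception e) {
            return FormValidation.error(e, "Connection failed");
        }
    }
}
```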


Severity

    SECURITY-3555: Medium
    SECURITY-3649: High
    SECURITY-3651: Low
    SECURITY-3677: Medium
    SECURITY-3692 (1): High
    SECURITY-3692 (2): Medium
    SECURITY-3697 (1): Medium
    SECURITY-3697 (2): Medium
    SECURITY-3723: Medium
    SECURITY-3742: Medium
    SECURITY-3745: Medium
    SECURITY-3747: Medium
    SECURITY-3759: Medium
    SECURITY-3762 (1): Medium
    SECURITY-3762 (2): Medium
    SECURITY-3769: Medium
    SECURITY-3774: Medium
    SECURITY-3777: High
    SECURITY-3792: High
    SECURITY-3793: High
    SECURITY-3808: Medium
    SECURITY-3856: Medium

Affected Versions

    Active Directory Plugin up to and including 2.41.1
    Assembla Plugin up to and including 1.4
    Bitbucket Push and Pull Request Plugin up to and including 3.3.8
    Contrast Continuous Application Security Plugin up to and including 3.11
    EC2 Fleet Plugin up to and including 4.2.3.539.v8fedff2a_81c3
    External Workspace Manager Plugin up to and including 1.3.2
    FitNesse Plugin up to and including 1.36
    Git client Plugin up to and including 6.6.0
    Git Parameter Plugin up to and including 462.vdcf3df2ed2ca_
    Gitee Plugin up to and including 1288.v18b_deb_c9069b_
    GitHub Branch Source Plugin up to and including 1967.1969.v205fd594c821
    Job Configuration History Plugin up to and including 1356.ve360da_6c523a_
    MCP Server Plugin up to and including 0.177.v629fdb_2557fe
    OWASP ZAP Plugin up to and including 1.0.7
    Pipeline: Groovy Plugin up to and including 4331.v9d06ed4658ff
    Priority Sorter Plugin up to and including 936.v2c01c6b_84449
    Script Security Plugin up to and including 1402.v94c9ce464861
    Zowe zDevOps Plugin up to and including 1.1.3.50.ve350c9b_450b_1

Fix

    Active Directory Plugin should be updated to version 2.41.2
    Bitbucket Push and Pull Request Plugin should be updated to version 3.3.9
    Contrast Continuous Application Security Plugin should be updated to version 3.12
    EC2 Fleet Plugin should be updated to version 4.2.3.540.va_6eedb_7b_c112
    External Workspace Manager Plugin should be updated to version 1.4.0
    Git client Plugin should be updated to version 6.6.1
    Git Parameter Plugin should be updated to version 462.463.v496a_59f698e5
    Gitee Plugin should be updated to version 1292.v2559f2f3f2c0
    GitHub Branch Source Plugin should be updated to version 1967.1970.vd86979736546
    Job Configuration History Plugin should be updated to version 1367.vc8fa_b_15101dc
    MCP Server Plugin should be updated to version 0.178.vffe5a_e770f3b_
    Pipeline: Groovy Plugin should be updated to version 4331.4333.v50a_b_076c5199
    Priority Sorter Plugin should be updated to version 936.937.v5581d0b_2ccb_a_
    Script Security Plugin should be updated to version 1402.1405.vc96e74964250

These versions include fixes to the vulnerabilities described
above. All prior versions are considered to be affected by
these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available
for the following plugins:

    Assembla Plugin
    FitNesse Plugin
    OWASP ZAP Plugin
    Zowe zDevOps Plugin

Learn why we announce these issues.


Credit

The Jenkins project would like to thank the reporters for
discovering and reporting these vulnerabilities:

    Arad Inbar, Ben Grinberg, Nir Somech from DREAM, and, independently, Nahit Sogutlu (http://github.com/Dogru-Isim) for SECURITY-3651
    Heechan, and, independently, YeJun Won for SECURITY-3759
    Kai Aizen (SnailSploit) for SECURITY-3692 (1), SECURITY-3692 (2), SECURITY-3697 (1), SECURITY-3697 (2)
    Ophion Security in collaboration with Claude and Anthropic Research for SECURITY-3742
    Pablo Picurelli Ortiz (superpegaso2703) of Universidad Rey Juan Carlos for SECURITY-3649
    Ravindu Wickramasinghe for SECURITY-3723
    Romuald Moisan, Aix Marseille University for SECURITY-3555
    Suman Roy (https://linkedin.com/in/sumanrox) for SECURITY-3808
    SungpilHan (@EQSTLab) for SECURITY-3745
    dyingman1 (https://github.com/dyingman1, redpoc Offensive Security Team) for SECURITY-3747, SECURITY-3762 (1), SECURITY-3762 (2), SECURITY-3769, SECURITY-3774, SECURITY-3777, SECURITY-3856

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================