PT-2026-26073 · Jenkins +1

Elie Metahri +3

Published 2026-03-18 · Updated 2026-05-24

CVE-2026-33001

CVSS v2.0: 9.0 (High)

Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Jenkins versions 2.554 and earlier; Jenkins LTS versions 2.541.2 and earlier

Description: The software does not safely handle symbolic links when extracting .tar and .tar.gz archives. This allows crafted archives to write files to arbitrary locations on the filesystem, limited only by the file system access permissions of the user running Jenkins. An attacker with Item/Configure permission, or control over agent processes, can exploit this to deploy malicious scripts or plugins on the controller.

Recommendations: Update Jenkins to a version later than 2.554. Update Jenkins LTS to a version later than 2.541.2.
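The extraction flaw described above, as an added example that is not Jenkins' code: a static scanner that flags tar members which escape the extraction root or are written through an earlier symlink entry, and a hardened extractor that re-resolves each on-disk path through whatever symlinks it has already created before writing. The archive contents (`link -> ../escape`, then `link/payload.sh`) are constructed test data, and the code assumes a POSIX filesystem that supports symlinks.

```python
# Added example, not Jenkins' code: scanner + hardened extractor for the
# "symlink in a tar archive" write-anywhere pattern. All archive contents below
# are constructed for the demo; no real-world paths are involved.
import io
import os
import posixpath
import tarfile
import tempfile


def _build_tar(entries):
    """Build a .tar.gz in memory from (kind, name, payload) tuples (constructed data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for kind, name, payload in entries:
            info = tarfile.TarInfo(name)
            if kind == "dir":
                info.type = tarfile.DIRTYPE
                tar.addfile(info)
            elif kind == "sym":
                info.type = tarfile.SYMTYPE
                info.linkname = payload
                tar.addfile(info)
            else:
                data = payload.encode()
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Malicious: a symlink pointing outside the extraction root, then a file whose path
# goes *through* it. A naive extractor creates the link, then writes payload.sh
# wherever the link points (here: <dest>/../escape/payload.sh).
MALICIOUS_TAR = _build_tar([
    ("sym", "link", "../escape"),
    ("file", "link/payload.sh", "#!/bin/sh\necho owned\n"),
])
# Benign: an in-tree symlink that nothing is written through.
BENIGN_TAR = _build_tar([
    ("dir", "sub", None),
    ("file", "sub/ok.txt", "hello\n"),
    ("sym", "link", "sub"),
])


def _relative_escapes(path):
    """True if a normalized archive-relative path leaves the extraction root."""
    p = posixpath.normpath(path)
    return p.startswith("/") or p == ".." or p.startswith("../")


def find_unsafe_members(data):
    """Static scan: return (member name, reason) pairs without extracting anything."""
    findings, symlinks = [], set()  # symlink entries seen so far, in archive order
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for m in tar.getmembers():
            if _relative_escapes(m.name):
                findings.append((m.name, "path escapes extraction root"))
                continue
            parts = m.name.split("/")
            # A path through an earlier symlink entry lands wherever that link points.
            through = next((p for p in ("/".join(parts[:i]) for i in range(1, len(parts)))
                            if p in symlinks), None)
            if through is not None:
                findings.append((m.name, f"path traverses symlink entry {through}"))
                continue
            if m.issym():
                # symlink targets are relative to the link's own directory
                if _relative_escapes(posixpath.join(posixpath.dirname(m.name), m.linkname)):
                    findings.append((m.name, f"symlink target escapes extraction root: {m.linkname}"))
                symlinks.add(m.name)
            elif m.islnk() and _relative_escapes(m.linkname):
                findings.append((m.name, f"hardlink target escapes extraction root: {m.linkname}"))
    return findings


def _inside(root, path):
    return os.path.commonpath([root, path]) == root


def safe_extract(data, dest):
    """Extract member by member; realpath() re-resolves each target through symlinks
    already created on disk, so a write through a hostile link is refused."""
    root = os.path.realpath(dest)
    os.makedirs(root, exist_ok=True)
    written = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for m in tar.getmembers():
            target = os.path.realpath(os.path.join(root, m.name))
            if not _inside(root, target):
                raise ValueError(f"refusing {m.name}: resolves to {target} outside {root}")
            if m.isdir():
                os.makedirs(target, exist_ok=True)
            elif m.isfile():
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with open(target, "wb") as f:
                    f.write(tar.extractfile(m).read())
            elif m.issym():
                link_dest = os.path.realpath(os.path.join(os.path.dirname(target), m.linkname))
                if not _inside(root, link_dest):
                    raise ValueError(f"refusing symlink {m.name} -> {m.linkname}: points outside {root}")
                os.symlink(m.linkname, target)
            else:  # hardlinks, devices, FIFOs: not needed for build artifacts
                raise ValueError(f"refusing {m.name}: unsupported member type")
            written.append(m.name)
    return written


def demo():
    """Run both checks on the constructed archives inside a fresh temp directory."""
    base = tempfile.mkdtemp(prefix="tar-symlink-demo-")
    result = {"static_malicious": find_unsafe_members(MALICIOUS_TAR),
              "static_benign": find_unsafe_members(BENIGN_TAR),
              "benign_written": safe_extract(BENIGN_TAR, os.path.join(base, "root"))}
    try:
        safe_extract(MALICIOUS_TAR, os.path.join(base, "root2"))
        result["malicious_error"] = None
    except ValueError as e:
        result["malicious_error"] = str(e)
    result["escaped_file_exists"] = os.path.exists(os.path.join(base, "escape", "payload.sh"))
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The static scan is what a pre-extraction gate (an artifact upload handler, a plugin installer) would run on the raw bytes; the extractor is the belt-and-braces version, because the static scan cannot see symlinks that already exist in the destination before extraction starts, whereas `os.path.realpath` checks the filesystem as it actually is at the moment of each write.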

Fix

RCE

DoS

Link Following


Weakness Enumeration

Related identifiers

BDU:2026-04250
BIT-JENKINS-2026-33001
CVE-2026-33001
GHSA-R6QV-FRPC-Q66C

Affected products

Jenkins
Red Os