Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2024-29371 (GCVE-0-2024-29371)
Vulnerability from cvelistv5 – Published: 2025-12-17 00:00 – Updated: 2026-01-23 19:28- n/a
- CWE-1259 - Improper Restriction of Security Token Assignment
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-29371",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-17T18:38:20.096134Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1259",
"description": "CWE-1259 Improper Restriction of Security Token Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-17T18:48:36.126Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://bitbucket.org/b_c/jose4j/issues/220/vuln-zip-bomb-attack"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In jose4j before 0.9.6, an attacker can cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-23T19:28:10.386Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://bitbucket.org/b_c/jose4j/issues/220/vuln-zip-bomb-attack"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-29371",
"datePublished": "2025-12-17T00:00:00.000Z",
"dateReserved": "2024-03-19T00:00:00.000Z",
"dateUpdated": "2026-01-23T19:28:10.386Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2024-29371",
"date": "2026-07-11",
"epss": "0.00244",
"percentile": "0.15495"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2024-29371\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2025-12-17T16:16:04.567\",\"lastModified\":\"2026-06-17T07:22:45.723\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In jose4j before 0.9.6, an attacker can cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression.\"}],\"affected\":[{\"source\":\"cve@mitre.org\",\"affectedData\":[{\"vendor\":\"n/a\",\"product\":\"n/a\",\"versions\":[{\"version\":\"n/a\",\"status\":\"affected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2025-12-17T18:38:20.096134Z\",\"id\":\"CVE-2024-29371\",\"options\":[{\"exploitation\":\"poc\"},{\"automatable\":\"yes\"},{\"technicalImpact\":\"partial\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-1259\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:jose4j_project:jose4j:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"0.9.5\",\"matchCriteriaId\":\"DE62FF6D-FC62-42B0-9ED4-76A0C4419975\"}]}]}],\"references\":[{\"url\":\"https://bitbucket.org/b_c/jose4j/issues/220/vuln-zip-bomb-attack\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\",\"Issue Tracking\",\"Mitigation\"]},{\"url\":\"https://bitbucket.org/b_c/jose4j/issues/220/vuln-zip-bomb-attack\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Issue Tracking\",\"Mitigation\"]}]}}",
"redhat_vex": {
"aggregate_severity": "Important",
"current_release_date": "2026-07-03T11:44:09+00:00",
"cve": "CVE-2024-29371",
"id": "CVE-2024-29371",
"initial_release_date": "2024-01-01T00:00:00+00:00",
"product_status:fixed": "44",
"product_status:known_affected": "13",
"product_status:known_not_affected": "79",
"source": "Red Hat CSAF VEX",
"status": "final",
"title": "jose4j: jose4j: Denial of Service via malicious JSON Web Encryption (JWE) token compression",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2024/cve-2024-29371.json",
"version": "3"
},
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-29371\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-12-17T18:38:20.096134Z\"}}}], \"references\": [{\"url\": \"https://bitbucket.org/b_c/jose4j/issues/220/vuln-zip-bomb-attack\", \"tags\": [\"exploit\"]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-1259\", \"description\": \"CWE-1259 Improper Restriction of Security Token Assignment\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-12-17T18:15:31.759Z\"}}], \"cna\": {\"affected\": [{\"vendor\": \"n/a\", \"product\": \"n/a\", \"versions\": [{\"status\": \"affected\", \"version\": \"n/a\"}]}], \"references\": [{\"url\": \"https://bitbucket.org/b_c/jose4j/issues/220/vuln-zip-bomb-attack\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"In jose4j before 0.9.6, an attacker can cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"text\", \"description\": \"n/a\"}]}], \"providerMetadata\": {\"orgId\": \"8254265b-2729-46b6-b9e3-3dfca2d5bfca\", \"shortName\": \"mitre\", \"dateUpdated\": \"2026-01-23T19:28:10.386Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-29371\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-01-23T19:28:10.386Z\", \"dateReserved\": \"2024-03-19T00:00:00.000Z\", \"assignerOrgId\": \"8254265b-2729-46b6-b9e3-3dfca2d5bfca\", \"datePublished\": \"2025-12-17T00:00:00.000Z\", \"assignerShortName\": \"mitre\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
RHSA-2025:17299
Vulnerability from csaf_redhat - Published: 2025-10-02 14:54 - Updated: 2026-07-03 12:02A flaw was found in jose4j. A remote attacker can exploit this by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression. This can lead to a Denial of Service, making the service unavailable to legitimate users.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat JBoss Enterprise Application Platform 8.1.0
Red Hat / Red Hat JBoss Enterprise Application Platform
|
cpe:/a:redhat:jboss_enterprise_application_platform:8.1::el9
|
— |
Vendor Fix
fix
|
A flaw was found in org.apache.cxf/cxf, where untrusted users can configure JMS to allow the specification of RMI or LDAP URLs, possibly leading to code execution. This vulnerability allows an attacker to provide malicious protocol URLs during JMS configuration.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat JBoss Enterprise Application Platform 8.1.0
Red Hat / Red Hat JBoss Enterprise Application Platform
|
cpe:/a:redhat:jboss_enterprise_application_platform:8.1::el9
|
— |
Vendor Fix
fix
Workaround
|
A flaw was found in Netty where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the "MadeYouReset" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts. While not a protocol bug, this highlights a common implementation weakness that can be exploited to cause a denial of service (DoS).
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat JBoss Enterprise Application Platform 8.1.0
Red Hat / Red Hat JBoss Enterprise Application Platform
|
cpe:/a:redhat:jboss_enterprise_application_platform:8.1::el9
|
— |
Vendor Fix
fix
Workaround
|
A flaw in Netty’s HTTP/1.1 chunked encoding parser allows newline (LF) characters in chunk extensions to be incorrectly treated as the end of the chunk-size line instead of requiring the proper CRLF sequence. This discrepancy can be exploited in rare cases where a reverse proxy interprets the same input differently, potentially enabling HTTP request smuggling attacks such as bypassing access controls or corrupting responses.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat JBoss Enterprise Application Platform 8.1.0
Red Hat / Red Hat JBoss Enterprise Application Platform
|
cpe:/a:redhat:jboss_enterprise_application_platform:8.1::el9
|
— |
Vendor Fix
fix
Workaround
|
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "A security update is now available for Red Hat JBoss Enterprise Application Platform 8.1. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat JBoss Enterprise Application Platform 8 is a platform for Java applications based on the WildFly application runtime.\n\nThis asynchronous patch is an update for Red Hat JBoss Enterprise Application Platform 8.1. See Release Notes for information about the most\nsignificant bug fixes and enhancements included in this release.\n\nSecurity Fix(es):\n\n* netty-codec-http: Netty is vulnerable to request smuggling due to incorrect parsing of chunk extensions [eap-8.1.z] (CVE-2025-58056)\n\n* netty-codec-http2: Netty is vulnerable to request smuggling due to incorrect parsing of chunk extensions [eap-8.1.z] (CVE-2025-58056)\n\n* cxf: CXF JMS Code Execution Vulnerability [eap-8.1.z] (CVE-2025-48913)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:17299",
"url": "https://access.redhat.com/errata/RHSA-2025:17299"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/8.1",
"url": "https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/8.1"
},
{
"category": "external",
"summary": "https://access.redhat.com/articles/7129481",
"url": "https://access.redhat.com/articles/7129481"
},
{
"category": "external",
"summary": "2388252",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2388252"
},
{
"category": "external",
"summary": "2392996",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2392996"
},
{
"category": "external",
"summary": "JBEAP-30701",
"url": "https://issues.redhat.com/browse/JBEAP-30701"
},
{
"category": "external",
"summary": "JBEAP-30732",
"url": "https://issues.redhat.com/browse/JBEAP-30732"
},
{
"category": "external",
"summary": "JBEAP-30759",
"url": "https://issues.redhat.com/browse/JBEAP-30759"
},
{
"category": "external",
"summary": "JBEAP-30761",
"url": "https://issues.redhat.com/browse/JBEAP-30761"
},
{
"category": "external",
"summary": "JBEAP-30763",
"url": "https://issues.redhat.com/browse/JBEAP-30763"
},
{
"category": "external",
"summary": "JBEAP-30887",
"url": "https://issues.redhat.com/browse/JBEAP-30887"
},
{
"category": "external",
"summary": "JBEAP-30889",
"url": "https://issues.redhat.com/browse/JBEAP-30889"
},
{
"category": "external",
"summary": "JBEAP-30891",
"url": "https://issues.redhat.com/browse/JBEAP-30891"
},
{
"category": "external",
"summary": "JBEAP-30916",
"url": "https://issues.redhat.com/browse/JBEAP-30916"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_17299.json"
}
],
"title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 8.1.0 security update",
"tracking": {
"current_release_date": "2026-07-03T12:02:20+00:00",
"generator": {
"date": "2026-07-03T12:02:20+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.3.1"
}
},
"id": "RHSA-2025:17299",
"initial_release_date": "2025-10-02T14:54:02+00:00",
"revision_history": [
{
"date": "2025-10-02T14:54:02+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-10-02T14:54:02+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-07-03T12:02:20+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat JBoss Enterprise Application Platform 8.1.0",
"product": {
"name": "Red Hat JBoss Enterprise Application Platform 8.1.0",
"product_id": "Red Hat JBoss Enterprise Application Platform 8.1.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.1::el9"
}
}
}
],
"category": "product_family",
"name": "Red Hat JBoss Enterprise Application Platform"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-29371",
"cwe": {
"id": "CWE-409",
"name": "Improper Handling of Highly Compressed Data (Data Amplification)"
},
"discovery_date": "2025-12-17T16:01:18.173727+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2423194"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in jose4j. A remote attacker can exploit this by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression. This can lead to a Denial of Service, making the service unavailable to legitimate users.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jose4j: jose4j: Denial of Service via malicious JSON Web Encryption (JWE) token compression",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated Important as it can lead to a Denial of Service in applications that process untrusted JSON Web Encryption tokens. An attacker can craft a malicious JWE token with an exceptionally high compression ratio, causing excessive memory allocation and processing time during decompression in affected components like jose4j. This affects products such as Red Hat AMQ, Enterprise Application Platform (EAP 8.0.z, 8.1.z), Red Hat JBoss Fuse, JBoss Data Grid, OpenShift Developer Tools \u0026 Services, Red Hat build of Apache Camel, Red Hat Integration, Red Hat OpenShift Dev Spaces, Red Hat Process Automation Manager, Red Hat Single Sign-On (RH-SSO), Insights, cloud.redhat.com, and OpenShift Serverless.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Enterprise Application Platform 8.1.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-29371"
},
{
"category": "external",
"summary": "RHBZ#2423194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2423194"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-29371",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-29371"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-29371",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29371"
},
{
"category": "external",
"summary": "https://bitbucket.org/b_c/jose4j/issues/220/vuln-zip-bomb-attack",
"url": "https://bitbucket.org/b_c/jose4j/issues/220/vuln-zip-bomb-attack"
}
],
"release_date": "2025-12-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-10-02T14:54:02+00:00",
"details": "Before applying the update, make sure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to:\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat JBoss Enterprise Application Platform 8.1.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:17299"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat JBoss Enterprise Application Platform 8.1.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jose4j: jose4j: Denial of Service via malicious JSON Web Encryption (JWE) token compression"
},
{
"cve": "CVE-2025-48913",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2025-08-08T10:00:54.007824+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2387221"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in org.apache.cxf/cxf, where untrusted users can configure JMS to allow the specification of RMI or LDAP URLs, possibly leading to code execution. This vulnerability allows an attacker to provide malicious protocol URLs during JMS configuration.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.apache.cxf/cxf: CXF JMS Code Execution Vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This flaw should be considered Important because the impact goes beyond a simple denial of service or configuration misuse. By allowing untrusted users to configure JMS with RMI or LDAP URLs, attackers could achieve remote code execution by loading attacker-controlled classes or objects. Although this requires the precondition that the attacker has access to JMS configuration, in many enterprise deployments this may be exposed through integration layers or misconfigured permissions, making the attack surface broader than a purely local or limited-scope scenario.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Enterprise Application Platform 8.1.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-48913"
},
{
"category": "external",
"summary": "RHBZ#2387221",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2387221"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-48913",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-48913"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-48913",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48913"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/f1nv488ztc0js4g5ml2v88mzkzslyh83",
"url": "https://lists.apache.org/thread/f1nv488ztc0js4g5ml2v88mzkzslyh83"
}
],
"release_date": "2025-08-08T09:21:22.208000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-10-02T14:54:02+00:00",
"details": "Before applying the update, make sure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to:\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat JBoss Enterprise Application Platform 8.1.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:17299"
},
{
"category": "workaround",
"details": "To reduce risk, deployments should restrict the allowed protocols in JMS configuration to trusted and expected values only. In particular, disallow the use of rmi:// and ldap:// URLs, which could be abused for remote class loading and code execution.",
"product_ids": [
"Red Hat JBoss Enterprise Application Platform 8.1.0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"products": [
"Red Hat JBoss Enterprise Application Platform 8.1.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "org.apache.cxf/cxf: CXF JMS Code Execution Vulnerability"
},
{
"cve": "CVE-2025-55163",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2025-08-13T15:01:55.372237+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2388252"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Netty where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the \"MadeYouReset\" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts. While not a protocol bug, this highlights a common implementation weakness that can be exploited to cause a denial of service (DoS).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "netty: netty-codec-http2: Netty MadeYouReset HTTP/2 DDoS Vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated with an Important severity. It is simple to exploit because it does not require authentication and could result in a denial of service (DoS). While some DoS flaws are classified as Moderate, \u201cMadeYouReset\u201d is Important because of the limited barriers (no specialized tooling or advanced scripting) to exploitation, which directly impacts service availability. The vulnerability arises from an implementation weakness in HTTP/2 stream reset handling \u2014 malformed client requests can trigger server-side resets without incrementing abuse counters, allowing an attacker to bypass built-in request throttling and overhead limits. Since these resets consume CPU and memory resources and can be generated at scale over a single TCP/TLS connection, a remote attacker could exhaust server capacity quickly, impacting all legitimate clients.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Enterprise Application Platform 8.1.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-55163"
},
{
"category": "external",
"summary": "RHBZ#2388252",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2388252"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-55163",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-55163"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-55163",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55163"
},
{
"category": "external",
"summary": "https://github.com/netty/netty/security/advisories/GHSA-prj3-ccx8-p6x4",
"url": "https://github.com/netty/netty/security/advisories/GHSA-prj3-ccx8-p6x4"
},
{
"category": "external",
"summary": "https://kb.cert.org/vuls/id/767506",
"url": "https://kb.cert.org/vuls/id/767506"
}
],
"release_date": "2025-08-13T14:17:36.111000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-10-02T14:54:02+00:00",
"details": "Before applying the update, make sure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to:\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat JBoss Enterprise Application Platform 8.1.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:17299"
},
{
"category": "workaround",
"details": "No mitigation is currently available that meets Red Hat Product Security\u2019s standards for usability, deployment, applicability, or stability.",
"product_ids": [
"Red Hat JBoss Enterprise Application Platform 8.1.0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat JBoss Enterprise Application Platform 8.1.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "netty: netty-codec-http2: Netty MadeYouReset HTTP/2 DDoS Vulnerability"
},
{
"cve": "CVE-2025-58056",
"cwe": {
"id": "CWE-444",
"name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
},
"discovery_date": "2025-09-03T21:01:22.935850+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2392996"
}
],
"notes": [
{
"category": "description",
"text": "A flaw in Netty\u2019s HTTP/1.1 chunked encoding parser allows newline (LF) characters in chunk extensions to be incorrectly treated as the end of the chunk-size line instead of requiring the proper CRLF sequence. This discrepancy can be exploited in rare cases where a reverse proxy interprets the same input differently, potentially enabling HTTP request smuggling attacks such as bypassing access controls or corrupting responses.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "netty-codec-http: Netty is vulnerable to request smuggling due to incorrect parsing of chunk extensions",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue is considered Moderate rather than Important because successful exploitation depends on a very specific deployment condition: the presence of an intermediary reverse proxy that both mishandles lone LF characters in chunk extensions and forwards them unmodified to Netty. By itself, Netty\u2019s parsing quirk does not introduce risk, and in most real-world environments, reverse proxies normalize or reject malformed chunked requests, preventing smuggling. As a result, the vulnerability has limited reach, requires a niche configuration to be exploitable, and does not universally expose Netty-based servers to request smuggling\u2014hence it is rated moderate in severity rather than important or critical.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Enterprise Application Platform 8.1.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-58056"
},
{
"category": "external",
"summary": "RHBZ#2392996",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2392996"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-58056",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-58056"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-58056",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58056"
},
{
"category": "external",
"summary": "https://datatracker.ietf.org/doc/html/rfc9112#name-chunked-transfer-coding",
"url": "https://datatracker.ietf.org/doc/html/rfc9112#name-chunked-transfer-coding"
},
{
"category": "external",
"summary": "https://github.com/JLLeitschuh/unCVEed/issues/1",
"url": "https://github.com/JLLeitschuh/unCVEed/issues/1"
},
{
"category": "external",
"summary": "https://github.com/netty/netty/commit/edb55fd8e0a3bcbd85881e423464f585183d1284",
"url": "https://github.com/netty/netty/commit/edb55fd8e0a3bcbd85881e423464f585183d1284"
},
{
"category": "external",
"summary": "https://github.com/netty/netty/issues/15522",
"url": "https://github.com/netty/netty/issues/15522"
},
{
"category": "external",
"summary": "https://github.com/netty/netty/pull/15611",
"url": "https://github.com/netty/netty/pull/15611"
},
{
"category": "external",
"summary": "https://github.com/netty/netty/security/advisories/GHSA-fghv-69vj-qj49",
"url": "https://github.com/netty/netty/security/advisories/GHSA-fghv-69vj-qj49"
},
{
"category": "external",
"summary": "https://w4ke.info/2025/06/18/funky-chunks.html",
"url": "https://w4ke.info/2025/06/18/funky-chunks.html"
}
],
"release_date": "2025-09-03T20:56:50.732000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-10-02T14:54:02+00:00",
"details": "Before applying the update, make sure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to:\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat JBoss Enterprise Application Platform 8.1.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:17299"
},
{
"category": "workaround",
"details": "To mitigate this issue, enforce strict RFC compliance on all front-end proxies and load balancers so that lone LF characters in chunk extensions are rejected or normalized before being forwarded. Additionally, configure input validation at the application or proxy layer to block malformed chunked requests, ensuring consistent parsing across all components in the request path.",
"product_ids": [
"Red Hat JBoss Enterprise Application Platform 8.1.0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat JBoss Enterprise Application Platform 8.1.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "netty-codec-http: Netty is vulnerable to request smuggling due to incorrect parsing of chunk extensions"
}
]
}
RHSA-2026:10199
Vulnerability from csaf_redhat - Published: 2026-04-23 16:00 - Updated: 2026-07-03 12:02A flaw was found in jose4j. A remote attacker can exploit this by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression. This can lead to a Denial of Service, making the service unavailable to legitimate users.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x | — |
Vendor Fix
fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x | — |
A flaw was found in Jenkins. This vulnerability, identified as a stored cross-site scripting (XSS) issue, occurs because Jenkins does not properly escape the user-provided description for the "Mark temporarily offline" cause. An attacker with Agent/Configure or Agent/Disconnect permissions can exploit this to inject malicious scripts, leading to potential information disclosure or unauthorized actions within the user's browser.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x | — |
Vendor Fix
fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x | — |
A flaw was found in Jenkins. An attacker with Item/Build and Item/Configure permissions can exploit this vulnerability by submitting Run Parameter values that refer to builds they do not have authorization to access. This allows the attacker to obtain sensitive information, including the existence of jobs, the existence of builds, and the display names of specific builds. This is an information disclosure vulnerability.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x | — |
Vendor Fix
fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x | — |
A flaw was found in Jenkins. This vulnerability allows attackers with Item/Configure permission, or those who can control agent processes, to exploit unsafe handling of symbolic links during the extraction of .tar and .tar.gz archives. By crafting malicious archives, an attacker can write files to arbitrary locations on the filesystem. This could enable the deployment of malicious scripts or plugins on the Jenkins controller, potentially leading to unauthorized code execution.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x | — |
Vendor Fix
fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x | — |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for Openshift Jenkins is now available for Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.21.",
"title": "Topic"
},
{
"category": "general",
"text": "Release of Red Hat OpenShift Developer Tools - Openshift Jenkins 4.21 security update.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:10199",
"url": "https://access.redhat.com/errata/RHSA-2026:10199"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2024-29371",
"url": "https://access.redhat.com/security/cve/CVE-2024-29371"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-27099",
"url": "https://access.redhat.com/security/cve/CVE-2026-27099"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-27100",
"url": "https://access.redhat.com/security/cve/CVE-2026-27100"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-33001",
"url": "https://access.redhat.com/security/cve/CVE-2026-33001"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://docs.redhat.com/en/documentation/openshift_container_platform/4.21/html/jenkins",
"url": "https://docs.redhat.com/en/documentation/openshift_container_platform/4.21/html/jenkins"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_10199.json"
}
],
"title": "Red Hat Security Advisory: Release of Red Hat OpenShift Developer Tools - Openshift Jenkins 4.21 security update.",
"tracking": {
"current_release_date": "2026-07-03T12:02:24+00:00",
"generator": {
"date": "2026-07-03T12:02:24+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.3.1"
}
},
"id": "RHSA-2026:10199",
"initial_release_date": "2026-04-23T16:00:39+00:00",
"revision_history": [
{
"date": "2026-04-23T16:00:39+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-04-23T16:00:47+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-07-03T12:02:24+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "OpenShift Developer Tools and Services 4.21",
"product": {
"name": "OpenShift Developer Tools and Services 4.21",
"product_id": "OpenShift Developer Tools and Services 4.21",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:ocp_tools:4.21::el9"
}
}
}
],
"category": "product_family",
"name": "OpenShift Developer Tools and Services"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel9@sha256%3A960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd?arch=amd64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944183"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-rhel9@sha256%3A0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630?arch=amd64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944215"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel9@sha256%3A486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97?arch=arm64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944183"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-rhel9@sha256%3A1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4?arch=arm64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944215"
}
}
}
],
"category": "architecture",
"name": "arm64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel9@sha256%3Aa41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190?arch=ppc64le\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944183"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-rhel9@sha256%3Aab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454?arch=ppc64le\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944215"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel9@sha256%3Acef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96?arch=s390x\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944183"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-rhel9@sha256%3Ab453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7?arch=s390x\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944215"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64 as a component of OpenShift Developer Tools and Services 4.21",
"product_id": "OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.21"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64 as a component of OpenShift Developer Tools and Services 4.21",
"product_id": "OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.21"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le as a component of OpenShift Developer Tools and Services 4.21",
"product_id": "OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.21"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x as a component of OpenShift Developer Tools and Services 4.21",
"product_id": "OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.21"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64 as a component of OpenShift Developer Tools and Services 4.21",
"product_id": "OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.21"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64 as a component of OpenShift Developer Tools and Services 4.21",
"product_id": "OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.21"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le as a component of OpenShift Developer Tools and Services 4.21",
"product_id": "OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.21"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x as a component of OpenShift Developer Tools and Services 4.21",
"product_id": "OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.21"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-29371",
"cwe": {
"id": "CWE-409",
"name": "Improper Handling of Highly Compressed Data (Data Amplification)"
},
"discovery_date": "2025-12-17T16:01:18.173727+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2423194"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in jose4j. A remote attacker can exploit this by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression. This can lead to a Denial of Service, making the service unavailable to legitimate users.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jose4j: jose4j: Denial of Service via malicious JSON Web Encryption (JWE) token compression",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated Important as it can lead to a Denial of Service in applications that process untrusted JSON Web Encryption tokens. An attacker can craft a malicious JWE token with an exceptionally high compression ratio, causing excessive memory allocation and processing time during decompression in affected components like jose4j. This affects products such as Red Hat AMQ, Enterprise Application Platform (EAP 8.0.z, 8.1.z), Red Hat JBoss Fuse, JBoss Data Grid, OpenShift Developer Tools \u0026 Services, Red Hat build of Apache Camel, Red Hat Integration, Red Hat OpenShift Dev Spaces, Red Hat Process Automation Manager, Red Hat Single Sign-On (RH-SSO), Insights, cloud.redhat.com, and OpenShift Serverless.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-29371"
},
{
"category": "external",
"summary": "RHBZ#2423194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2423194"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-29371",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-29371"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-29371",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29371"
},
{
"category": "external",
"summary": "https://bitbucket.org/b_c/jose4j/issues/220/vuln-zip-bomb-attack",
"url": "https://bitbucket.org/b_c/jose4j/issues/220/vuln-zip-bomb-attack"
}
],
"release_date": "2025-12-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T16:00:39+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.21 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10199"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jose4j: jose4j: Denial of Service via malicious JSON Web Encryption (JWE) token compression"
},
{
"cve": "CVE-2026-27099",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2026-02-18T15:02:52.012661+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2440638"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jenkins. This vulnerability, identified as a stored cross-site scripting (XSS) issue, occurs because Jenkins does not properly escape the user-provided description for the \"Mark temporarily offline\" cause. An attacker with Agent/Configure or Agent/Disconnect permissions can exploit this to inject malicious scripts, leading to potential information disclosure or unauthorized actions within the user\u0027s browser.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.jenkins-ci.main/jenkins-core: Jenkins: Stored Cross-site Scripting (XSS) via unescaped user-provided offline cause description",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability in Jenkins allows authenticated attackers with Agent/Configure or Agent/Disconnect permissions to inject malicious scripts into the \"Mark temporarily offline\" cause description. This stored cross-site scripting (XSS) flaw can lead to information disclosure or unauthorized actions within a user\u0027s browser when viewing the affected description. Red Hat OpenShift Developer Tools \u0026 Services are affected.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-27099"
},
{
"category": "external",
"summary": "RHBZ#2440638",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440638"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-27099",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27099"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-27099",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27099"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3669",
"url": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3669"
}
],
"release_date": "2026-02-18T14:17:43.911000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T16:00:39+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.21 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10199"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "org.jenkins-ci.main/jenkins-core: Jenkins: Stored Cross-site Scripting (XSS) via unescaped user-provided offline cause description"
},
{
"cve": "CVE-2026-27100",
"cwe": {
"id": "CWE-551",
"name": "Incorrect Behavior Order: Authorization Before Parsing and Canonicalization"
},
"discovery_date": "2026-02-18T15:02:47.032150+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2440637"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jenkins. An attacker with Item/Build and Item/Configure permissions can exploit this vulnerability by submitting Run Parameter values that refer to builds they do not have authorization to access. This allows the attacker to obtain sensitive information, including the existence of jobs, the existence of builds, and the display names of specific builds. This is an information disclosure vulnerability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.jenkins-ci.main/jenkins-core: Jenkins: Information disclosure via unauthorized access to build parameters",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This information disclosure vulnerability in Jenkins allows an attacker with Item/Build and Item/Configure permissions to gain knowledge about the existence and display names of jobs and builds they are not authorized to access. This affects Jenkins instances in OpenShift Developer Tools \u0026 Services.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-27100"
},
{
"category": "external",
"summary": "RHBZ#2440637",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440637"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-27100",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27100"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-27100",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27100"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3658",
"url": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3658"
}
],
"release_date": "2026-02-18T14:17:44.672000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T16:00:39+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.21 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10199"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "org.jenkins-ci.main/jenkins-core: Jenkins: Information disclosure via unauthorized access to build parameters"
},
{
"cve": "CVE-2026-33001",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2026-03-18T16:02:14.310096+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2448645"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jenkins. This vulnerability allows attackers with Item/Configure permission, or those who can control agent processes, to exploit unsafe handling of symbolic links during the extraction of .tar and .tar.gz archives. By crafting malicious archives, an attacker can write files to arbitrary locations on the filesystem. This could enable the deployment of malicious scripts or plugins on the Jenkins controller, potentially leading to unauthorized code execution.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins: Jenkins: Arbitrary file write and potential code execution through crafted archives",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-33001"
},
{
"category": "external",
"summary": "RHBZ#2448645",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448645"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-33001",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33001"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-33001",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33001"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3657",
"url": "https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3657"
}
],
"release_date": "2026-03-18T15:15:23.950000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T16:00:39+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.21 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10199"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.21:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jenkins: Jenkins: Arbitrary file write and potential code execution through crafted archives"
}
]
}
RHSA-2026:10201
Vulnerability from csaf_redhat - Published: 2026-04-23 16:39 - Updated: 2026-07-03 12:02A flaw was found in jose4j. A remote attacker can exploit this by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression. This can lead to a Denial of Service, making the service unavailable to legitimate users.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64 | — |
Vendor Fix
fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64 | — |
A flaw was found in Jenkins. This vulnerability, identified as a stored cross-site scripting (XSS) issue, occurs because Jenkins does not properly escape the user-provided description for the "Mark temporarily offline" cause. An attacker with Agent/Configure or Agent/Disconnect permissions can exploit this to inject malicious scripts, leading to potential information disclosure or unauthorized actions within the user's browser.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64 | — |
Vendor Fix
fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64 | — |
A flaw was found in Jenkins. An attacker with Item/Build and Item/Configure permissions can exploit this vulnerability by submitting Run Parameter values that refer to builds they do not have authorization to access. This allows the attacker to obtain sensitive information, including the existence of jobs, the existence of builds, and the display names of specific builds. This is an information disclosure vulnerability.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64 | — |
Vendor Fix
fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64 | — |
A flaw was found in Jenkins. This vulnerability allows attackers with Item/Configure permission, or those who can control agent processes, to exploit unsafe handling of symbolic links during the extraction of .tar and .tar.gz archives. By crafting malicious archives, an attacker can write files to arbitrary locations on the filesystem. This could enable the deployment of malicious scripts or plugins on the Jenkins controller, potentially leading to unauthorized code execution.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64 | — |
Vendor Fix
fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64 | — |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for Openshift Jenkins is now available for Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.13.",
"title": "Topic"
},
{
"category": "general",
"text": "Release of Red Hat OpenShift Developer Tools - Openshift Jenkins 4.13 security update.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:10201",
"url": "https://access.redhat.com/errata/RHSA-2026:10201"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2024-29371",
"url": "https://access.redhat.com/security/cve/CVE-2024-29371"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-27099",
"url": "https://access.redhat.com/security/cve/CVE-2026-27099"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-27100",
"url": "https://access.redhat.com/security/cve/CVE-2026-27100"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-33001",
"url": "https://access.redhat.com/security/cve/CVE-2026-33001"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://docs.redhat.com/en/documentation/openshift_container_platform/4.13/html/jenkins",
"url": "https://docs.redhat.com/en/documentation/openshift_container_platform/4.13/html/jenkins"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_10201.json"
}
],
"title": "Red Hat Security Advisory: Release of Red Hat OpenShift Developer Tools - Openshift Jenkins 4.13 security update.",
"tracking": {
"current_release_date": "2026-07-03T12:02:29+00:00",
"generator": {
"date": "2026-07-03T12:02:29+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.3.1"
}
},
"id": "RHSA-2026:10201",
"initial_release_date": "2026-04-23T16:39:39+00:00",
"revision_history": [
{
"date": "2026-04-23T16:39:39+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-04-23T16:39:47+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-07-03T12:02:29+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "OpenShift Developer Tools and Services 4.13",
"product": {
"name": "OpenShift Developer Tools and Services 4.13",
"product_id": "OpenShift Developer Tools and Services 4.13",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:ocp_tools:4.13::el8"
}
}
}
],
"category": "product_family",
"name": "OpenShift Developer Tools and Services"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel8@sha256%3Aad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872?arch=amd64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776760341"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-rhel8@sha256%3A8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7?arch=amd64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776764096"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel8@sha256%3A3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230?arch=arm64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776760341"
}
}
}
],
"category": "architecture",
"name": "arm64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel8@sha256%3A7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056?arch=ppc64le\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776760341"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel8@sha256%3A3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39?arch=s390x\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776760341"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64 as a component of OpenShift Developer Tools and Services 4.13",
"product_id": "OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.13"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x as a component of OpenShift Developer Tools and Services 4.13",
"product_id": "OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.13"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le as a component of OpenShift Developer Tools and Services 4.13",
"product_id": "OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.13"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64 as a component of OpenShift Developer Tools and Services 4.13",
"product_id": "OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.13"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64 as a component of OpenShift Developer Tools and Services 4.13",
"product_id": "OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.13"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-29371",
"cwe": {
"id": "CWE-409",
"name": "Improper Handling of Highly Compressed Data (Data Amplification)"
},
"discovery_date": "2025-12-17T16:01:18.173727+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2423194"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in jose4j. A remote attacker can exploit this by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression. This can lead to a Denial of Service, making the service unavailable to legitimate users.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jose4j: jose4j: Denial of Service via malicious JSON Web Encryption (JWE) token compression",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated Important as it can lead to a Denial of Service in applications that process untrusted JSON Web Encryption tokens. An attacker can craft a malicious JWE token with an exceptionally high compression ratio, causing excessive memory allocation and processing time during decompression in affected components like jose4j. This affects products such as Red Hat AMQ, Enterprise Application Platform (EAP 8.0.z, 8.1.z), Red Hat JBoss Fuse, JBoss Data Grid, OpenShift Developer Tools \u0026 Services, Red Hat build of Apache Camel, Red Hat Integration, Red Hat OpenShift Dev Spaces, Red Hat Process Automation Manager, Red Hat Single Sign-On (RH-SSO), Insights, cloud.redhat.com, and OpenShift Serverless.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-29371"
},
{
"category": "external",
"summary": "RHBZ#2423194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2423194"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-29371",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-29371"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-29371",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29371"
},
{
"category": "external",
"summary": "https://bitbucket.org/b_c/jose4j/issues/220/vuln-zip-bomb-attack",
"url": "https://bitbucket.org/b_c/jose4j/issues/220/vuln-zip-bomb-attack"
}
],
"release_date": "2025-12-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T16:39:39+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.13 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10201"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jose4j: jose4j: Denial of Service via malicious JSON Web Encryption (JWE) token compression"
},
{
"cve": "CVE-2026-27099",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2026-02-18T15:02:52.012661+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2440638"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jenkins. This vulnerability, identified as a stored cross-site scripting (XSS) issue, occurs because Jenkins does not properly escape the user-provided description for the \"Mark temporarily offline\" cause. An attacker with Agent/Configure or Agent/Disconnect permissions can exploit this to inject malicious scripts, leading to potential information disclosure or unauthorized actions within the user\u0027s browser.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.jenkins-ci.main/jenkins-core: Jenkins: Stored Cross-site Scripting (XSS) via unescaped user-provided offline cause description",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability in Jenkins allows authenticated attackers with Agent/Configure or Agent/Disconnect permissions to inject malicious scripts into the \"Mark temporarily offline\" cause description. This stored cross-site scripting (XSS) flaw can lead to information disclosure or unauthorized actions within a user\u0027s browser when viewing the affected description. Red Hat OpenShift Developer Tools \u0026 Services are affected.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-27099"
},
{
"category": "external",
"summary": "RHBZ#2440638",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440638"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-27099",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27099"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-27099",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27099"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3669",
"url": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3669"
}
],
"release_date": "2026-02-18T14:17:43.911000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T16:39:39+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.13 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10201"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "org.jenkins-ci.main/jenkins-core: Jenkins: Stored Cross-site Scripting (XSS) via unescaped user-provided offline cause description"
},
{
"cve": "CVE-2026-27100",
"cwe": {
"id": "CWE-551",
"name": "Incorrect Behavior Order: Authorization Before Parsing and Canonicalization"
},
"discovery_date": "2026-02-18T15:02:47.032150+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2440637"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jenkins. An attacker with Item/Build and Item/Configure permissions can exploit this vulnerability by submitting Run Parameter values that refer to builds they do not have authorization to access. This allows the attacker to obtain sensitive information, including the existence of jobs, the existence of builds, and the display names of specific builds. This is an information disclosure vulnerability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.jenkins-ci.main/jenkins-core: Jenkins: Information disclosure via unauthorized access to build parameters",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This information disclosure vulnerability in Jenkins allows an attacker with Item/Build and Item/Configure permissions to gain knowledge about the existence and display names of jobs and builds they are not authorized to access. This affects Jenkins instances in OpenShift Developer Tools \u0026 Services.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-27100"
},
{
"category": "external",
"summary": "RHBZ#2440637",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440637"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-27100",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27100"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-27100",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27100"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3658",
"url": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3658"
}
],
"release_date": "2026-02-18T14:17:44.672000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T16:39:39+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.13 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10201"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "org.jenkins-ci.main/jenkins-core: Jenkins: Information disclosure via unauthorized access to build parameters"
},
{
"cve": "CVE-2026-33001",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2026-03-18T16:02:14.310096+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2448645"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jenkins. This vulnerability allows attackers with Item/Configure permission, or those who can control agent processes, to exploit unsafe handling of symbolic links during the extraction of .tar and .tar.gz archives. By crafting malicious archives, an attacker can write files to arbitrary locations on the filesystem. This could enable the deployment of malicious scripts or plugins on the Jenkins controller, potentially leading to unauthorized code execution.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins: Jenkins: Arbitrary file write and potential code execution through crafted archives",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-33001"
},
{
"category": "external",
"summary": "RHBZ#2448645",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448645"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-33001",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33001"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-33001",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33001"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3657",
"url": "https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3657"
}
],
"release_date": "2026-03-18T15:15:23.950000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T16:39:39+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.13 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10201"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"OpenShift Developer Tools and Services 4.13:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jenkins: Jenkins: Arbitrary file write and potential code execution through crafted archives"
}
]
}
RHSA-2026:10204
Vulnerability from csaf_redhat - Published: 2026-04-23 16:56 - Updated: 2026-07-03 12:02A flaw was found in jose4j. A remote attacker can exploit this by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression. This can lead to a Denial of Service, making the service unavailable to legitimate users.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x | — |
Vendor Fix
fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64 | — |
A flaw was found in Jenkins. This vulnerability, identified as a stored cross-site scripting (XSS) issue, occurs because Jenkins does not properly escape the user-provided description for the "Mark temporarily offline" cause. An attacker with Agent/Configure or Agent/Disconnect permissions can exploit this to inject malicious scripts, leading to potential information disclosure or unauthorized actions within the user's browser.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x | — |
Vendor Fix
fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64 | — |
A flaw was found in Jenkins. An attacker with Item/Build and Item/Configure permissions can exploit this vulnerability by submitting Run Parameter values that refer to builds they do not have authorization to access. This allows the attacker to obtain sensitive information, including the existence of jobs, the existence of builds, and the display names of specific builds. This is an information disclosure vulnerability.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x | — |
Vendor Fix
fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64 | — |
A flaw was found in Jenkins. This vulnerability allows attackers with Item/Configure permission, or those who can control agent processes, to exploit unsafe handling of symbolic links during the extraction of .tar and .tar.gz archives. By crafting malicious archives, an attacker can write files to arbitrary locations on the filesystem. This could enable the deployment of malicious scripts or plugins on the Jenkins controller, potentially leading to unauthorized code execution.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x | — |
Vendor Fix
fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64 | — |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for Openshift Jenkins is now available for Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.15.",
"title": "Topic"
},
{
"category": "general",
"text": "Release of Red Hat OpenShift Developer Tools - Openshift Jenkins 4.15 security update.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:10204",
"url": "https://access.redhat.com/errata/RHSA-2026:10204"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2024-29371",
"url": "https://access.redhat.com/security/cve/CVE-2024-29371"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-27099",
"url": "https://access.redhat.com/security/cve/CVE-2026-27099"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-27100",
"url": "https://access.redhat.com/security/cve/CVE-2026-27100"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-33001",
"url": "https://access.redhat.com/security/cve/CVE-2026-33001"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://docs.redhat.com/en/documentation/openshift_container_platform/4.15/html/jenkins",
"url": "https://docs.redhat.com/en/documentation/openshift_container_platform/4.15/html/jenkins"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_10204.json"
}
],
"title": "Red Hat Security Advisory: Release of Red Hat OpenShift Developer Tools - Openshift Jenkins 4.15 security update.",
"tracking": {
"current_release_date": "2026-07-03T12:02:25+00:00",
"generator": {
"date": "2026-07-03T12:02:25+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.3.1"
}
},
"id": "RHSA-2026:10204",
"initial_release_date": "2026-04-23T16:56:17+00:00",
"revision_history": [
{
"date": "2026-04-23T16:56:17+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-04-23T16:56:26+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-07-03T12:02:25+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "OpenShift Developer Tools and Services 4.15",
"product": {
"name": "OpenShift Developer Tools and Services 4.15",
"product_id": "OpenShift Developer Tools and Services 4.15",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:ocp_tools:4.15::el8"
}
}
}
],
"category": "product_family",
"name": "OpenShift Developer Tools and Services"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel8@sha256%3Aad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872?arch=amd64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776760341"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-rhel8@sha256%3A5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d?arch=amd64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776762347"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel8@sha256%3A3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230?arch=arm64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776760341"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-rhel8@sha256%3Aec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae?arch=arm64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776762347"
}
}
}
],
"category": "architecture",
"name": "arm64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel8@sha256%3A7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056?arch=ppc64le\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776760341"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-rhel8@sha256%3A02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c?arch=ppc64le\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776762347"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel8@sha256%3A3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39?arch=s390x\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776760341"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-rhel8@sha256%3Afa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8?arch=s390x\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776762347"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64 as a component of OpenShift Developer Tools and Services 4.15",
"product_id": "OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.15"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x as a component of OpenShift Developer Tools and Services 4.15",
"product_id": "OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.15"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le as a component of OpenShift Developer Tools and Services 4.15",
"product_id": "OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.15"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64 as a component of OpenShift Developer Tools and Services 4.15",
"product_id": "OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.15"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le as a component of OpenShift Developer Tools and Services 4.15",
"product_id": "OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.15"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64 as a component of OpenShift Developer Tools and Services 4.15",
"product_id": "OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.15"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64 as a component of OpenShift Developer Tools and Services 4.15",
"product_id": "OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.15"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x as a component of OpenShift Developer Tools and Services 4.15",
"product_id": "OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.15"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-29371",
"cwe": {
"id": "CWE-409",
"name": "Improper Handling of Highly Compressed Data (Data Amplification)"
},
"discovery_date": "2025-12-17T16:01:18.173727+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2423194"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in jose4j. A remote attacker can exploit this by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression. This can lead to a Denial of Service, making the service unavailable to legitimate users.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jose4j: jose4j: Denial of Service via malicious JSON Web Encryption (JWE) token compression",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated Important as it can lead to a Denial of Service in applications that process untrusted JSON Web Encryption tokens. An attacker can craft a malicious JWE token with an exceptionally high compression ratio, causing excessive memory allocation and processing time during decompression in affected components like jose4j. This affects products such as Red Hat AMQ, Enterprise Application Platform (EAP 8.0.z, 8.1.z), Red Hat JBoss Fuse, JBoss Data Grid, OpenShift Developer Tools \u0026 Services, Red Hat build of Apache Camel, Red Hat Integration, Red Hat OpenShift Dev Spaces, Red Hat Process Automation Manager, Red Hat Single Sign-On (RH-SSO), Insights, cloud.redhat.com, and OpenShift Serverless.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-29371"
},
{
"category": "external",
"summary": "RHBZ#2423194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2423194"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-29371",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-29371"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-29371",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29371"
},
{
"category": "external",
"summary": "https://bitbucket.org/b_c/jose4j/issues/220/vuln-zip-bomb-attack",
"url": "https://bitbucket.org/b_c/jose4j/issues/220/vuln-zip-bomb-attack"
}
],
"release_date": "2025-12-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T16:56:17+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.15 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10204"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jose4j: jose4j: Denial of Service via malicious JSON Web Encryption (JWE) token compression"
},
{
"cve": "CVE-2026-27099",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2026-02-18T15:02:52.012661+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2440638"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jenkins. This vulnerability, identified as a stored cross-site scripting (XSS) issue, occurs because Jenkins does not properly escape the user-provided description for the \"Mark temporarily offline\" cause. An attacker with Agent/Configure or Agent/Disconnect permissions can exploit this to inject malicious scripts, leading to potential information disclosure or unauthorized actions within the user\u0027s browser.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.jenkins-ci.main/jenkins-core: Jenkins: Stored Cross-site Scripting (XSS) via unescaped user-provided offline cause description",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability in Jenkins allows authenticated attackers with Agent/Configure or Agent/Disconnect permissions to inject malicious scripts into the \"Mark temporarily offline\" cause description. This stored cross-site scripting (XSS) flaw can lead to information disclosure or unauthorized actions within a user\u0027s browser when viewing the affected description. Red Hat OpenShift Developer Tools \u0026 Services are affected.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-27099"
},
{
"category": "external",
"summary": "RHBZ#2440638",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440638"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-27099",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27099"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-27099",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27099"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3669",
"url": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3669"
}
],
"release_date": "2026-02-18T14:17:43.911000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T16:56:17+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.15 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10204"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "org.jenkins-ci.main/jenkins-core: Jenkins: Stored Cross-site Scripting (XSS) via unescaped user-provided offline cause description"
},
{
"cve": "CVE-2026-27100",
"cwe": {
"id": "CWE-551",
"name": "Incorrect Behavior Order: Authorization Before Parsing and Canonicalization"
},
"discovery_date": "2026-02-18T15:02:47.032150+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2440637"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jenkins. An attacker with Item/Build and Item/Configure permissions can exploit this vulnerability by submitting Run Parameter values that refer to builds they do not have authorization to access. This allows the attacker to obtain sensitive information, including the existence of jobs, the existence of builds, and the display names of specific builds. This is an information disclosure vulnerability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.jenkins-ci.main/jenkins-core: Jenkins: Information disclosure via unauthorized access to build parameters",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This information disclosure vulnerability in Jenkins allows an attacker with Item/Build and Item/Configure permissions to gain knowledge about the existence and display names of jobs and builds they are not authorized to access. This affects Jenkins instances in OpenShift Developer Tools \u0026 Services.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-27100"
},
{
"category": "external",
"summary": "RHBZ#2440637",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440637"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-27100",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27100"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-27100",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27100"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3658",
"url": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3658"
}
],
"release_date": "2026-02-18T14:17:44.672000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T16:56:17+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.15 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10204"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "org.jenkins-ci.main/jenkins-core: Jenkins: Information disclosure via unauthorized access to build parameters"
},
{
"cve": "CVE-2026-33001",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2026-03-18T16:02:14.310096+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2448645"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jenkins. This vulnerability allows attackers with Item/Configure permission, or those who can control agent processes, to exploit unsafe handling of symbolic links during the extraction of .tar and .tar.gz archives. By crafting malicious archives, an attacker can write files to arbitrary locations on the filesystem. This could enable the deployment of malicious scripts or plugins on the Jenkins controller, potentially leading to unauthorized code execution.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins: Jenkins: Arbitrary file write and potential code execution through crafted archives",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-33001"
},
{
"category": "external",
"summary": "RHBZ#2448645",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448645"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-33001",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33001"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-33001",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33001"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3657",
"url": "https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3657"
}
],
"release_date": "2026-03-18T15:15:23.950000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T16:56:17+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.15 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10204"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"OpenShift Developer Tools and Services 4.15:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jenkins: Jenkins: Arbitrary file write and potential code execution through crafted archives"
}
]
}
RHSA-2026:10205
Vulnerability from csaf_redhat - Published: 2026-04-23 17:06 - Updated: 2026-07-03 12:02A flaw was found in jose4j. A remote attacker can exploit this by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression. This can lead to a Denial of Service, making the service unavailable to legitimate users.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x | — |
Vendor Fix
fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x | — |
A flaw was found in Jenkins. This vulnerability, identified as a stored cross-site scripting (XSS) issue, occurs because Jenkins does not properly escape the user-provided description for the "Mark temporarily offline" cause. An attacker with Agent/Configure or Agent/Disconnect permissions can exploit this to inject malicious scripts, leading to potential information disclosure or unauthorized actions within the user's browser.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x | — |
Vendor Fix
fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x | — |
A flaw was found in Jenkins. An attacker with Item/Build and Item/Configure permissions can exploit this vulnerability by submitting Run Parameter values that refer to builds they do not have authorization to access. This allows the attacker to obtain sensitive information, including the existence of jobs, the existence of builds, and the display names of specific builds. This is an information disclosure vulnerability.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x | — |
Vendor Fix
fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x | — |
A flaw was found in Jenkins. This vulnerability allows attackers with Item/Configure permission, or those who can control agent processes, to exploit unsafe handling of symbolic links during the extraction of .tar and .tar.gz archives. By crafting malicious archives, an attacker can write files to arbitrary locations on the filesystem. This could enable the deployment of malicious scripts or plugins on the Jenkins controller, potentially leading to unauthorized code execution.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x | — |
Vendor Fix
fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x | — |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for Openshift Jenkins is now available for Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.20.",
"title": "Topic"
},
{
"category": "general",
"text": "Release of Red Hat OpenShift Developer Tools - Openshift Jenkins 4.20 security update.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:10205",
"url": "https://access.redhat.com/errata/RHSA-2026:10205"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2024-29371",
"url": "https://access.redhat.com/security/cve/CVE-2024-29371"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-27099",
"url": "https://access.redhat.com/security/cve/CVE-2026-27099"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-27100",
"url": "https://access.redhat.com/security/cve/CVE-2026-27100"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-33001",
"url": "https://access.redhat.com/security/cve/CVE-2026-33001"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://docs.redhat.com/en/documentation/openshift_container_platform/4.20/html/jenkins",
"url": "https://docs.redhat.com/en/documentation/openshift_container_platform/4.20/html/jenkins"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_10205.json"
}
],
"title": "Red Hat Security Advisory: Release of Red Hat OpenShift Developer Tools - Openshift Jenkins 4.20 security update.",
"tracking": {
"current_release_date": "2026-07-03T12:02:26+00:00",
"generator": {
"date": "2026-07-03T12:02:26+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.3.1"
}
},
"id": "RHSA-2026:10205",
"initial_release_date": "2026-04-23T17:06:07+00:00",
"revision_history": [
{
"date": "2026-04-23T17:06:07+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-04-23T17:06:18+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-07-03T12:02:26+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "OpenShift Developer Tools and Services 4.2",
"product": {
"name": "OpenShift Developer Tools and Services 4.2",
"product_id": "OpenShift Developer Tools and Services 4.2",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:ocp_tools:4.20::el9"
}
}
}
],
"category": "product_family",
"name": "OpenShift Developer Tools and Services"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel9@sha256%3A960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd?arch=amd64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944183"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-rhel9@sha256%3A0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630?arch=amd64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944215"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel9@sha256%3A486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97?arch=arm64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944183"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-rhel9@sha256%3A1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4?arch=arm64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944215"
}
}
}
],
"category": "architecture",
"name": "arm64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel9@sha256%3Aa41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190?arch=ppc64le\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944183"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-rhel9@sha256%3Aab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454?arch=ppc64le\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944215"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel9@sha256%3Acef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96?arch=s390x\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944183"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-rhel9@sha256%3Ab453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7?arch=s390x\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944215"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64 as a component of OpenShift Developer Tools and Services 4.2",
"product_id": "OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64 as a component of OpenShift Developer Tools and Services 4.2",
"product_id": "OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le as a component of OpenShift Developer Tools and Services 4.2",
"product_id": "OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x as a component of OpenShift Developer Tools and Services 4.2",
"product_id": "OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64 as a component of OpenShift Developer Tools and Services 4.2",
"product_id": "OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64 as a component of OpenShift Developer Tools and Services 4.2",
"product_id": "OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le as a component of OpenShift Developer Tools and Services 4.2",
"product_id": "OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x as a component of OpenShift Developer Tools and Services 4.2",
"product_id": "OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.2"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-29371",
"cwe": {
"id": "CWE-409",
"name": "Improper Handling of Highly Compressed Data (Data Amplification)"
},
"discovery_date": "2025-12-17T16:01:18.173727+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2423194"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in jose4j. A remote attacker can exploit this by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression. This can lead to a Denial of Service, making the service unavailable to legitimate users.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jose4j: jose4j: Denial of Service via malicious JSON Web Encryption (JWE) token compression",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated Important as it can lead to a Denial of Service in applications that process untrusted JSON Web Encryption tokens. An attacker can craft a malicious JWE token with an exceptionally high compression ratio, causing excessive memory allocation and processing time during decompression in affected components like jose4j. This affects products such as Red Hat AMQ, Enterprise Application Platform (EAP 8.0.z, 8.1.z), Red Hat JBoss Fuse, JBoss Data Grid, OpenShift Developer Tools \u0026 Services, Red Hat build of Apache Camel, Red Hat Integration, Red Hat OpenShift Dev Spaces, Red Hat Process Automation Manager, Red Hat Single Sign-On (RH-SSO), Insights, cloud.redhat.com, and OpenShift Serverless.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-29371"
},
{
"category": "external",
"summary": "RHBZ#2423194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2423194"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-29371",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-29371"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-29371",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29371"
},
{
"category": "external",
"summary": "https://bitbucket.org/b_c/jose4j/issues/220/vuln-zip-bomb-attack",
"url": "https://bitbucket.org/b_c/jose4j/issues/220/vuln-zip-bomb-attack"
}
],
"release_date": "2025-12-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T17:06:07+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.20 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10205"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jose4j: jose4j: Denial of Service via malicious JSON Web Encryption (JWE) token compression"
},
{
"cve": "CVE-2026-27099",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2026-02-18T15:02:52.012661+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2440638"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jenkins. This vulnerability, identified as a stored cross-site scripting (XSS) issue, occurs because Jenkins does not properly escape the user-provided description for the \"Mark temporarily offline\" cause. An attacker with Agent/Configure or Agent/Disconnect permissions can exploit this to inject malicious scripts, leading to potential information disclosure or unauthorized actions within the user\u0027s browser.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.jenkins-ci.main/jenkins-core: Jenkins: Stored Cross-site Scripting (XSS) via unescaped user-provided offline cause description",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability in Jenkins allows authenticated attackers with Agent/Configure or Agent/Disconnect permissions to inject malicious scripts into the \"Mark temporarily offline\" cause description. This stored cross-site scripting (XSS) flaw can lead to information disclosure or unauthorized actions within a user\u0027s browser when viewing the affected description. Red Hat OpenShift Developer Tools \u0026 Services are affected.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-27099"
},
{
"category": "external",
"summary": "RHBZ#2440638",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440638"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-27099",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27099"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-27099",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27099"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3669",
"url": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3669"
}
],
"release_date": "2026-02-18T14:17:43.911000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T17:06:07+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.20 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10205"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "org.jenkins-ci.main/jenkins-core: Jenkins: Stored Cross-site Scripting (XSS) via unescaped user-provided offline cause description"
},
{
"cve": "CVE-2026-27100",
"cwe": {
"id": "CWE-551",
"name": "Incorrect Behavior Order: Authorization Before Parsing and Canonicalization"
},
"discovery_date": "2026-02-18T15:02:47.032150+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2440637"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jenkins. An attacker with Item/Build and Item/Configure permissions can exploit this vulnerability by submitting Run Parameter values that refer to builds they do not have authorization to access. This allows the attacker to obtain sensitive information, including the existence of jobs, the existence of builds, and the display names of specific builds. This is an information disclosure vulnerability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.jenkins-ci.main/jenkins-core: Jenkins: Information disclosure via unauthorized access to build parameters",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This information disclosure vulnerability in Jenkins allows an attacker with Item/Build and Item/Configure permissions to gain knowledge about the existence and display names of jobs and builds they are not authorized to access. This affects Jenkins instances in OpenShift Developer Tools \u0026 Services.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-27100"
},
{
"category": "external",
"summary": "RHBZ#2440637",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440637"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-27100",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27100"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-27100",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27100"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3658",
"url": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3658"
}
],
"release_date": "2026-02-18T14:17:44.672000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T17:06:07+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.20 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10205"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "org.jenkins-ci.main/jenkins-core: Jenkins: Information disclosure via unauthorized access to build parameters"
},
{
"cve": "CVE-2026-33001",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2026-03-18T16:02:14.310096+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2448645"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jenkins. This vulnerability allows attackers with Item/Configure permission, or those who can control agent processes, to exploit unsafe handling of symbolic links during the extraction of .tar and .tar.gz archives. By crafting malicious archives, an attacker can write files to arbitrary locations on the filesystem. This could enable the deployment of malicious scripts or plugins on the Jenkins controller, potentially leading to unauthorized code execution.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins: Jenkins: Arbitrary file write and potential code execution through crafted archives",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-33001"
},
{
"category": "external",
"summary": "RHBZ#2448645",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448645"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-33001",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33001"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-33001",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33001"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3657",
"url": "https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3657"
}
],
"release_date": "2026-03-18T15:15:23.950000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T17:06:07+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.20 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10205"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.2:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jenkins: Jenkins: Arbitrary file write and potential code execution through crafted archives"
}
]
}
RHSA-2026:10206
Vulnerability from csaf_redhat - Published: 2026-04-23 17:15 - Updated: 2026-07-03 12:02A flaw was found in jose4j. A remote attacker can exploit this by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression. This can lead to a Denial of Service, making the service unavailable to legitimate users.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x | — |
Vendor Fix
fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x | — |
A flaw was found in Jenkins. This vulnerability, identified as a stored cross-site scripting (XSS) issue, occurs because Jenkins does not properly escape the user-provided description for the "Mark temporarily offline" cause. An attacker with Agent/Configure or Agent/Disconnect permissions can exploit this to inject malicious scripts, leading to potential information disclosure or unauthorized actions within the user's browser.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x | — |
Vendor Fix
fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x | — |
A flaw was found in Jenkins. An attacker with Item/Build and Item/Configure permissions can exploit this vulnerability by submitting Run Parameter values that refer to builds they do not have authorization to access. This allows the attacker to obtain sensitive information, including the existence of jobs, the existence of builds, and the display names of specific builds. This is an information disclosure vulnerability.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x | — |
Vendor Fix
fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x | — |
A flaw was found in Jenkins. This vulnerability allows attackers with Item/Configure permission, or those who can control agent processes, to exploit unsafe handling of symbolic links during the extraction of .tar and .tar.gz archives. By crafting malicious archives, an attacker can write files to arbitrary locations on the filesystem. This could enable the deployment of malicious scripts or plugins on the Jenkins controller, potentially leading to unauthorized code execution.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x | — |
Vendor Fix
fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x | — |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for Openshift Jenkins is now available for Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.19.",
"title": "Topic"
},
{
"category": "general",
"text": "Release of Red Hat OpenShift Developer Tools - Openshift Jenkins 4.19 security update.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:10206",
"url": "https://access.redhat.com/errata/RHSA-2026:10206"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2024-29371",
"url": "https://access.redhat.com/security/cve/CVE-2024-29371"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-27099",
"url": "https://access.redhat.com/security/cve/CVE-2026-27099"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-27100",
"url": "https://access.redhat.com/security/cve/CVE-2026-27100"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-33001",
"url": "https://access.redhat.com/security/cve/CVE-2026-33001"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://docs.redhat.com/en/documentation/openshift_container_platform/4.19/html/jenkins",
"url": "https://docs.redhat.com/en/documentation/openshift_container_platform/4.19/html/jenkins"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_10206.json"
}
],
"title": "Red Hat Security Advisory: Release of Red Hat OpenShift Developer Tools - Openshift Jenkins 4.19 security update.",
"tracking": {
"current_release_date": "2026-07-03T12:02:26+00:00",
"generator": {
"date": "2026-07-03T12:02:26+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.3.1"
}
},
"id": "RHSA-2026:10206",
"initial_release_date": "2026-04-23T17:15:37+00:00",
"revision_history": [
{
"date": "2026-04-23T17:15:37+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-04-23T17:15:48+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-07-03T12:02:26+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "OpenShift Developer Tools and Services 4.19",
"product": {
"name": "OpenShift Developer Tools and Services 4.19",
"product_id": "OpenShift Developer Tools and Services 4.19",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:ocp_tools:4.19::el9"
}
}
}
],
"category": "product_family",
"name": "OpenShift Developer Tools and Services"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel9@sha256%3A960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd?arch=amd64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944183"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-rhel9@sha256%3A0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630?arch=amd64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944215"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel9@sha256%3A486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97?arch=arm64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944183"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-rhel9@sha256%3A1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4?arch=arm64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944215"
}
}
}
],
"category": "architecture",
"name": "arm64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel9@sha256%3Aa41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190?arch=ppc64le\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944183"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-rhel9@sha256%3Aab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454?arch=ppc64le\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944215"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel9@sha256%3Acef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96?arch=s390x\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944183"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-rhel9@sha256%3Ab453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7?arch=s390x\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944215"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64 as a component of OpenShift Developer Tools and Services 4.19",
"product_id": "OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.19"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64 as a component of OpenShift Developer Tools and Services 4.19",
"product_id": "OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.19"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le as a component of OpenShift Developer Tools and Services 4.19",
"product_id": "OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.19"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x as a component of OpenShift Developer Tools and Services 4.19",
"product_id": "OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.19"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64 as a component of OpenShift Developer Tools and Services 4.19",
"product_id": "OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.19"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64 as a component of OpenShift Developer Tools and Services 4.19",
"product_id": "OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.19"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le as a component of OpenShift Developer Tools and Services 4.19",
"product_id": "OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.19"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x as a component of OpenShift Developer Tools and Services 4.19",
"product_id": "OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.19"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-29371",
"cwe": {
"id": "CWE-409",
"name": "Improper Handling of Highly Compressed Data (Data Amplification)"
},
"discovery_date": "2025-12-17T16:01:18.173727+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2423194"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in jose4j. A remote attacker can exploit this by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression. This can lead to a Denial of Service, making the service unavailable to legitimate users.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jose4j: jose4j: Denial of Service via malicious JSON Web Encryption (JWE) token compression",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated Important as it can lead to a Denial of Service in applications that process untrusted JSON Web Encryption tokens. An attacker can craft a malicious JWE token with an exceptionally high compression ratio, causing excessive memory allocation and processing time during decompression in affected components like jose4j. This affects products such as Red Hat AMQ, Enterprise Application Platform (EAP 8.0.z, 8.1.z), Red Hat JBoss Fuse, JBoss Data Grid, OpenShift Developer Tools \u0026 Services, Red Hat build of Apache Camel, Red Hat Integration, Red Hat OpenShift Dev Spaces, Red Hat Process Automation Manager, Red Hat Single Sign-On (RH-SSO), Insights, cloud.redhat.com, and OpenShift Serverless.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-29371"
},
{
"category": "external",
"summary": "RHBZ#2423194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2423194"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-29371",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-29371"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-29371",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29371"
},
{
"category": "external",
"summary": "https://bitbucket.org/b_c/jose4j/issues/220/vuln-zip-bomb-attack",
"url": "https://bitbucket.org/b_c/jose4j/issues/220/vuln-zip-bomb-attack"
}
],
"release_date": "2025-12-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T17:15:37+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.19 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10206"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jose4j: jose4j: Denial of Service via malicious JSON Web Encryption (JWE) token compression"
},
{
"cve": "CVE-2026-27099",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2026-02-18T15:02:52.012661+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2440638"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jenkins. This vulnerability, identified as a stored cross-site scripting (XSS) issue, occurs because Jenkins does not properly escape the user-provided description for the \"Mark temporarily offline\" cause. An attacker with Agent/Configure or Agent/Disconnect permissions can exploit this to inject malicious scripts, leading to potential information disclosure or unauthorized actions within the user\u0027s browser.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.jenkins-ci.main/jenkins-core: Jenkins: Stored Cross-site Scripting (XSS) via unescaped user-provided offline cause description",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability in Jenkins allows authenticated attackers with Agent/Configure or Agent/Disconnect permissions to inject malicious scripts into the \"Mark temporarily offline\" cause description. This stored cross-site scripting (XSS) flaw can lead to information disclosure or unauthorized actions within a user\u0027s browser when viewing the affected description. Red Hat OpenShift Developer Tools \u0026 Services are affected.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-27099"
},
{
"category": "external",
"summary": "RHBZ#2440638",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440638"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-27099",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27099"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-27099",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27099"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3669",
"url": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3669"
}
],
"release_date": "2026-02-18T14:17:43.911000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T17:15:37+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.19 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10206"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "org.jenkins-ci.main/jenkins-core: Jenkins: Stored Cross-site Scripting (XSS) via unescaped user-provided offline cause description"
},
{
"cve": "CVE-2026-27100",
"cwe": {
"id": "CWE-551",
"name": "Incorrect Behavior Order: Authorization Before Parsing and Canonicalization"
},
"discovery_date": "2026-02-18T15:02:47.032150+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2440637"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jenkins. An attacker with Item/Build and Item/Configure permissions can exploit this vulnerability by submitting Run Parameter values that refer to builds they do not have authorization to access. This allows the attacker to obtain sensitive information, including the existence of jobs, the existence of builds, and the display names of specific builds. This is an information disclosure vulnerability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.jenkins-ci.main/jenkins-core: Jenkins: Information disclosure via unauthorized access to build parameters",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This information disclosure vulnerability in Jenkins allows an attacker with Item/Build and Item/Configure permissions to gain knowledge about the existence and display names of jobs and builds they are not authorized to access. This affects Jenkins instances in OpenShift Developer Tools \u0026 Services.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-27100"
},
{
"category": "external",
"summary": "RHBZ#2440637",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440637"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-27100",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27100"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-27100",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27100"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3658",
"url": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3658"
}
],
"release_date": "2026-02-18T14:17:44.672000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T17:15:37+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.19 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10206"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "org.jenkins-ci.main/jenkins-core: Jenkins: Information disclosure via unauthorized access to build parameters"
},
{
"cve": "CVE-2026-33001",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2026-03-18T16:02:14.310096+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2448645"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jenkins. This vulnerability allows attackers with Item/Configure permission, or those who can control agent processes, to exploit unsafe handling of symbolic links during the extraction of .tar and .tar.gz archives. By crafting malicious archives, an attacker can write files to arbitrary locations on the filesystem. This could enable the deployment of malicious scripts or plugins on the Jenkins controller, potentially leading to unauthorized code execution.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins: Jenkins: Arbitrary file write and potential code execution through crafted archives",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-33001"
},
{
"category": "external",
"summary": "RHBZ#2448645",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448645"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-33001",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33001"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-33001",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33001"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3657",
"url": "https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3657"
}
],
"release_date": "2026-03-18T15:15:23.950000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T17:15:37+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.19 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10206"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.19:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jenkins: Jenkins: Arbitrary file write and potential code execution through crafted archives"
}
]
}
RHSA-2026:10209
Vulnerability from csaf_redhat - Published: 2026-04-23 17:20 - Updated: 2026-07-03 12:02A flaw was found in jose4j. A remote attacker can exploit this by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression. This can lead to a Denial of Service, making the service unavailable to legitimate users.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64 | — |
Vendor Fix
fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64 | — |
A flaw was found in Jenkins. This vulnerability, identified as a stored cross-site scripting (XSS) issue, occurs because Jenkins does not properly escape the user-provided description for the "Mark temporarily offline" cause. An attacker with Agent/Configure or Agent/Disconnect permissions can exploit this to inject malicious scripts, leading to potential information disclosure or unauthorized actions within the user's browser.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64 | — |
Vendor Fix
fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64 | — |
A flaw was found in Jenkins. An attacker with Item/Build and Item/Configure permissions can exploit this vulnerability by submitting Run Parameter values that refer to builds they do not have authorization to access. This allows the attacker to obtain sensitive information, including the existence of jobs, the existence of builds, and the display names of specific builds. This is an information disclosure vulnerability.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64 | — |
Vendor Fix
fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64 | — |
A flaw was found in Jenkins. This vulnerability allows attackers with Item/Configure permission, or those who can control agent processes, to exploit unsafe handling of symbolic links during the extraction of .tar and .tar.gz archives. By crafting malicious archives, an attacker can write files to arbitrary locations on the filesystem. This could enable the deployment of malicious scripts or plugins on the Jenkins controller, potentially leading to unauthorized code execution.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64 | — |
Vendor Fix
fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64 | — |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for Openshift Jenkins is now available for Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.12.",
"title": "Topic"
},
{
"category": "general",
"text": "Release of Red Hat OpenShift Developer Tools - Openshift Jenkins 4.12 security update.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:10209",
"url": "https://access.redhat.com/errata/RHSA-2026:10209"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2024-29371",
"url": "https://access.redhat.com/security/cve/CVE-2024-29371"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-27099",
"url": "https://access.redhat.com/security/cve/CVE-2026-27099"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-27100",
"url": "https://access.redhat.com/security/cve/CVE-2026-27100"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-33001",
"url": "https://access.redhat.com/security/cve/CVE-2026-33001"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://docs.redhat.com/en/documentation/openshift_container_platform/4.12/html/jenkins",
"url": "https://docs.redhat.com/en/documentation/openshift_container_platform/4.12/html/jenkins"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_10209.json"
}
],
"title": "Red Hat Security Advisory: Release of Red Hat OpenShift Developer Tools - Openshift Jenkins 4.12 security update.",
"tracking": {
"current_release_date": "2026-07-03T12:02:27+00:00",
"generator": {
"date": "2026-07-03T12:02:27+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.3.1"
}
},
"id": "RHSA-2026:10209",
"initial_release_date": "2026-04-23T17:20:35+00:00",
"revision_history": [
{
"date": "2026-04-23T17:20:35+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-04-23T17:20:47+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-07-03T12:02:27+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "OpenShift Developer Tools and Services 4.12",
"product": {
"name": "OpenShift Developer Tools and Services 4.12",
"product_id": "OpenShift Developer Tools and Services 4.12",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:ocp_tools:4.12::el8"
}
}
}
],
"category": "product_family",
"name": "OpenShift Developer Tools and Services"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel8@sha256%3Aad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872?arch=amd64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776760341"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-rhel8@sha256%3A8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7?arch=amd64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776764096"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel8@sha256%3A3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230?arch=arm64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776760341"
}
}
}
],
"category": "architecture",
"name": "arm64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel8@sha256%3A7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056?arch=ppc64le\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776760341"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel8@sha256%3A3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39?arch=s390x\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776760341"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64 as a component of OpenShift Developer Tools and Services 4.12",
"product_id": "OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x as a component of OpenShift Developer Tools and Services 4.12",
"product_id": "OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le as a component of OpenShift Developer Tools and Services 4.12",
"product_id": "OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64 as a component of OpenShift Developer Tools and Services 4.12",
"product_id": "OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64 as a component of OpenShift Developer Tools and Services 4.12",
"product_id": "OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.12"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-29371",
"cwe": {
"id": "CWE-409",
"name": "Improper Handling of Highly Compressed Data (Data Amplification)"
},
"discovery_date": "2025-12-17T16:01:18.173727+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2423194"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in jose4j. A remote attacker can exploit this by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression. This can lead to a Denial of Service, making the service unavailable to legitimate users.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jose4j: jose4j: Denial of Service via malicious JSON Web Encryption (JWE) token compression",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated Important as it can lead to a Denial of Service in applications that process untrusted JSON Web Encryption tokens. An attacker can craft a malicious JWE token with an exceptionally high compression ratio, causing excessive memory allocation and processing time during decompression in affected components like jose4j. This affects products such as Red Hat AMQ, Enterprise Application Platform (EAP 8.0.z, 8.1.z), Red Hat JBoss Fuse, JBoss Data Grid, OpenShift Developer Tools \u0026 Services, Red Hat build of Apache Camel, Red Hat Integration, Red Hat OpenShift Dev Spaces, Red Hat Process Automation Manager, Red Hat Single Sign-On (RH-SSO), Insights, cloud.redhat.com, and OpenShift Serverless.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-29371"
},
{
"category": "external",
"summary": "RHBZ#2423194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2423194"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-29371",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-29371"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-29371",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29371"
},
{
"category": "external",
"summary": "https://bitbucket.org/b_c/jose4j/issues/220/vuln-zip-bomb-attack",
"url": "https://bitbucket.org/b_c/jose4j/issues/220/vuln-zip-bomb-attack"
}
],
"release_date": "2025-12-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T17:20:35+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.12 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10209"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jose4j: jose4j: Denial of Service via malicious JSON Web Encryption (JWE) token compression"
},
{
"cve": "CVE-2026-27099",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2026-02-18T15:02:52.012661+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2440638"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jenkins. This vulnerability, identified as a stored cross-site scripting (XSS) issue, occurs because Jenkins does not properly escape the user-provided description for the \"Mark temporarily offline\" cause. An attacker with Agent/Configure or Agent/Disconnect permissions can exploit this to inject malicious scripts, leading to potential information disclosure or unauthorized actions within the user\u0027s browser.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.jenkins-ci.main/jenkins-core: Jenkins: Stored Cross-site Scripting (XSS) via unescaped user-provided offline cause description",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability in Jenkins allows authenticated attackers with Agent/Configure or Agent/Disconnect permissions to inject malicious scripts into the \"Mark temporarily offline\" cause description. This stored cross-site scripting (XSS) flaw can lead to information disclosure or unauthorized actions within a user\u0027s browser when viewing the affected description. Red Hat OpenShift Developer Tools \u0026 Services are affected.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-27099"
},
{
"category": "external",
"summary": "RHBZ#2440638",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440638"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-27099",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27099"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-27099",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27099"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3669",
"url": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3669"
}
],
"release_date": "2026-02-18T14:17:43.911000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T17:20:35+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.12 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10209"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "org.jenkins-ci.main/jenkins-core: Jenkins: Stored Cross-site Scripting (XSS) via unescaped user-provided offline cause description"
},
{
"cve": "CVE-2026-27100",
"cwe": {
"id": "CWE-551",
"name": "Incorrect Behavior Order: Authorization Before Parsing and Canonicalization"
},
"discovery_date": "2026-02-18T15:02:47.032150+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2440637"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jenkins. An attacker with Item/Build and Item/Configure permissions can exploit this vulnerability by submitting Run Parameter values that refer to builds they do not have authorization to access. This allows the attacker to obtain sensitive information, including the existence of jobs, the existence of builds, and the display names of specific builds. This is an information disclosure vulnerability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.jenkins-ci.main/jenkins-core: Jenkins: Information disclosure via unauthorized access to build parameters",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This information disclosure vulnerability in Jenkins allows an attacker with Item/Build and Item/Configure permissions to gain knowledge about the existence and display names of jobs and builds they are not authorized to access. This affects Jenkins instances in OpenShift Developer Tools \u0026 Services.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-27100"
},
{
"category": "external",
"summary": "RHBZ#2440637",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440637"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-27100",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27100"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-27100",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27100"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3658",
"url": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3658"
}
],
"release_date": "2026-02-18T14:17:44.672000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T17:20:35+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.12 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10209"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "org.jenkins-ci.main/jenkins-core: Jenkins: Information disclosure via unauthorized access to build parameters"
},
{
"cve": "CVE-2026-33001",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2026-03-18T16:02:14.310096+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2448645"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jenkins. This vulnerability allows attackers with Item/Configure permission, or those who can control agent processes, to exploit unsafe handling of symbolic links during the extraction of .tar and .tar.gz archives. By crafting malicious archives, an attacker can write files to arbitrary locations on the filesystem. This could enable the deployment of malicious scripts or plugins on the Jenkins controller, potentially leading to unauthorized code execution.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins: Jenkins: Arbitrary file write and potential code execution through crafted archives",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-33001"
},
{
"category": "external",
"summary": "RHBZ#2448645",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448645"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-33001",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33001"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-33001",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33001"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3657",
"url": "https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3657"
}
],
"release_date": "2026-03-18T15:15:23.950000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T17:20:35+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.12 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10209"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"OpenShift Developer Tools and Services 4.12:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:8b5e1f1b924de7b31a2856c84548a1369b433170205175ce65faa0d61aaae0a7_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jenkins: Jenkins: Arbitrary file write and potential code execution through crafted archives"
}
]
}
RHSA-2026:10211
Vulnerability from csaf_redhat - Published: 2026-04-23 17:21 - Updated: 2026-07-03 12:02A flaw was found in jose4j. A remote attacker can exploit this by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression. This can lead to a Denial of Service, making the service unavailable to legitimate users.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x | — |
Vendor Fix
fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64 | — |
A flaw was found in Jenkins. This vulnerability, identified as a stored cross-site scripting (XSS) issue, occurs because Jenkins does not properly escape the user-provided description for the "Mark temporarily offline" cause. An attacker with Agent/Configure or Agent/Disconnect permissions can exploit this to inject malicious scripts, leading to potential information disclosure or unauthorized actions within the user's browser.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x | — |
Vendor Fix
fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64 | — |
A flaw was found in Jenkins. An attacker with Item/Build and Item/Configure permissions can exploit this vulnerability by submitting Run Parameter values that refer to builds they do not have authorization to access. This allows the attacker to obtain sensitive information, including the existence of jobs, the existence of builds, and the display names of specific builds. This is an information disclosure vulnerability.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x | — |
Vendor Fix
fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64 | — |
A flaw was found in Jenkins. This vulnerability allows attackers with Item/Configure permission, or those who can control agent processes, to exploit unsafe handling of symbolic links during the extraction of .tar and .tar.gz archives. By crafting malicious archives, an attacker can write files to arbitrary locations on the filesystem. This could enable the deployment of malicious scripts or plugins on the Jenkins controller, potentially leading to unauthorized code execution.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x | — |
Vendor Fix
fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64 | — |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for Openshift Jenkins is now available for Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.14.",
"title": "Topic"
},
{
"category": "general",
"text": "Release of Red Hat OpenShift Developer Tools - Openshift Jenkins 4.14 security update.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:10211",
"url": "https://access.redhat.com/errata/RHSA-2026:10211"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2024-29371",
"url": "https://access.redhat.com/security/cve/CVE-2024-29371"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-27099",
"url": "https://access.redhat.com/security/cve/CVE-2026-27099"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-27100",
"url": "https://access.redhat.com/security/cve/CVE-2026-27100"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-33001",
"url": "https://access.redhat.com/security/cve/CVE-2026-33001"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://docs.redhat.com/en/documentation/openshift_container_platform/4.14/html/jenkins",
"url": "https://docs.redhat.com/en/documentation/openshift_container_platform/4.14/html/jenkins"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_10211.json"
}
],
"title": "Red Hat Security Advisory: Release of Red Hat OpenShift Developer Tools - Openshift Jenkins 4.14 security update.",
"tracking": {
"current_release_date": "2026-07-03T12:02:27+00:00",
"generator": {
"date": "2026-07-03T12:02:27+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.3.1"
}
},
"id": "RHSA-2026:10211",
"initial_release_date": "2026-04-23T17:21:09+00:00",
"revision_history": [
{
"date": "2026-04-23T17:21:09+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-04-23T17:21:16+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-07-03T12:02:27+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "OpenShift Developer Tools and Services 4.14",
"product": {
"name": "OpenShift Developer Tools and Services 4.14",
"product_id": "OpenShift Developer Tools and Services 4.14",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:ocp_tools:4.14::el8"
}
}
}
],
"category": "product_family",
"name": "OpenShift Developer Tools and Services"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel8@sha256%3Aad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872?arch=amd64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776760341"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-rhel8@sha256%3A5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d?arch=amd64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776762347"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel8@sha256%3A3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230?arch=arm64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776760341"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-rhel8@sha256%3Aec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae?arch=arm64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776762347"
}
}
}
],
"category": "architecture",
"name": "arm64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel8@sha256%3A7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056?arch=ppc64le\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776760341"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-rhel8@sha256%3A02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c?arch=ppc64le\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776762347"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel8@sha256%3A3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39?arch=s390x\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776760341"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-rhel8@sha256%3Afa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8?arch=s390x\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776762347"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64 as a component of OpenShift Developer Tools and Services 4.14",
"product_id": "OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.14"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x as a component of OpenShift Developer Tools and Services 4.14",
"product_id": "OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.14"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le as a component of OpenShift Developer Tools and Services 4.14",
"product_id": "OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.14"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64 as a component of OpenShift Developer Tools and Services 4.14",
"product_id": "OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.14"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le as a component of OpenShift Developer Tools and Services 4.14",
"product_id": "OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.14"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64 as a component of OpenShift Developer Tools and Services 4.14",
"product_id": "OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.14"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64 as a component of OpenShift Developer Tools and Services 4.14",
"product_id": "OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.14"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x as a component of OpenShift Developer Tools and Services 4.14",
"product_id": "OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.14"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-29371",
"cwe": {
"id": "CWE-409",
"name": "Improper Handling of Highly Compressed Data (Data Amplification)"
},
"discovery_date": "2025-12-17T16:01:18.173727+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2423194"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in jose4j. A remote attacker can exploit this by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression. This can lead to a Denial of Service, making the service unavailable to legitimate users.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jose4j: jose4j: Denial of Service via malicious JSON Web Encryption (JWE) token compression",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated Important as it can lead to a Denial of Service in applications that process untrusted JSON Web Encryption tokens. An attacker can craft a malicious JWE token with an exceptionally high compression ratio, causing excessive memory allocation and processing time during decompression in affected components like jose4j. This affects products such as Red Hat AMQ, Enterprise Application Platform (EAP 8.0.z, 8.1.z), Red Hat JBoss Fuse, JBoss Data Grid, OpenShift Developer Tools \u0026 Services, Red Hat build of Apache Camel, Red Hat Integration, Red Hat OpenShift Dev Spaces, Red Hat Process Automation Manager, Red Hat Single Sign-On (RH-SSO), Insights, cloud.redhat.com, and OpenShift Serverless.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-29371"
},
{
"category": "external",
"summary": "RHBZ#2423194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2423194"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-29371",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-29371"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-29371",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29371"
},
{
"category": "external",
"summary": "https://bitbucket.org/b_c/jose4j/issues/220/vuln-zip-bomb-attack",
"url": "https://bitbucket.org/b_c/jose4j/issues/220/vuln-zip-bomb-attack"
}
],
"release_date": "2025-12-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T17:21:09+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.14 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10211"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jose4j: jose4j: Denial of Service via malicious JSON Web Encryption (JWE) token compression"
},
{
"cve": "CVE-2026-27099",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2026-02-18T15:02:52.012661+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2440638"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jenkins. This vulnerability, identified as a stored cross-site scripting (XSS) issue, occurs because Jenkins does not properly escape the user-provided description for the \"Mark temporarily offline\" cause. An attacker with Agent/Configure or Agent/Disconnect permissions can exploit this to inject malicious scripts, leading to potential information disclosure or unauthorized actions within the user\u0027s browser.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.jenkins-ci.main/jenkins-core: Jenkins: Stored Cross-site Scripting (XSS) via unescaped user-provided offline cause description",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability in Jenkins allows authenticated attackers with Agent/Configure or Agent/Disconnect permissions to inject malicious scripts into the \"Mark temporarily offline\" cause description. This stored cross-site scripting (XSS) flaw can lead to information disclosure or unauthorized actions within a user\u0027s browser when viewing the affected description. Red Hat OpenShift Developer Tools \u0026 Services are affected.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-27099"
},
{
"category": "external",
"summary": "RHBZ#2440638",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440638"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-27099",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27099"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-27099",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27099"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3669",
"url": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3669"
}
],
"release_date": "2026-02-18T14:17:43.911000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T17:21:09+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.14 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10211"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "org.jenkins-ci.main/jenkins-core: Jenkins: Stored Cross-site Scripting (XSS) via unescaped user-provided offline cause description"
},
{
"cve": "CVE-2026-27100",
"cwe": {
"id": "CWE-551",
"name": "Incorrect Behavior Order: Authorization Before Parsing and Canonicalization"
},
"discovery_date": "2026-02-18T15:02:47.032150+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2440637"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jenkins. An attacker with Item/Build and Item/Configure permissions can exploit this vulnerability by submitting Run Parameter values that refer to builds they do not have authorization to access. This allows the attacker to obtain sensitive information, including the existence of jobs, the existence of builds, and the display names of specific builds. This is an information disclosure vulnerability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.jenkins-ci.main/jenkins-core: Jenkins: Information disclosure via unauthorized access to build parameters",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This information disclosure vulnerability in Jenkins allows an attacker with Item/Build and Item/Configure permissions to gain knowledge about the existence and display names of jobs and builds they are not authorized to access. This affects Jenkins instances in OpenShift Developer Tools \u0026 Services.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-27100"
},
{
"category": "external",
"summary": "RHBZ#2440637",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440637"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-27100",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27100"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-27100",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27100"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3658",
"url": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3658"
}
],
"release_date": "2026-02-18T14:17:44.672000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T17:21:09+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.14 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10211"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "org.jenkins-ci.main/jenkins-core: Jenkins: Information disclosure via unauthorized access to build parameters"
},
{
"cve": "CVE-2026-33001",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2026-03-18T16:02:14.310096+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2448645"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jenkins. This vulnerability allows attackers with Item/Configure permission, or those who can control agent processes, to exploit unsafe handling of symbolic links during the extraction of .tar and .tar.gz archives. By crafting malicious archives, an attacker can write files to arbitrary locations on the filesystem. This could enable the deployment of malicious scripts or plugins on the Jenkins controller, potentially leading to unauthorized code execution.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins: Jenkins: Arbitrary file write and potential code execution through crafted archives",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-33001"
},
{
"category": "external",
"summary": "RHBZ#2448645",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448645"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-33001",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33001"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-33001",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33001"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3657",
"url": "https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3657"
}
],
"release_date": "2026-03-18T15:15:23.950000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T17:21:09+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.14 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10211"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3959cf6c1b1b5e7b2c33ef49ebe1e99dfce7e10ad14ea0c948c3365249f85230_arm64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:3c83e451aa4a676671e22a6c91539311d04677601978d35032bce45e10c63a39_s390x",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:7bff04aabb5d39075f92b8e65d2cfebc02cfd80488037685654a1e1cbf0b2056_ppc64le",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8@sha256:ad63a7e895c432b05a4fab3357cf1a8ab8c99a1f6bc1e86abd2c67f4f1e9a872_amd64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:02c954e1692ff2ce7c85c1505fe48e65b2b21b2f368d514fca86343f4f96cd7c_ppc64le",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:5957dae25e049ae63fd5112da7436c9c1b0a6deefe5ebc6ae11b4e78c75cfe3d_amd64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:ec218eaf3b8668c6473232a695ce742b8b8dc57274ec5fc727c996df812d5aae_arm64",
"OpenShift Developer Tools and Services 4.14:registry.redhat.io/ocp-tools-4/jenkins-rhel8@sha256:fa8f511929707eed40f5d9baf9ca89dfb8d46913746f2c0e4bd97d0b02d5d2b8_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jenkins: Jenkins: Arbitrary file write and potential code execution through crafted archives"
}
]
}
RHSA-2026:10213
Vulnerability from csaf_redhat - Published: 2026-04-23 17:30 - Updated: 2026-07-03 12:02A flaw was found in jose4j. A remote attacker can exploit this by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression. This can lead to a Denial of Service, making the service unavailable to legitimate users.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x | — |
Vendor Fix
fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x | — |
A flaw was found in Jenkins. This vulnerability, identified as a stored cross-site scripting (XSS) issue, occurs because Jenkins does not properly escape the user-provided description for the "Mark temporarily offline" cause. An attacker with Agent/Configure or Agent/Disconnect permissions can exploit this to inject malicious scripts, leading to potential information disclosure or unauthorized actions within the user's browser.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x | — |
Vendor Fix
fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x | — |
A flaw was found in Jenkins. An attacker with Item/Build and Item/Configure permissions can exploit this vulnerability by submitting Run Parameter values that refer to builds they do not have authorization to access. This allows the attacker to obtain sensitive information, including the existence of jobs, the existence of builds, and the display names of specific builds. This is an information disclosure vulnerability.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x | — |
Vendor Fix
fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x | — |
A flaw was found in Jenkins. This vulnerability allows attackers with Item/Configure permission, or those who can control agent processes, to exploit unsafe handling of symbolic links during the extraction of .tar and .tar.gz archives. By crafting malicious archives, an attacker can write files to arbitrary locations on the filesystem. This could enable the deployment of malicious scripts or plugins on the Jenkins controller, potentially leading to unauthorized code execution.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x | — |
Vendor Fix
fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x | — |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for Openshift Jenkins is now available for Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.17.",
"title": "Topic"
},
{
"category": "general",
"text": "Release of Red Hat OpenShift Developer Tools - Openshift Jenkins 4.17 security update.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:10213",
"url": "https://access.redhat.com/errata/RHSA-2026:10213"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2024-29371",
"url": "https://access.redhat.com/security/cve/CVE-2024-29371"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-27099",
"url": "https://access.redhat.com/security/cve/CVE-2026-27099"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-27100",
"url": "https://access.redhat.com/security/cve/CVE-2026-27100"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-33001",
"url": "https://access.redhat.com/security/cve/CVE-2026-33001"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://docs.redhat.com/en/documentation/openshift_container_platform/4.17/html/jenkins",
"url": "https://docs.redhat.com/en/documentation/openshift_container_platform/4.17/html/jenkins"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_10213.json"
}
],
"title": "Red Hat Security Advisory: Release of Red Hat OpenShift Developer Tools - Openshift Jenkins 4.17 security update.",
"tracking": {
"current_release_date": "2026-07-03T12:02:28+00:00",
"generator": {
"date": "2026-07-03T12:02:28+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.3.1"
}
},
"id": "RHSA-2026:10213",
"initial_release_date": "2026-04-23T17:30:00+00:00",
"revision_history": [
{
"date": "2026-04-23T17:30:00+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-04-23T17:30:05+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-07-03T12:02:28+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "OpenShift Developer Tools and Services 4.17",
"product": {
"name": "OpenShift Developer Tools and Services 4.17",
"product_id": "OpenShift Developer Tools and Services 4.17",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:ocp_tools:4.17::el9"
}
}
}
],
"category": "product_family",
"name": "OpenShift Developer Tools and Services"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel9@sha256%3A960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd?arch=amd64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944183"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-rhel9@sha256%3A0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630?arch=amd64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944215"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel9@sha256%3A486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97?arch=arm64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944183"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-rhel9@sha256%3A1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4?arch=arm64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944215"
}
}
}
],
"category": "architecture",
"name": "arm64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel9@sha256%3Aa41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190?arch=ppc64le\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944183"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-rhel9@sha256%3Aab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454?arch=ppc64le\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944215"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel9@sha256%3Acef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96?arch=s390x\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944183"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-rhel9@sha256%3Ab453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7?arch=s390x\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944215"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64 as a component of OpenShift Developer Tools and Services 4.17",
"product_id": "OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.17"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64 as a component of OpenShift Developer Tools and Services 4.17",
"product_id": "OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.17"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le as a component of OpenShift Developer Tools and Services 4.17",
"product_id": "OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.17"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x as a component of OpenShift Developer Tools and Services 4.17",
"product_id": "OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.17"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64 as a component of OpenShift Developer Tools and Services 4.17",
"product_id": "OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.17"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64 as a component of OpenShift Developer Tools and Services 4.17",
"product_id": "OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.17"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le as a component of OpenShift Developer Tools and Services 4.17",
"product_id": "OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.17"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x as a component of OpenShift Developer Tools and Services 4.17",
"product_id": "OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.17"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-29371",
"cwe": {
"id": "CWE-409",
"name": "Improper Handling of Highly Compressed Data (Data Amplification)"
},
"discovery_date": "2025-12-17T16:01:18.173727+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2423194"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in jose4j. A remote attacker can exploit this by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression. This can lead to a Denial of Service, making the service unavailable to legitimate users.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jose4j: jose4j: Denial of Service via malicious JSON Web Encryption (JWE) token compression",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated Important as it can lead to a Denial of Service in applications that process untrusted JSON Web Encryption tokens. An attacker can craft a malicious JWE token with an exceptionally high compression ratio, causing excessive memory allocation and processing time during decompression in affected components like jose4j. This affects products such as Red Hat AMQ, Enterprise Application Platform (EAP 8.0.z, 8.1.z), Red Hat JBoss Fuse, JBoss Data Grid, OpenShift Developer Tools \u0026 Services, Red Hat build of Apache Camel, Red Hat Integration, Red Hat OpenShift Dev Spaces, Red Hat Process Automation Manager, Red Hat Single Sign-On (RH-SSO), Insights, cloud.redhat.com, and OpenShift Serverless.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-29371"
},
{
"category": "external",
"summary": "RHBZ#2423194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2423194"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-29371",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-29371"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-29371",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29371"
},
{
"category": "external",
"summary": "https://bitbucket.org/b_c/jose4j/issues/220/vuln-zip-bomb-attack",
"url": "https://bitbucket.org/b_c/jose4j/issues/220/vuln-zip-bomb-attack"
}
],
"release_date": "2025-12-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T17:30:00+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.17 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10213"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jose4j: jose4j: Denial of Service via malicious JSON Web Encryption (JWE) token compression"
},
{
"cve": "CVE-2026-27099",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2026-02-18T15:02:52.012661+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2440638"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jenkins. This vulnerability, identified as a stored cross-site scripting (XSS) issue, occurs because Jenkins does not properly escape the user-provided description for the \"Mark temporarily offline\" cause. An attacker with Agent/Configure or Agent/Disconnect permissions can exploit this to inject malicious scripts, leading to potential information disclosure or unauthorized actions within the user\u0027s browser.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.jenkins-ci.main/jenkins-core: Jenkins: Stored Cross-site Scripting (XSS) via unescaped user-provided offline cause description",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability in Jenkins allows authenticated attackers with Agent/Configure or Agent/Disconnect permissions to inject malicious scripts into the \"Mark temporarily offline\" cause description. This stored cross-site scripting (XSS) flaw can lead to information disclosure or unauthorized actions within a user\u0027s browser when viewing the affected description. Red Hat OpenShift Developer Tools \u0026 Services are affected.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-27099"
},
{
"category": "external",
"summary": "RHBZ#2440638",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440638"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-27099",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27099"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-27099",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27099"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3669",
"url": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3669"
}
],
"release_date": "2026-02-18T14:17:43.911000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T17:30:00+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.17 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10213"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "org.jenkins-ci.main/jenkins-core: Jenkins: Stored Cross-site Scripting (XSS) via unescaped user-provided offline cause description"
},
{
"cve": "CVE-2026-27100",
"cwe": {
"id": "CWE-551",
"name": "Incorrect Behavior Order: Authorization Before Parsing and Canonicalization"
},
"discovery_date": "2026-02-18T15:02:47.032150+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2440637"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jenkins. An attacker with Item/Build and Item/Configure permissions can exploit this vulnerability by submitting Run Parameter values that refer to builds they do not have authorization to access. This allows the attacker to obtain sensitive information, including the existence of jobs, the existence of builds, and the display names of specific builds. This is an information disclosure vulnerability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.jenkins-ci.main/jenkins-core: Jenkins: Information disclosure via unauthorized access to build parameters",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This information disclosure vulnerability in Jenkins allows an attacker with Item/Build and Item/Configure permissions to gain knowledge about the existence and display names of jobs and builds they are not authorized to access. This affects Jenkins instances in OpenShift Developer Tools \u0026 Services.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-27100"
},
{
"category": "external",
"summary": "RHBZ#2440637",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440637"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-27100",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27100"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-27100",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27100"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3658",
"url": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3658"
}
],
"release_date": "2026-02-18T14:17:44.672000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T17:30:00+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.17 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10213"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "org.jenkins-ci.main/jenkins-core: Jenkins: Information disclosure via unauthorized access to build parameters"
},
{
"cve": "CVE-2026-33001",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2026-03-18T16:02:14.310096+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2448645"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jenkins. This vulnerability allows attackers with Item/Configure permission, or those who can control agent processes, to exploit unsafe handling of symbolic links during the extraction of .tar and .tar.gz archives. By crafting malicious archives, an attacker can write files to arbitrary locations on the filesystem. This could enable the deployment of malicious scripts or plugins on the Jenkins controller, potentially leading to unauthorized code execution.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins: Jenkins: Arbitrary file write and potential code execution through crafted archives",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-33001"
},
{
"category": "external",
"summary": "RHBZ#2448645",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448645"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-33001",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33001"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-33001",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33001"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3657",
"url": "https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3657"
}
],
"release_date": "2026-03-18T15:15:23.950000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T17:30:00+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.17 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10213"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.17:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jenkins: Jenkins: Arbitrary file write and potential code execution through crafted archives"
}
]
}
RHSA-2026:10214
Vulnerability from csaf_redhat - Published: 2026-04-23 17:30 - Updated: 2026-07-03 12:02A flaw was found in jose4j. A remote attacker can exploit this by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression. This can lead to a Denial of Service, making the service unavailable to legitimate users.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x | — |
Vendor Fix
fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x | — |
A flaw was found in Jenkins. This vulnerability, identified as a stored cross-site scripting (XSS) issue, occurs because Jenkins does not properly escape the user-provided description for the "Mark temporarily offline" cause. An attacker with Agent/Configure or Agent/Disconnect permissions can exploit this to inject malicious scripts, leading to potential information disclosure or unauthorized actions within the user's browser.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x | — |
Vendor Fix
fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x | — |
A flaw was found in Jenkins. An attacker with Item/Build and Item/Configure permissions can exploit this vulnerability by submitting Run Parameter values that refer to builds they do not have authorization to access. This allows the attacker to obtain sensitive information, including the existence of jobs, the existence of builds, and the display names of specific builds. This is an information disclosure vulnerability.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x | — |
Vendor Fix
fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x | — |
A flaw was found in Jenkins. This vulnerability allows attackers with Item/Configure permission, or those who can control agent processes, to exploit unsafe handling of symbolic links during the extraction of .tar and .tar.gz archives. By crafting malicious archives, an attacker can write files to arbitrary locations on the filesystem. This could enable the deployment of malicious scripts or plugins on the Jenkins controller, potentially leading to unauthorized code execution.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x | — |
Vendor Fix
fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64 | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le | — | ||
| Unresolved product id: OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x | — |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for Openshift Jenkins is now available for Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.16.",
"title": "Topic"
},
{
"category": "general",
"text": "Release of Red Hat OpenShift Developer Tools - Openshift Jenkins 4.16 security update.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:10214",
"url": "https://access.redhat.com/errata/RHSA-2026:10214"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2024-29371",
"url": "https://access.redhat.com/security/cve/CVE-2024-29371"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-27099",
"url": "https://access.redhat.com/security/cve/CVE-2026-27099"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-27100",
"url": "https://access.redhat.com/security/cve/CVE-2026-27100"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-33001",
"url": "https://access.redhat.com/security/cve/CVE-2026-33001"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://docs.redhat.com/en/documentation/openshift_container_platform/4.16/html/jenkins",
"url": "https://docs.redhat.com/en/documentation/openshift_container_platform/4.16/html/jenkins"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_10214.json"
}
],
"title": "Red Hat Security Advisory: Release of Red Hat OpenShift Developer Tools - Openshift Jenkins 4.16 security update.",
"tracking": {
"current_release_date": "2026-07-03T12:02:28+00:00",
"generator": {
"date": "2026-07-03T12:02:28+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.3.1"
}
},
"id": "RHSA-2026:10214",
"initial_release_date": "2026-04-23T17:30:02+00:00",
"revision_history": [
{
"date": "2026-04-23T17:30:02+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-04-23T17:30:12+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-07-03T12:02:28+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "OpenShift Developer Tools and Services 4.16",
"product": {
"name": "OpenShift Developer Tools and Services 4.16",
"product_id": "OpenShift Developer Tools and Services 4.16",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:ocp_tools:4.16::el9"
}
}
}
],
"category": "product_family",
"name": "OpenShift Developer Tools and Services"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel9@sha256%3A960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd?arch=amd64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944183"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-rhel9@sha256%3A0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630?arch=amd64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944215"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel9@sha256%3A486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97?arch=arm64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944183"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-rhel9@sha256%3A1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4?arch=arm64\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944215"
}
}
}
],
"category": "architecture",
"name": "arm64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel9@sha256%3Aa41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190?arch=ppc64le\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944183"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-rhel9@sha256%3Aab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454?arch=ppc64le\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944215"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-agent-base-rhel9@sha256%3Acef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96?arch=s390x\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944183"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x",
"product": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x",
"product_id": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x",
"product_identification_helper": {
"purl": "pkg:oci/jenkins-rhel9@sha256%3Ab453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7?arch=s390x\u0026repository_url=registry.redhat.io/ocp-tools-4\u0026tag=1776944215"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64 as a component of OpenShift Developer Tools and Services 4.16",
"product_id": "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.16"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64 as a component of OpenShift Developer Tools and Services 4.16",
"product_id": "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.16"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le as a component of OpenShift Developer Tools and Services 4.16",
"product_id": "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.16"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x as a component of OpenShift Developer Tools and Services 4.16",
"product_id": "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.16"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64 as a component of OpenShift Developer Tools and Services 4.16",
"product_id": "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.16"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64 as a component of OpenShift Developer Tools and Services 4.16",
"product_id": "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.16"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le as a component of OpenShift Developer Tools and Services 4.16",
"product_id": "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.16"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x as a component of OpenShift Developer Tools and Services 4.16",
"product_id": "OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
},
"product_reference": "registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x",
"relates_to_product_reference": "OpenShift Developer Tools and Services 4.16"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-29371",
"cwe": {
"id": "CWE-409",
"name": "Improper Handling of Highly Compressed Data (Data Amplification)"
},
"discovery_date": "2025-12-17T16:01:18.173727+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2423194"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in jose4j. A remote attacker can exploit this by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression. This can lead to a Denial of Service, making the service unavailable to legitimate users.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jose4j: jose4j: Denial of Service via malicious JSON Web Encryption (JWE) token compression",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated Important as it can lead to a Denial of Service in applications that process untrusted JSON Web Encryption tokens. An attacker can craft a malicious JWE token with an exceptionally high compression ratio, causing excessive memory allocation and processing time during decompression in affected components like jose4j. This affects products such as Red Hat AMQ, Enterprise Application Platform (EAP 8.0.z, 8.1.z), Red Hat JBoss Fuse, JBoss Data Grid, OpenShift Developer Tools \u0026 Services, Red Hat build of Apache Camel, Red Hat Integration, Red Hat OpenShift Dev Spaces, Red Hat Process Automation Manager, Red Hat Single Sign-On (RH-SSO), Insights, cloud.redhat.com, and OpenShift Serverless.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-29371"
},
{
"category": "external",
"summary": "RHBZ#2423194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2423194"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-29371",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-29371"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-29371",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29371"
},
{
"category": "external",
"summary": "https://bitbucket.org/b_c/jose4j/issues/220/vuln-zip-bomb-attack",
"url": "https://bitbucket.org/b_c/jose4j/issues/220/vuln-zip-bomb-attack"
}
],
"release_date": "2025-12-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T17:30:02+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.16 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10214"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jose4j: jose4j: Denial of Service via malicious JSON Web Encryption (JWE) token compression"
},
{
"cve": "CVE-2026-27099",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2026-02-18T15:02:52.012661+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2440638"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jenkins. This vulnerability, identified as a stored cross-site scripting (XSS) issue, occurs because Jenkins does not properly escape the user-provided description for the \"Mark temporarily offline\" cause. An attacker with Agent/Configure or Agent/Disconnect permissions can exploit this to inject malicious scripts, leading to potential information disclosure or unauthorized actions within the user\u0027s browser.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.jenkins-ci.main/jenkins-core: Jenkins: Stored Cross-site Scripting (XSS) via unescaped user-provided offline cause description",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability in Jenkins allows authenticated attackers with Agent/Configure or Agent/Disconnect permissions to inject malicious scripts into the \"Mark temporarily offline\" cause description. This stored cross-site scripting (XSS) flaw can lead to information disclosure or unauthorized actions within a user\u0027s browser when viewing the affected description. Red Hat OpenShift Developer Tools \u0026 Services are affected.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-27099"
},
{
"category": "external",
"summary": "RHBZ#2440638",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440638"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-27099",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27099"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-27099",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27099"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3669",
"url": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3669"
}
],
"release_date": "2026-02-18T14:17:43.911000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T17:30:02+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.16 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10214"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "org.jenkins-ci.main/jenkins-core: Jenkins: Stored Cross-site Scripting (XSS) via unescaped user-provided offline cause description"
},
{
"cve": "CVE-2026-27100",
"cwe": {
"id": "CWE-551",
"name": "Incorrect Behavior Order: Authorization Before Parsing and Canonicalization"
},
"discovery_date": "2026-02-18T15:02:47.032150+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2440637"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jenkins. An attacker with Item/Build and Item/Configure permissions can exploit this vulnerability by submitting Run Parameter values that refer to builds they do not have authorization to access. This allows the attacker to obtain sensitive information, including the existence of jobs, the existence of builds, and the display names of specific builds. This is an information disclosure vulnerability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.jenkins-ci.main/jenkins-core: Jenkins: Information disclosure via unauthorized access to build parameters",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This information disclosure vulnerability in Jenkins allows an attacker with Item/Build and Item/Configure permissions to gain knowledge about the existence and display names of jobs and builds they are not authorized to access. This affects Jenkins instances in OpenShift Developer Tools \u0026 Services.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-27100"
},
{
"category": "external",
"summary": "RHBZ#2440637",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440637"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-27100",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27100"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-27100",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27100"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3658",
"url": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3658"
}
],
"release_date": "2026-02-18T14:17:44.672000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T17:30:02+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.16 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10214"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "org.jenkins-ci.main/jenkins-core: Jenkins: Information disclosure via unauthorized access to build parameters"
},
{
"cve": "CVE-2026-33001",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2026-03-18T16:02:14.310096+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2448645"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jenkins. This vulnerability allows attackers with Item/Configure permission, or those who can control agent processes, to exploit unsafe handling of symbolic links during the extraction of .tar and .tar.gz archives. By crafting malicious archives, an attacker can write files to arbitrary locations on the filesystem. This could enable the deployment of malicious scripts or plugins on the Jenkins controller, potentially leading to unauthorized code execution.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins: Jenkins: Arbitrary file write and potential code execution through crafted archives",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"known_not_affected": [
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-33001"
},
{
"category": "external",
"summary": "RHBZ#2448645",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448645"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-33001",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33001"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-33001",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33001"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3657",
"url": "https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3657"
}
],
"release_date": "2026-03-18T15:15:23.950000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-23T17:30:02+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Developer Tools - OpenShift Jenkins 4.16 upgrade to the latest. This update includes a newer OpenShift client (oc) version bundled in the image. If your Jenkins pipelines require a specific oc version, configure it explicitly using the Jenkins pipeline tools directive.",
"product_ids": [
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:10214"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:486c0dc417df5beebbdb4ee2a017a4d9407c908fe54f490536f01fc15392ca97_arm64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:960e04991a991ed13884d7d8a7fec07700987d506f3abe5d133cea2c540e88bd_amd64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:a41770290a3a672afc88cfae5beb3400efd65cbb0ce6e31375dc72b27c916190_ppc64le",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel9@sha256:cef039248b506b2025c497267785e0580fc41d5648680df0d6b4e80b9a8b8f96_s390x",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:0a28ecee68681bd1cf50af7dfe9e5c4f54243712b02c3fa9871ee53e42782630_amd64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:1002c6e3e9e893c566bc213b0e0bd9a4a2b9fa4f6e233602392577b51a3df2e4_arm64",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:ab75a59f66bebc8f744ab96322366731040091991b02c2273c3e80193ed2b454_ppc64le",
"OpenShift Developer Tools and Services 4.16:registry.redhat.io/ocp-tools-4/jenkins-rhel9@sha256:b453e75ddba6af9e051981f8c0002827b2344e1266036eefa153664fa45d4da7_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jenkins: Jenkins: Arbitrary file write and potential code execution through crafted archives"
}
]
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.