Jenkins Security Advisory: DoS, Info Disclosure, and Log Injection (CVE-2025-5115, CVE-2025-59474, CVE-2025-59475)

Critical Vulnerability Information HTTP/2 denial of service vulnerability in bundled Jetty CVE: SECURITY-3618 / CVE-2025-5115 Severity: High (CVSS) Description: Jenkins 2.523 and earlier, LTS 2.516.2 and earlier bundle versions of Jetty affected by the security vulnerability CVE-2025-5115 ("MadeYouLease"). This vulnerability allows unauthenticated attackers to cause a denial of service. Affected Versions: Jenkins weekly up to and including 2.527; Jenkins LTS up to and including 2.516.2 Fix: Jenkins weekly should be updated to version 2.528; Jenkins LTS should be updated to version 2.516.3 Missing permission check allows obtaining agent names CVE: SECURITY-3594 / CVE-2025-59474 Severity: Medium (CVSS) Description: Jenkins 2.527 and earlier, LTS 2.516.2 and earlier do not perform a permission check in the sidepanel of a page intentionally accessible to users lacking Overall/Read permission. This allows attackers without Overall/Read permission to list agent names through its sidepanel executors widget. Affected Versions: Jenkins weekly up to and including 2.527; Jenkins LTS up to and including 2.516.2 Fix: Jenkins weekly should be updated to version 2.528; Jenkins LTS should be updated to version 2.516.3 Missing permission check in authenticated users' profile menu CVE: SECURITY-3625 / CVE-2025-59475 Severity: Medium (CVSS) Description: Jenkins 2.527 and earlier, LTS 2.516.2 and earlier do not perform a permission check for the authenticated user profile dropdown menu. This allows attackers without Overall/Read permission to obtain limited information about the Jenkins configuration by listing available options in this menu. Affected Versions: Jenkins weekly up to and including 2.527; Jenkins LTS up to and including 2.516.2 Fix: Jenkins weekly should be updated to version 2.528; Jenkins LTS should be updated to version 2.516.3 Log message injection vulnerability CVE: SECURITY-3424 / CVE-2025-59476 Severity: Medium (CVSS) Description: In Jenkins 2.527 and earlier, LTS 2.516.2 and earlier, the log formatter that prepares log messages for console output does not restrict or transform the characters that can be inserted from user-specified content in log messages. This allows attackers to control log message contents to insert line break characters, followed by forged log messages that may mislead administrators reviewing log output. Affected Versions: Jenkins weekly up to and including 2.527; Jenkins LTS up to and including 2.516.2 Fix: Jenkins weekly should be updated to version 2.528; Jenkins LTS should be updated to version 2.516.3

Goal Reached Thanks to every supporter — we hit 100%!

Jenkins Security Advisory: DoS, Info Disclosure, and Log Injection (CVE-2025-5115, CVE-2025-59474, CVE-2025-59475)