Jenkins Security Advisory: HTTP/2 DoS, Missing Permission Checks, Log Injection (CVE-2025-5115, CVE-2025-59474, CVE-2025-59475, CVE-2025-59476)

Critical Vulnerability Information HTTP/2 Denial of Service Vulnerability in Bundled Jetty CVE: SECURITY-3618 / CVE-2025-5115 Severity: High (CVSS) Description: Jenkins bundles Windstone-Jetty, which is vulnerable to a denial of service attack when using HTTP/2. This affects Jenkins versions 2.523 and earlier, LTS 2.516.2 and earlier. Affected Versions: Jenkins weekly up to and including 2.527; Jenkins LTS up to and including 2.516.2. Fix: Update to Jenkins weekly version 2.528 or Jenkins LTS version 2.516.3. Missing Permission Check Allows Obtaining Agent Names CVE: SECURITY-3594 / CVE-2025-59474 Severity: Medium (CVSS) Description: Jenkins versions 2.527 and earlier, LTS 2.516.2 and earlier do not perform a permission check in the sidepanel of a page accessible to users lacking Overall/Read permission. Affected Versions: Jenkins weekly up to and including 2.527; Jenkins LTS up to and including 2.516.2. Fix: Update to Jenkins weekly version 2.528 or Jenkins LTS version 2.516.3. Missing Permission Check in Authenticated Users' Profile Menu CVE: SECURITY-3625 / CVE-2025-59475 Severity: Medium (CVSS) Description: Jenkins versions 2.527 and earlier, LTS 2.516.2 and earlier do not perform a permission check for the authenticated user profile dropdown menu. Affected Versions: Jenkins weekly up to and including 2.527; Jenkins LTS up to and including 2.516.2. Fix: Update to Jenkins weekly version 2.528 or Jenkins LTS version 2.516.3. Log Message Injection Vulnerability CVE: SECURITY-3424 / CVE-2025-59476 Severity: Medium (CVSS) Description: The log formatter in Jenkins versions 2.527 and earlier, LTS 2.516.2 and earlier does not restrict characters that can be inserted into log messages. Affected Versions: Jenkins weekly up to and including 2.527; Jenkins LTS up to and including 2.516.2. Fix: Update to Jenkins weekly version 2.528 or Jenkins LTS version 2.516.3.

Goal Reached Thanks to every supporter — we hit 100%!

Jenkins Security Advisory: HTTP/2 DoS, Missing Permission Checks, Log Injection (CVE-2025-5115, CVE-2025-59474, CVE-2025-59475, CVE-2025-59476)