Critical Vulnerability Information

HTTP/2 Denial of Service Vulnerability in Bundled Jetty
CVE: CVE-2025-5115
Severity: High
Description: Jenkins bundles Winstone-Jetty, which is vulnerable to a denial of service attack when using HTTP/2. This affects Jenkins 2.523 and earlier, LTS 2.516.2 and earlier.
Fix: Upgrade to Jenkins 2.524 or LTS 2.516.3.

Missing Permission Check Allows Obtaining Agent Names
CVE: CVE-2025-59474
Severity: Medium
Description: Jenkins 2.527 and earlier, LTS 2.516.2 and earlier do not perform a permission check in the sidepanel of a page accessible to users lacking Overall/Read permission.
Fix: Upgrade to Jenkins 2.528 or LTS 2.516.3.

Missing Permission Check in Authenticated Users' Profile Menu
CVE: CVE-2025-59475
Severity: Medium
Description: Jenkins 2.527 and earlier, LTS 2.516.2 and earlier do not perform a permission check for the authenticated user profile dropdown menu.
Fix: Upgrade to Jenkins 2.528 or LTS 2.516.3.

Log Message Injection Vulnerability
CVE: CVE-2025-59476
Severity: Medium
Description: The log formatter in Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not restrict characters that can be inserted into log messages.
Fix: Upgrade to Jenkins 2.528 or LTS 2.516.3.

Affected Versions
Jenkins weekly up to and including 2.527
Jenkins LTS up to and including 2.516.2

Fix
Jenkins weekly should be updated to version 2.528
Jenkins LTS should be updated to version 2.516.3
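The log message injection issue (CVE-2025-59476) is the general class of bug where a formatter passes control characters from a message through to the log. As an added illustration, not Jenkins' or Jetty's own code, the Python below contrasts a stock formatter with one that escapes CR, LF and the other C0 control characters so a single log call cannot produce extra log lines; the format string, logger name and sample message are constructed for the demo.

```python
import io
import logging

# Constructed example, not Jenkins code: a formatter that escapes control
# characters so one log call cannot forge additional log lines.

_CONTROL_CHARS = {c: f"\\x{c:02x}" for c in range(0x20)}
_CONTROL_CHARS[0x7F] = "\\x7f"


def sanitize(message: str) -> str:
    """Replace CR, LF and other C0 control characters with visible escapes."""
    return message.translate(_CONTROL_CHARS)


class SafeFormatter(logging.Formatter):
    """Formatter that sanitises the rendered message before emitting it."""

    def format(self, record: logging.LogRecord) -> str:
        # Render %-style args first, then neutralise control characters.
        record.msg = sanitize(record.getMessage())
        record.args = ()
        return super().format(record)


def render(message: str, hardened: bool) -> str:
    """Log one INFO message through an in-memory handler and return the output."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    fmt = "%(levelname)s %(message)s"
    handler.setFormatter(SafeFormatter(fmt) if hardened else logging.Formatter(fmt))
    # Unregistered logger: no inherited handlers, no state shared between calls.
    logger = logging.Logger("log-injection-demo")
    logger.setLevel(logging.INFO)
    logger.addHandler(handler)
    logger.info("user %s logged in", message)
    handler.flush()
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed user-supplied value that contains a line break.
    tainted_name = "alice\nINFO forged line"
    print("stock formatter:\n" + render(tainted_name, hardened=False))
    print("hardened formatter:\n" + render(tainted_name, hardened=True))
```

With the stock formatter the single call emits two lines and the second one is indistinguishable from a genuine record; the hardened formatter keeps it on one line with the break visible as `\x0a`.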