Attackers can trigger a network disruption through exploiting several weaknesses, as Jenkins has addressed numerous vulnerabilities.
Jenkins, the popular open-source automation server, has released critical updates to address four security vulnerabilities that were discovered in its system. These updates are necessary for administrators running Jenkins weekly releases up to 2.527 or the Long-Term Support (LTS) stream up to 2.516.2.
The updates, available in Jenkins 2.524 and LTS 2.516.3, address a high-severity issue (CVE-2025-5115) in the Winstone-Jetty HTTP/2 implementation bundled with Jenkins core. This flaw could lead to a denial of service attack known as "MadeYouReset." To mitigate the risk, administrators unable to upgrade should, at a minimum, disable HTTP/2 and restrict access to log files to prevent exploitation.
Another issue resides in the Jenkins console log formatter, which, in versions up to 2.527 (LTS 2.516.2 and earlier), does not sanitize user-controlled content before writing to system logs. This vulnerability allows attackers to insert carriage return or line feed characters or even Unicode "Trojan Source" codepoints into log entries, forging misleading log lines. To combat this, the update in weekly 2.528 and LTS 2.516.3 prefixes injected lines with indicators like [CR], [LF], or [CRLF].
Two medium-severity flaws (CVE-2025-59474, CVE-2025-59475) also affect the system. The first (CVE-2025-59474) allows unauthenticated users to list agent names in the sidepanel executors widget in Jenkins 2.527 and earlier (LTS 2.516.2 and earlier). The second (CVE-2025-59475) permits attackers with minimal privileges to discover which plugins are installed by exploiting a bug in the authenticated user profile dropdown.
To resolve these issues, the updates remove the vulnerable sidepanel and enforce permission checks in profile menus in both Jenkins weekly 2.528 and LTS 2.516.3.
The security researchers who discovered and reported these problems include Daniel Beck (CloudBees, Inc.), Manuel Fernandez (Stackhopper Security), and IBM Cloud Red Team members Robert Houtenbrink, Faris Mohammed, and Harsh Yadav.
To ensure the security of their Jenkins installations, administrators are advised to upgrade immediately to weekly releases 2.528 and LTS 2.516.3. Additionally, administrators are encouraged to use log viewers that highlight unusual characters and restrict log access to trusted personnel.
These updates address not only the issues within Jenkins but also other recently discovered vulnerabilities in various systems. The team from Onapsis reported the SAP vulnerability CVE-2025-31324, Apple's security experts identified the WhatsApp iOS and macOS Zero-Day vulnerability CVE-2025-55177, and researchers uncovered the UEFI Secure Boot bypass vulnerability CVE-2024-7344 associated with the HybridPetya ransomware. Proofpoint and IT Pro observed the "Stealerium" malware infections, and researchers identified the Silver-Fox exploit involving signed Windows drivers.
In conclusion, the critical updates for Jenkins are essential for maintaining the security of Jenkins installations. Administrators are urged to upgrade as soon as possible to ensure the protection of their systems from potential attacks.
Read also:
- Companies exercise prudence towards AI adoption, ensuring secure implementation: Exploring safeguards and strategies.
- Stolen Brain Data of Sinner and Leclerc (Yellow chroma), previously held in China, repurposed for military training purposes.
- Increased instances of Russian-originated disinformation on social media platforms detected following the shooting of Kirk
- Financial researchers at Carnegie urge immediate efforts to counteract cyber threats in the financial sector
