Jenkins has released critical updates addressing four security flaws that unauthenticated and low-privileged attackers could exploit to disrupt service or glean sensitive configuration details.\u00a0<\/p>\n
Administrators running Jenkins weekly releases up to 2.527 or the Long-Term Support (LTS) stream up to 2.516.2 must upgrade to mitigate these risks.<\/p>\n
HTTP\/2 Denial of Service (CVE-2025-5115)<\/strong><\/h2>\nA high-severity issue (CVSS 3.1 A:N\/AC:L\/PR:N\/UI:N\/S:U\/C:N\/I:N\/A:H) exists in the Winstone-Jetty HTTP\/2 implementation bundled with Jenkins core. When Jenkins is launched via an equivalent systemd service configuration, the outdated Jetty version is vulnerable to a denial of service<\/a> attack known as \u201cMadeYouReset.\u201d\u00a0<\/p>\n\n![\"Jenkins](\"https:\/\/i0.wp.com\/cybersecuritynews.com\/wp-content\/uploads\/2025\/09\/image-105.png?resize=395%2C32&ssl=1\")
<\/figure>\n<\/div>\nUnauthenticated attackers can trigger unchecked HTTP\/2<\/a> frames to exhaust server resources, causing Jenkins to crash.\u00a0<\/p>\nThis flaw affects Jenkins 2.523 and earlier, and LTS 2.516.2 and earlier when HTTP\/2 is enabled. HTTP\/2 remains disabled by default in native installers and official Docker images, reads the advisory<\/a>.\u00a0<\/p>\nThe fixes in Jenkins 2.524 and LTS 2.516.3 update Jetty to version 12.0.25, removing the vulnerability. Administrators unable to upgrade immediately are strongly advised to disable HTTP\/2 support.<\/p>\n
Permission-Check Omissions (CVE-2025-59474, CVE-2025-59475)<\/strong><\/h2>\nTwo medium-severity flaws allow unauthorized enumeration of internal components. In the sidepanel executors widget, Jenkins 2.527 and earlier (LTS 2.516.2 and earlier) fail to enforce Overall\/Read permission, letting unauthenticated users list agent names (CVE-2025-59474).\u00a0<\/p>\n
Similarly, a bug in the authenticated user profile dropdown (CVE-2025-59475) permits attackers with minimal privileges to discover which plugins, such as the Credentials Plugin, are installed by inspecting menu entries.\u00a0<\/p>\n
Both issues are resolved in Jenkins weekly 2.528 and LTS 2.516.3, which remove the vulnerable sidepanel and enforce permission checks in profile menus.<\/p>\n
Log Message Injection (CVE-2025-59476)<\/strong><\/h2>\nJenkins\u2019 console log formatter in versions up to 2.527 (LTS 2.516.2 and earlier) does not sanitize user-controlled content before writing to system logs (jenkins.log and equivalents).\u00a0<\/p>\n
Attackers can insert carriage return or line feed characters or even Unicode \u201cTrojan Source\u201d codepoints\u2014into log entries, forging misleading log lines that hamper incident response.\u00a0<\/p>\n
The update in weekly 2.528 and LTS 2.516.3 prefixes injected lines with indicators like [CR], [LF], or [CRLF] >, but administrators are still advised to use log viewers that highlight unusual characters and restrict log access to trusted personnel.<\/p>\n\n\n\n\nCVE<\/strong><\/td>\nTitle<\/strong><\/td>\nCVSS 3.1 Score<\/strong><\/td>\nSeverity<\/strong><\/td>\n<\/tr>\n\nCVE-2025-5115<\/td>\n HTTP\/2 denial of service in bundled Jetty<\/td>\n 7.5<\/td>\n High<\/td>\n<\/tr>\n \nCVE-2025-59474<\/td>\n Missing permission check allows obtaining agent names<\/td>\n 5.3<\/td>\n Medium<\/td>\n<\/tr>\n \nCVE-2025-59475<\/td>\n Missing permission check in authenticated users\u2019 profile menu<\/td>\n 4.6<\/td>\n Medium<\/td>\n<\/tr>\n \nCVE-2025-59476<\/td>\n Log message injection vulnerability<\/td>\n 4.4<\/td>\n Medium<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\nMitigations<\/strong><\/h2>\nAll Jenkins users should upgrade immediately: weekly releases to 2.528 and LTS to 2.516.3.\u00a0<\/p>\n
These versions collectively address the high-severity HTTP\/2 DoS (CVE-2025-5115) and the medium-severity permission-check and log injection flaws (CVE-2025-59474; CVE-2025-59475; CVE-2025-59476).\u00a0<\/p>\n
The security researchers Daniel Beck (CloudBees, Inc.), Manuel Fernandez (Stackhopper Security), and IBM Cloud Red Team members Robert Houtenbrink, Faris Mohammed, and Harsh Yadav reported these issues.\u00a0<\/p>\n
Administrators unable to upgrade should, at a minimum, disable HTTP\/2 and restrict access to log files to prevent exploitation.<\/p>\n
Find this Story Interesting! Follow us on Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>.<\/p>\nThe post Jenkins Patches Multiple Vulnerabilities that Allow Attackers to Cause a Denial of Service<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n
<\/figure>\n<\/div>\nUnauthenticated attackers can trigger unchecked HTTP\/2<\/a> frames to exhaust server resources, causing Jenkins to crash.\u00a0<\/p>\n This flaw affects Jenkins 2.523 and earlier, and LTS 2.516.2 and earlier when HTTP\/2 is enabled. HTTP\/2 remains disabled by default in native installers and official Docker images, reads the advisory<\/a>.\u00a0<\/p>\n The fixes in Jenkins 2.524 and LTS 2.516.3 update Jetty to version 12.0.25, removing the vulnerability. Administrators unable to upgrade immediately are strongly advised to disable HTTP\/2 support.<\/p>\n Two medium-severity flaws allow unauthorized enumeration of internal components. In the sidepanel executors widget, Jenkins 2.527 and earlier (LTS 2.516.2 and earlier) fail to enforce Overall\/Read permission, letting unauthenticated users list agent names (CVE-2025-59474).\u00a0<\/p>\n Similarly, a bug in the authenticated user profile dropdown (CVE-2025-59475) permits attackers with minimal privileges to discover which plugins, such as the Credentials Plugin, are installed by inspecting menu entries.\u00a0<\/p>\n Both issues are resolved in Jenkins weekly 2.528 and LTS 2.516.3, which remove the vulnerable sidepanel and enforce permission checks in profile menus.<\/p>\n Jenkins\u2019 console log formatter in versions up to 2.527 (LTS 2.516.2 and earlier) does not sanitize user-controlled content before writing to system logs (jenkins.log and equivalents).\u00a0<\/p>\n Attackers can insert carriage return or line feed characters or even Unicode \u201cTrojan Source\u201d codepoints\u2014into log entries, forging misleading log lines that hamper incident response.\u00a0<\/p>\n The update in weekly 2.528 and LTS 2.516.3 prefixes injected lines with indicators like [CR], [LF], or [CRLF] >, but administrators are still advised to use log viewers that highlight unusual characters and restrict log access to trusted personnel.<\/p>\n All Jenkins users should upgrade immediately: weekly releases to 2.528 and LTS to 2.516.3.\u00a0<\/p>\n These versions collectively address the high-severity HTTP\/2 DoS (CVE-2025-5115) and the medium-severity permission-check and log injection flaws (CVE-2025-59474; CVE-2025-59475; CVE-2025-59476).\u00a0<\/p>\n The security researchers Daniel Beck (CloudBees, Inc.), Manuel Fernandez (Stackhopper Security), and IBM Cloud Red Team members Robert Houtenbrink, Faris Mohammed, and Harsh Yadav reported these issues.\u00a0<\/p>\n Administrators unable to upgrade should, at a minimum, disable HTTP\/2 and restrict access to log files to prevent exploitation.<\/p>\n Find this Story Interesting! Follow us on Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>.<\/p>\n The post Jenkins Patches Multiple Vulnerabilities that Allow Attackers to Cause a Denial of Service<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nPermission-Check Omissions (CVE-2025-59474, CVE-2025-59475)<\/strong><\/h2>\n
Log Message Injection (CVE-2025-59476)<\/strong><\/h2>\n
\n\n
\n CVE<\/strong><\/td>\n Title<\/strong><\/td>\n CVSS 3.1 Score<\/strong><\/td>\n Severity<\/strong><\/td>\n<\/tr>\n \n CVE-2025-5115<\/td>\n HTTP\/2 denial of service in bundled Jetty<\/td>\n 7.5<\/td>\n High<\/td>\n<\/tr>\n \n CVE-2025-59474<\/td>\n Missing permission check allows obtaining agent names<\/td>\n 5.3<\/td>\n Medium<\/td>\n<\/tr>\n \n CVE-2025-59475<\/td>\n Missing permission check in authenticated users\u2019 profile menu<\/td>\n 4.6<\/td>\n Medium<\/td>\n<\/tr>\n \n CVE-2025-59476<\/td>\n Log message injection vulnerability<\/td>\n 4.4<\/td>\n Medium<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n Mitigations<\/strong><\/h2>\n