Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from Vendor (jenkins).
CVSS VectorVendor: jenkins
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4Blast Radius
ecosystem impact- 13 maven packages depend on org.jenkins-ci.main:jenkins-core (13 direct, 0 indirect)
Ecosystem-wide dependent count for version 2.555.
DescriptionCVE.org
Jenkins 2.554 and earlier, LTS 2.541.2 and earlier does not safely handle symbolic links during the extraction of .tar and .tar.gz archives, allowing crafted archives to write files to arbitrary locations on the filesystem, restricted only by file system access permissions of the user running Jenkins. This can be exploited to deploy malicious scripts or plugins on the controller by attackers with Item/Configure permission, or able to control agent processes.
AnalysisAI
Jenkins versions 2.554 and earlier (LTS 2.541.2 and earlier) contain a path traversal vulnerability in their handling of tar and tar.gz archive extraction that fails to safely process symbolic links, allowing attackers to write files to arbitrary filesystem locations. Attackers with Item/Configure permission or control over Jenkins agent processes can exploit this to deploy malicious scripts and plugins on the Jenkins controller, achieving code execution with the privileges of the Jenkins process. The vulnerability is particularly concerning because it affects the core Jenkins application and enables privilege escalation through plugin installation mechanisms.
Technical ContextAI
The vulnerability exists in Jenkins' archive extraction functionality (CPE: cpe:2.3:a:jenkins_project:jenkins:*:*:*:*:*:*:*:*) and stems from improper validation of symbolic links during tar archive processing. This is a classic path traversal/directory traversal issue (related to CWE-22: Improper Limitation of a Pathname to a Restricted Directory) where the application fails to canonicalize or validate symlink targets before extracting archive contents. When Jenkins processes a crafted tar or tar.gz file containing malicious symbolic links, it follows those links without verification, allowing an attacker to write files outside the intended extraction directory. The vulnerability is particularly dangerous because Jenkins uses archive extraction for plugin installation and agent file transfers, two critical operational pathways that would naturally be trusted by system administrators.
RemediationAI
Immediately upgrade to patched versions: Jenkins 2.555 or later, or Jenkins LTS 2.542.1 or later, as released by the Jenkins project following the advisory at https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3657. Do not delay this patching—the vulnerability is in core functionality used during normal plugin installation and agent operations. For organizations unable to patch immediately, implement compensating controls: restrict Item/Configure permission to only trusted users via Jenkins' Authorization Strategy settings, audit all users with agent-related permissions, monitor agent connections for suspicious activity, and temporarily disable remote agent connections if feasible. Additionally, audit recent archive extractions in Jenkins job logs and agent-controller communications to identify potential exploitation. After patching, review installed plugins for any suspicious entries that may have been added during the vulnerability window.
The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary co
The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a
Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to ex
The Fingerprints pages in Jenkins before 1.638 and LTS before 1.625.2 might allow remote attackers to obtain sensitive j
The remoting module in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to execute arbitrary code by
A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.53 and earlier in src/main/java/org/jenkinsci/
A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.138.3 and ea
A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.50 and earlier in src/main/java/org/jenkinsci/
A sandbox bypass vulnerability exists in Pipeline: Declarative Plugin 1.3.3 and earlier in. Rated high severity (CVSS 8.
A sandbox bypass vulnerability exists in Pipeline: Groovy Plugin 2.61 and earlier in src/main/java/org/jenkinsci/plugins
A sandbox bypass vulnerability exists in Script Security Plugin 1.49 and earlier in src/main/java/org/jenkinsci/plugins/
A sandbox bypass vulnerability exists in Jenkins Pipeline: Groovy Plugin 2.63 and earlier in pom.xml, src/main/java/org/
Same weakness CWE-59 – Improper Link Resolution Before File Access
View allSame technique Information Disclosure
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-12843
GHSA-r6qv-frpc-q66c