{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33001", "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "state": "PUBLISHED", "assignerShortName": "jenkins", "dateReserved": "2026-03-17T15:04:07.615Z", "datePublished": "2026-03-18T15:15:23.950Z", "dateUpdated": "2026-03-19T12:58:23.233Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins", "dateUpdated": "2026-03-18T15:15:23.950Z"}, "affected": [{"vendor": "Jenkins Project", "product": "Jenkins", "versions": [{"version": "2.555", "versionType": "maven", "lessThan": "*", "status": "unaffected"}, {"version": "2.541.3", "versionType": "maven", "lessThan": "2.541.*", "status": "unaffected"}], "defaultStatus": "affected"}], "descriptions": [{"lang": "en", "value": "Jenkins 2.554 and earlier, LTS 2.541.2 and earlier does not safely handle symbolic links during the extraction of .tar and .tar.gz archives, allowing crafted archives to write files to arbitrary locations on the filesystem, restricted only by file system access permissions of the user running Jenkins.\nThis can be exploited to deploy malicious scripts or plugins on the controller by attackers with Item/Configure permission, or able to control agent processes."}], "references": [{"name": "Jenkins Security Advisory 2026-03-18", "url": "https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3657", "tags": ["vendor-advisory"]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-59", "lang": "en", "description": "CWE-59 Improper Link Resolution Before File Access ('Link Following')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-19T03:55:23.659873Z", "id": "CVE-2026-33001", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-19T12:58:23.233Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-33001", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-19T03:55:23.659873Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-59", "description": "CWE-59 Improper Link Resolution Before File Access ('Link Following')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-18T15:50:18.837Z"}}], "cna": {"affected": [{"vendor": "Jenkins Project", "product": "Jenkins", "versions": [{"status": "unaffected", "version": "2.555", "lessThan": "*", "versionType": "maven"}, {"status": "unaffected", "version": "2.541.3", "lessThan": "2.541.*", "versionType": "maven"}], "defaultStatus": "affected"}], "references": [{"url": "https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3657", "name": "Jenkins Security Advisory 2026-03-18", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en", "value": "Jenkins 2.554 and earlier, LTS 2.541.2 and earlier does not safely handle symbolic links during the extraction of .tar and .tar.gz archives, allowing crafted archives to write files to arbitrary locations on the filesystem, restricted only by file system access permissions of the user running Jenkins.\nThis can be exploited to deploy malicious scripts or plugins on the controller by attackers with Item/Configure permission, or able to control agent processes."}], "providerMetadata": {"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins", "dateUpdated": "2026-03-18T15:15:23.950Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33001", "state": "PUBLISHED", "dateUpdated": "2026-03-19T12:58:23.233Z", "dateReserved": "2026-03-17T15:04:07.615Z", "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "datePublished": "2026-03-18T15:15:23.950Z", "assignerShortName": "jenkins"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*", "matchCriteriaId": "74E8B1F1-D28F-4BC1-B50C-F736D7FA12B1", "versionEndExcluding": "2.541.3", "vulnerable": true}, {"criteria": "cpe:2.3:a:jenkins:jenkins:*:*:*:*:-:*:*:*", "matchCriteriaId": "D1012DE2-C6E3-4BEA-BA8E-C83B07D8DD25", "versionEndExcluding": "2.555", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Jenkins 2.554 and earlier, LTS 2.541.2 and earlier does not safely handle symbolic links during the extraction of .tar and .tar.gz archives, allowing crafted archives to write files to arbitrary locations on the filesystem, restricted only by file system access permissions of the user running Jenkins.\nThis can be exploited to deploy malicious scripts or plugins on the controller by attackers with Item/Configure permission, or able to control agent processes."}], "id": "CVE-2026-33001", "lastModified": "2026-03-20T18:08:15.507", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-18T16:16:28.067", "references": [{"source": "jenkinsci-cert@googlegroups.com", "tags": ["Vendor Advisory"], "url": "https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3657"}], "sourceIdentifier": "jenkinsci-cert@googlegroups.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-59"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "jenkins: Jenkins: Arbitrary file write and potential code execution through crafted archives", "id": "2448645", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448645"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.8", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-22", "details": ["A flaw was found in Jenkins. This vulnerability allows attackers with Item/Configure permission, or those who can control agent processes, to exploit unsafe handling of symbolic links during the extraction of .tar and .tar.gz archives. By crafting malicious archives, an attacker can write files to arbitrary locations on the filesystem. This could enable the deployment of malicious scripts or plugins on the Jenkins controller, potentially leading to unauthorized code execution."], "name": "CVE-2026-33001", "package_state": [{"cpe": "cpe:/a:redhat:ocp_tools", "fix_state": "Affected", "package_name": "jenkins", "product_name": "OpenShift Developer Tools and Services"}, {"cpe": "cpe:/a:redhat:rhdh:1", "fix_state": "Affected", "package_name": "rhdh/rhdh-hub-rhel9", "product_name": "Red Hat Developer Hub"}], "public_date": "2026-03-18T15:15:23Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-33001\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33001\nhttps://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3657"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[2.555,*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[2.541.3,2.542.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Jenkins", "source": "cna", "vendor": "Jenkins Project"}, "product": "jenkins", "vendor": "jenkins_project"}], "analysis": {"en": {"generated_at": "2026-03-20T19:24:46.095054+00:00", "value": {"mitigation_remediation": ["Upgrade Jenkins to a released version newer than 2.554 (or LTS 2.541.2) to eliminate the flaw.", "Apply any official patches issued by the Jenkins Project following the security advisory.", "Restrict Item/Configure permissions to trusted administrators only to limit who can submit archives.", "Disable or monitor the upload of tar and tar.gz files when not required for legitimate builds.", "Audit the filesystem for unexpected file writes and enforce strict access controls for the Jenkins controller process."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution via arbitrary file write"}, "threat_synthesis": {"affected_systems": "The affected products are Jenkins instances powered by the Jenkins Project. Versions up to and including Jenkins 2.554 and the Long Term Support release 2.541.2 (and earlier) are vulnerable. Any instance running these releases in a non\u2011patched state is at risk.", "description_and_impact": "The vulnerability arises from Jenkins failing to safely resolve symbolic links when extracting tar and tar.gz archives. A beneficiary attacker can craft an archive that, when uploaded and extracted, overwrites arbitrary files on the controller filesystem. This permits the deployment of malicious scripts or plugins, enabling an attacker to execute code with the privileges of the Jenkins process. The flaw is classified as CWE\u201122 and CWE\u201159 and poses a significant threat to confidentiality, integrity and availability of the system.", "risk_and_exploitability": "The CVSS score of 8.8 indicates high severity, and the EPSS score of less than 1% suggests a low probability of widespread exploitation. The vulnerability is not listed in the CISA KEV catalog. Attackers need the ability to upload or control the extraction of archives, typically requiring Item/Configure permission or the ability to influence agent processes. Once satisfied, the attacker can write files outside the Jenkins home directory, providing a foothold for code execution."}}}}, "created": "2026-03-19T08:56:36.117823+00:00", "updated": "2026-03-24T10:58:43.424035+00:00", "vendors": ["jenkins_project", "jenkins_project$PRODUCT$jenkins"]}