CVE-2026-33001

Summary

Jenkins 2.554 and earlier, LTS 2.541.2 and earlier does not safely handle symbolic links during the extraction of .tar and .tar.gz archives, allowing crafted archives to write files to arbitrary locations on the filesystem, restricted only by file system access permissions of the user running Jenkins. This can be exploited to deploy malicious scripts or plugins on the controller by attackers with Item/Configure permission, or able to control agent processes.

Affected Software

VendorProductVersion RangeStatus
Jenkins ProjectJenkins2.555 < *unaffected
Jenkins ProjectJenkins2.541.3 < 2.541.*unaffected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

jenkins: Jenkins: Arbitrary file write and potential code execution through crafted archives

Additional References

References