[GHSA-93qh-vwrm-c5pw] Jenkins 2.483 through 2.567 (both inclusive), LTS 2.492.1...#8006
aa9fec7 into lohitkolluri/advisory-improvement-8006
Hi @lohitkolluri! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!
@lohitkolluri Please don't declare LTS releases to be affected when they're not.
Hey @daniel-beck Thanks for pointing that out. This was actually my first contribution to the Advisory Database. I gathered the information from multiple sources discussing the vulnerability, and some of them indicated that those LTS releases were affected, so I included them in the advisory. I assumed the information had already been validated by the upstream sources I was referencing and didn't realize the affected-version mapping for the Jenkins LTS line was incorrect. I'll make sure to verify version ranges more carefully against the project's own guidance going forward. Sorry for the confusion, and thanks for the correction.
For future reference, the Jenkins security advisory and the CVE metadata (https://www.cve.org/CVERecord?id=CVE-2026-53441) are the only authoritative sources, and both exclude 2.555.3 from the affected versions.
Could you provide references to claims that LTS 2.555.3 is affected?
Thanks for the clarification. I should still have the references I used somewhere in my browser history or notes. I'll take another look and share them if I can find the exact sources that led me to that conclusion. I understand now that the Jenkins security advisory and the CVE metadata are the authoritative sources for affected versions, and I'll use those directly for future contributions. Thanks again for taking the time to point this out. I'll keep it in mind going forward.
Changes based on the official Jenkins Security Advisory 2026-06-10 (SECURITY-3731) at https://www.jenkins.io/security/advisory/2026-06-10/#SECURITY-3731. CVSS v3.1 vector and score from the advisory's own CVSS calculator link. CWE-79 assigned because this is a stored cross-site scripting vulnerability where user input is not sanitized before rendering as HTML. Maven package org.jenkins-ci.main:jenkins-core identified from the Jenkins project's Maven Central artifacts. Source code at https://github.com/jenkinsci/jenkins.