Jenkins security advisory (AV26-629)
Analysis Summary
# Vulnerability: Jenkins Plugins Security Advisory (June 2026)
## CVE Details
*Note: Specific CVE IDs were not listed in the summary text provided, but the following issues were identified:*
- **CVE ID:** Pending/See References (IDs typically assigned per plugin)
- **CVSS Score:** Estimated 7.5 - 9.8 (High to Critical based on RCE/Path Traversal descriptions)
- **CWE:**
  - CWE-611: Improper Restriction of XML External Entity Reference (XXE)
  - CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
  - CWE-94: Improper Control of Generation of Code ('Code Injection'/RCE)
  - CWE-693: Protection Mechanism Failure (Sandbox Bypass)
## Affected Systems
- **Products:** Jenkins Plugins (Assembla, External Workspace Manager, OWASP ZAP, Script Security)
- **Versions:**
  - **Assembla Plugin:** Versions prior to 1.4
  - **External Workspace Manager Plugin:** Versions prior to 1.3.2
  - **OWASP ZAP Plugin:** Versions prior to 1.0.7
  - **Script Security Plugin:** Versions prior to 1402.v94c9ce464861
- **Configurations:** Systems running Jenkins controller with the aforementioned plugins enabled.
## Vulnerability Description
This advisory covers multiple classes of vulnerabilities across four Jenkins plugins:
1. **Assembla Plugin (XXE):** Fails to restrict XML external entity references, which could let an attacker read arbitrary files from the Jenkins controller or perform server-side request forgery (SSRF).
2. **External Workspace Manager Plugin (Path Traversal):** Improper validation of input allows for path traversal, potentially exposing or modifying files outside of the intended workspace.
3. **OWASP ZAP Plugin (RCE):** Builds executed directly on the Jenkins controller by this plugin can be manipulated to execute arbitrary code with the permissions of the Jenkins process.
4. **Script Security Plugin (Sandbox/Security Bypass):** Two vulnerabilities involving flaws in the sandbox implementation that allow scripts to escape restricted environments or bypass method-call restrictions.
## Exploitation
- **Status:** Not explicitly stated as "exploited in the wild" in the summary; however, PoCs often follow Jenkins advisories quickly.
- **Complexity:** Low to Medium
- **Attack Vector:** Network (typically requires permissions to configure jobs or submit malicious files/scripts depending on the plugin).
## Impact
- **Confidentiality:** High (Ability to read sensitive files and source code)
- **Integrity:** High (Ability to modify files or execute arbitrary code)
- **Availability:** High (Potential for system-wide compromise or service disruption)
## Remediation
### Patches
Update the affected plugins via the Jenkins Update Center to the following versions or later:
- **Assembla Plugin:** 1.4
- **External Workspace Manager Plugin:** 1.3.2
- **OWASP ZAP Plugin:** 1.0.7
- **Script Security Plugin:** 1402.v94c9ce464861
### Workarounds
- **General:** Limit user permissions to create or configure jobs.
- **Script Security:** Manually review and clear any pending script approvals in the "In-process Script Approval" settings.
- **ZAP Plugin:** Move build execution from the Jenkins controller to isolated agents/nodes.
## Detection
- **Indicators of compromise:** Review Jenkins system logs for unusual path traversal patterns (e.g., `../`), unexpected XML parsing errors, or unauthorized script approvals.
- **Detection methods and tools:** Audit installed plugin versions against the vulnerable list using the Jenkins management dashboard.
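The version audit above can be automated against the controller's plugin inventory. The following is an added example, not part of the advisory or of Jenkins itself: it reads the JSON shape returned by `/pluginManager/api/json?depth=1` (a constructed sample is embedded) and flags plugins below the fixed versions listed in this advisory. The plugin short names are assumed and should be confirmed against the advisory; the version comparison is simplified to the leading numeric components, which is sufficient for the fixed versions here.

```python
import json
import re

# Minimum fixed versions from the advisory, keyed by plugin short name.
# Short names are an assumption in this example; confirm them against the advisory.
FIXED_VERSIONS = {
    "assembla": "1.4",
    "external-workspace-manager": "1.3.2",
    "zap": "1.0.7",
    "script-security": "1402.v94c9ce464861",
}

# Constructed sample in the shape of /pluginManager/api/json?depth=1 (not a real controller).
SAMPLE_PLUGIN_JSON = json.dumps({"plugins": [
    {"shortName": "assembla", "version": "1.3", "active": True},
    {"shortName": "external-workspace-manager", "version": "1.3.2", "active": True},
    {"shortName": "zap", "version": "1.0.6", "active": False},
    {"shortName": "script-security", "version": "1369.v9b_98a_4e95b_2d", "active": True},
    {"shortName": "git", "version": "5.2.1", "active": True},
]})

def version_key(version: str) -> tuple:
    """Leading numeric components of a Jenkins version string.
    '1402.v94c9ce464861' -> (1402,), '1.3.2' -> (1, 3, 2).
    Simplified comparison: stops at the first non-numeric token."""
    parts = []
    for tok in version.split("."):
        m = re.match(r"\d+", tok)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)

def is_vulnerable(installed: str, fixed: str) -> bool:
    """True when the installed version is strictly below the fixed version."""
    return version_key(installed) < version_key(fixed)

def audit(plugin_json: str) -> list:
    """Return (shortName, installed, fixed, active) for each affected plugin found."""
    findings = []
    for p in json.loads(plugin_json)["plugins"]:
        fixed = FIXED_VERSIONS.get(p["shortName"])
        if fixed and is_vulnerable(p["version"], fixed):
            findings.append((p["shortName"], p["version"], fixed, p.get("active", True)))
    return findings

if __name__ == "__main__":
    for name, inst, fixed, active in audit(SAMPLE_PLUGIN_JSON):
        state = "enabled" if active else "disabled (update anyway)"
        print(f"{name}: installed {inst} < fixed {fixed} [{state}]")
```

A disabled plugin is still reported because a stale JAR on disk can be re-enabled later; the fix is to update it, not merely to leave it off.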
## References
- Jenkins Security Advisory 2026-06-24: hxxps[://]www[.]jenkins[.]io/security/advisory/2026-06-24/
- Canadian Centre for Cyber Security (AV26-629): hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/jenkins-security-advisory-av26-629
- Jenkins Security Advisories Archive: hxxps[://]www[.]jenkins[.]io/security/advisories/