Primary

Context

Jenkins Arbitrary File Write Vulnerability via Symbolic Links in Archive Extraction

Vulnerability

Patched

A vulnerability exists in Jenkins versions through 2.554 and LTS through 2.541.2, where symbolic links are not properly managed during the extraction of .tar and .tar.gz files. This flaw allows crafted archives to write files to arbitrary locations on the filesystem, limited only by the file system access permissions of the user running Jenkins. Exploitation could lead to the execution of malicious scripts or the installation of harmful plugins on the Jenkins controller. The vulnerability can be exploited by attackers with Item/Configure permission or those who can control agent processes.

Impact

Successful exploitation allows for arbitrary file writing on the Jenkins controller, which could be used to execute malicious scripts or install harmful plugins.

Remediation

Users should update Jenkins to version 2.555 or LTS 2.541.3. Additionally, Jenkins administrators should remove permissions from the anonymous user.

Added: Mar 18, 2026, 4:27 PM

Updated: Mar 18, 2026, 4:27 PM

Vulnerability Rating

Custom Algorithm

spread

5.7

impact

0.8

exploitability

4.9

remediation

7.7

relevance

4.1

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

5.7

impact

0.8

exploitability

4.9

remediation

7.7

relevance

4.1

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Jenkins Arbitrary File Write Vulnerability via Symbolic Links in Archive Extraction

Vulnerability

Impact

Remediation

Affected Products

Jenkins

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating