Detections
Analytics
Jenkins LTS < 2.541.3 / Jenkins weekly < 2.555 Multiple Vulnerabilities
high Nessus Plugin ID 302902
Synopsis
An application running on a remote web server host is affected by a vulnerabilityDescription
According to its its self-reported version number, the version of Jenkins running on the remote web server is Jenkins LTS prior to 2.541.3 or Jenkins weekly prior to 2.555. It is, therefore, affected by multiple vulnerabilities:- Jenkins 2.442 through 2.554 (both inclusive), LTS 2.426.3 through LTS 2.541.2 (both inclusive) performs origin validation of requests made through the CLI WebSocket endpoint by computing the expected origin for comparison using the Host or X-Forwarded-Host HTTP request headers, making it vulnerable to DNS rebinding attacks that allow bypassing origin validation. (CVE-2026-33002)
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
Solution
Upgrade Jenkins weekly to version 2.555 or later, or Jenkins LTS to version 2.541.3 or later.See Also
Plugin Details
Severity: High
ID: 302902
File Name: jenkins_2_555.nasl
Version: 1.1
Type: combined
Agent: windows, macosx, unix
Family: CGI abuses
Published: 3/18/2026
Updated: 3/18/2026
Configuration: Enable thorough checks (optional)
Supported Sensors: Nessus Agent, Nessus
Enable CGI Scanning: true
Risk Information
VPR
Risk Factor: High
Score: 7.4
CVSS v2
Risk Factor: High
Base Score: 7.6
Temporal Score: 5.6
Vector: CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C
CVSS Score Source: CVE-2026-33002
CVSS v3
Risk Factor: High
Base Score: 7.5
Temporal Score: 6.5
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C
Vulnerability Information
CPE: cpe:/a:jenkins:jenkins, cpe:/a:cloudbees:jenkins
Required KB Items: installed_sw/Jenkins
Exploit Ease: No known exploits are available
Patch Publication Date: 3/18/2026
Vulnerability Publication Date: 3/18/2026
Reference Information
CVE: CVE-2026-33002