Jenkins plugin Multiple Vulnerabilities (2026-03-18)

medium Nessus Plugin ID 302903

Synopsis

An application running on a remote web server host is affected by multiple vulnerabilities.

Description

According to its self-reported version number, the version of Jenkins plugins running on the remote web server is affected by multiple vulnerabilities:

- Jenkins LoadNinja Plugin 2.1 and earlier stores LoadNinja API keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. (CVE-2026-33003)

- Jenkins 2.554 and earlier, and LTS 2.541.2 and earlier, do not safely handle symbolic links during the extraction of .tar and .tar.gz archives, allowing crafted archives to write files to arbitrary locations on the filesystem, restricted only by the file system access permissions of the user running Jenkins. This can be exploited to deploy malicious scripts or plugins on the controller by attackers with Item/Configure permission, or who are able to control agent processes. (CVE-2026-33001)

- Jenkins LoadNinja Plugin 2.1 and earlier does not mask LoadNinja API keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them. (CVE-2026-33004)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update Jenkins plugins to the following versions:
- LoadNinja Plugin to version 2.2 or later

See vendor advisory for more details.

See Also

https://jenkins.io/security/advisory/2026-03-18

Plugin Details

Severity: Medium

ID: 302903

File Name: jenkins_security_advisory_2026-03-18_plugins.nasl

Version: 1.1

Type: combined

Agent: windows, macosx, unix

Family: CGI abuses

Published: 3/18/2026

Updated: 3/18/2026

Configuration: Enable thorough checks (optional)

Supported Sensors: Nessus Agent, Nessus

Enable CGI Scanning: true

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 6.7

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2026-33001

CVSS v3

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.8

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS Score Source: CVE-2026-33003

Vulnerability Information

CPE: cpe:/a:cloudbees:jenkins, cpe:/a:jenkins:jenkins

Required KB Items: installed_sw/Jenkins

Exploit Ease: No known exploits are available

Patch Publication Date: 3/18/2026

Vulnerability Publication Date: 3/18/2026

Reference Information

CVE: CVE-2026-33001, CVE-2026-33003, CVE-2026-33004