2448645 – (CVE-2026-33001) CVE-2026-33001 jenkins: Jenkins: Arbitrary file write and potential code execution through crafted archives

Bug 2448645 (CVE-2026-33001) - CVE-2026-33001 jenkins: Jenkins: Arbitrary file write and potential code execution through crafted archives

Summary: CVE-2026-33001 jenkins: Jenkins: Arbitrary file write and potential code exec...

Keywords:
Status:	NEW
Alias:	CVE-2026-33001
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-03-18 16:02 UTC by OSIDB Bzimport
Modified:	2026-03-19 11:37 UTC (History)
CC List:	7 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-03-18 16:02:39 UTC

Jenkins 2.554 and earlier, LTS 2.541.2 and earlier does not safely handle symbolic links during the extraction of .tar and .tar.gz archives, allowing crafted archives to write files to arbitrary locations on the filesystem, restricted only by file system access permissions of the user running Jenkins.
This can be exploited to deploy malicious scripts or plugins on the controller by attackers with Item/Configure permission, or able to control agent processes.

Note You need to log in before you can comment on or make changes to this bug.