Jenkins OWASP ZAP Plugin 1.0.7 and earlier performs build operations on the Jenkins controller rather than the assigned agent, allowing attackers with Item/Configure permission to execute arbitrary code on the Jenkins controller.
References
| Link | Resource |
|---|---|
| https://www.jenkins.io/security/advisory/2026-06-24/#SECURITY-3649 | Vendor Advisory |
Configurations
History
26 Jun 2026, 19:06
| Type | Values Removed | Values Added |
|---|---|---|
| First Time |
Jenkins
Jenkins official Owasp Zap |
|
| References | () https://www.jenkins.io/security/advisory/2026-06-24/#SECURITY-3649 - Vendor Advisory | |
| CPE | cpe:2.3:a:jenkins:official_owasp_zap:*:*:*:*:*:jenkins:*:* |
24 Jun 2026, 16:16
| Type | Values Removed | Values Added |
|---|---|---|
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 8.8 |
| CWE | CWE-610 |
24 Jun 2026, 14:17
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-06-24 14:17
Updated : 2026-06-26 19:06
NVD link : CVE-2026-57301
Mitre link : CVE-2026-57301
CVE.ORG link : CVE-2026-57301
JSON object : View
Products Affected
jenkins
- official_owasp_zap
CWE
CWE-610
Externally Controlled Reference to a Resource in Another Sphere
