Security Advisory - Published 2026-06-25 - Jenkins

Jenkins June 24 plugin batch: check scripts, workspaces, and controller activity

This Jenkins batch covers Script Security, External Workspace Manager, OWASP ZAP, and Assembla plugins. Patch plugins first, then review who can configure jobs, run sandboxed scripts, define custom workspaces, or trigger builds that touch the Jenkins controller.

Defensive scope: check Jenkins controllers you operate. This page avoids Groovy bypass examples, workspace traversal strings, and SSRF test steps.

Affected Jenkins plugins

CVE             Affected                                    Review              CVSS
--------------  ------------------------------------------  ------------------  ----
CVE-2026-57280  Script Security <= 1402.v94c9ce464861       sandbox scripts     8.8
CVE-2026-57296  External Workspace Manager <= 1.3.2         workspace paths     8.8
CVE-2026-57301  OWASP ZAP Plugin <= 1.0.7                   controller builds   8.8
CVE-2026-57281  Script Security <= 1402.v94c9ce464861       sandbox scripts     7.5
CVE-2026-57303  Assembla Plugin <= 1.4                      Assembla config     7.1

Owner self-check

# Installed versions of the four plugins named in this batch
java -jar jenkins-cli.jar -s https://jenkins.example/ list-plugins | grep -E 'script-security|external-workspace-manager|zap|assembla'
# Recent log and job-config mentions of the affected plugins (-E gives plain '|' alternation; the original escaped pipes would be matched literally)
grep -RniE 'script-security|ScriptApproval|exwsAllocate|OWASP ZAP|Assembla|controller' "$JENKINS_HOME/logs" "$JENKINS_HOME/jobs" 2>/dev/null | tail -220
# Job configs, build records and build logs modified in the last 14 days
find "$JENKINS_HOME/jobs" -type f -mtime -14 2>/dev/null | grep -E 'config\.xml|build\.xml|log$' | head -160
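The grep above only tells you the plugins are installed; deciding whether an installed version falls inside an affected range is where reviews go wrong, because newer Jenkins plugins use `NNN.vHASH` versions that do not sort as plain dotted numbers. The following script is an added example for this page (not Jenkins or Ping7 code): it parses saved `list-plugins` output against the advisory table, comparing only the leading integer of each dot-separated component and ignoring the git-hash suffix. The column layout of `list-plugins` output and the short names `zap` and `assembla` are assumptions; the sample lines are constructed, not captured from a real controller.

```python
"""Flag installed Jenkins plugins that fall inside the advisory's affected ranges.
Added example for this advisory page, not Jenkins or Ping7 code."""
import re

# Affected ranges copied from the advisory table: short name -> (last affected version, CVEs).
# Short names 'zap' and 'assembla' are assumptions; the other two appear in the grep above.
AFFECTED = {
    "script-security": ("1402.v94c9ce464861", ["CVE-2026-57280", "CVE-2026-57281"]),
    "external-workspace-manager": ("1.3.2", ["CVE-2026-57296"]),
    "zap": ("1.0.7", ["CVE-2026-57301"]),
    "assembla": ("1.4", ["CVE-2026-57303"]),
}

# Constructed sample of `list-plugins` output (assumed layout: short name, display name, version,
# optionally followed by an available newer version in parentheses).
SAMPLE = """\
script-security              Script Security Plugin             1402.v94c9ce464861
external-workspace-manager   External Workspace Manager Plugin  1.3.2
zap                          OWASP ZAP Jenkins Plugin           1.0.8
assembla                     Assembla Plugin                    1.4 (1.5)
git                          Git plugin                         5.2.1
"""


def version_key(version):
    """Map '1402.v94c9ce464861' or '1.3.2' to a comparable tuple of integers.
    Only the leading digits of each dot-separated part count; the 'vHASH'
    suffix of incremental Jenkins releases carries no ordering and is dropped."""
    key = []
    for part in version.split("."):
        m = re.match(r"\d+", part)
        if m is None:
            break
        key.append(int(m.group()))
    return tuple(key)


def is_affected(short_name, version):
    """True when the installed version is at or below the last affected version."""
    if short_name not in AFFECTED:
        return False
    last_bad, _ = AFFECTED[short_name]
    return version_key(version) <= version_key(last_bad)


def parse_list_plugins(text):
    """Return {short_name: installed_version} from list-plugins output."""
    plugins = {}
    for line in text.splitlines():
        line = re.sub(r"\s*\([^)]*\)\s*$", "", line.strip())  # drop '(newer)' suffix
        tokens = line.split()
        if len(tokens) >= 2:
            plugins[tokens[0]] = tokens[-1]
    return plugins


def report(text):
    """Return [(short_name, installed_version, [CVE, ...])] for affected plugins, sorted by name."""
    findings = []
    for name, version in sorted(parse_list_plugins(text).items()):
        if is_affected(name, version):
            findings.append((name, version, AFFECTED[name][1]))
    return findings


if __name__ == "__main__":
    for name, version, cves in report(SAMPLE):
        print(f"{name} {version}: affected by {', '.join(cves)}")
```

Feed it the real output with `list-plugins > plugins.txt` and `report(open("plugins.txt").read())`; a version that is above the listed threshold (here `zap` 1.0.8) is reported as clean, while an equal version is still affected.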

What to review

  • Installed plugin versions and whether the June 24 advisory fixes are applied.
  • Users with Item/Configure, Job/Configure, Script approval, or Pipeline authoring access.
  • Recent Pipeline edits, sandboxed Groovy scripts, script approvals, and rejected signatures.
  • External workspace paths, OWASP ZAP job configuration, Assembla server configuration, and controller-side build activity.
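Two of the review items above (sandboxed Groovy scripts and pending script approvals) can be answered directly from files under `$JENKINS_HOME`: a Pipeline job's `config.xml` records whether an inline script runs in the sandbox, and `scriptApproval.xml` records approved and pending signatures and whole-script requests. The script below is an added example for this page, not Jenkins or Ping7 code. The XML it reads is constructed to mirror the usual layout of those two files; the element names are an assumption drawn from that layout, so confirm them against your own controller before relying on the output.

```python
"""Summarise sandbox settings of Pipeline jobs and pending script approvals.
Added example for this advisory page, not Jenkins or Ping7 code.
Element names follow the usual layout of config.xml and scriptApproval.xml (assumption)."""
import xml.etree.ElementTree as ET

# Constructed job configs: job name -> config.xml text.
JOB_CONFIGS = {
    "deploy-prod": """<flow-definition plugin="workflow-job">
  <definition class="org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition" plugin="workflow-cps">
    <script>node { sh 'make deploy' }</script>
    <sandbox>false</sandbox>
  </definition>
</flow-definition>""",
    "unit-tests": """<flow-definition plugin="workflow-job">
  <definition class="org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition" plugin="workflow-cps">
    <script>node { sh 'make test' }</script>
    <sandbox>true</sandbox>
  </definition>
</flow-definition>""",
    "lib-build": """<flow-definition plugin="workflow-job">
  <definition class="org.jenkinsci.plugins.workflow.cps.CpsScmFlowDefinition" plugin="workflow-cps">
    <scriptPath>Jenkinsfile</scriptPath>
    <lightweight>true</lightweight>
  </definition>
</flow-definition>""",
}

# Constructed scriptApproval.xml with one pending whole-script request and one pending signature.
SCRIPT_APPROVAL = """<scriptApproval plugin="script-security">
  <approvedSignatures>
    <string>method java.lang.String trim</string>
  </approvedSignatures>
  <pendingScripts>
    <pendingScript>
      <context><user>alice</user><item>deploy-prod</item></context>
      <hash>constructed-hash-1</hash>
      <script>node { sh 'make deploy' }</script>
      <language>groovy</language>
    </pendingScript>
  </pendingScripts>
  <pendingSignatures>
    <pendingSignature>
      <context><user>bob</user><item>unit-tests</item></context>
      <signature>staticMethod java.lang.System getenv java.lang.String</signature>
      <dangerous>false</dangerous>
    </pendingSignature>
  </pendingSignatures>
</scriptApproval>"""


def classify_job(config_xml):
    """Return (kind, sandboxed) for one Pipeline config.xml.
    kind is 'inline' (script stored in the job), 'scm' (Jenkinsfile from SCM,
    which always runs sandboxed) or 'other' (not a Pipeline definition)."""
    root = ET.fromstring(config_xml)
    definition = root.find("definition")
    if definition is None:
        return ("other", None)
    cls = definition.get("class", "")
    if cls.endswith("CpsFlowDefinition"):
        sandboxed = definition.findtext("sandbox", default="false").strip().lower() == "true"
        return ("inline", sandboxed)
    if cls.endswith("CpsScmFlowDefinition"):
        return ("scm", True)
    return ("other", None)


def jobs_needing_attention(configs):
    """Inline-script jobs with the sandbox switched off: these run with full
    Groovy access after a whole-script approval, so review them first."""
    return sorted(name for name, xml in configs.items() if classify_job(xml) == ("inline", False))


def pending_approvals(approval_xml):
    """List pending whole-script and signature requests as (kind, user, job, detail)."""
    root = ET.fromstring(approval_xml)
    out = []
    for ps in root.iterfind("pendingScripts/pendingScript"):
        out.append(("script", ps.findtext("context/user"), ps.findtext("context/item"), ps.findtext("hash")))
    for sig in root.iterfind("pendingSignatures/pendingSignature"):
        out.append(("signature", sig.findtext("context/user"), sig.findtext("context/item"), sig.findtext("signature")))
    return out


def approved_signatures(approval_xml):
    """Signatures already whitelisted for sandboxed scripts; each one widens the sandbox."""
    root = ET.fromstring(approval_xml)
    return [s.text for s in root.iterfind("approvedSignatures/string")]


if __name__ == "__main__":
    print("Inline jobs without sandbox:", jobs_needing_attention(JOB_CONFIGS))
    for entry in pending_approvals(SCRIPT_APPROVAL):
        print("Pending", *entry)
    print("Approved signatures:", approved_signatures(SCRIPT_APPROVAL))
```

On a real controller, read each `$JENKINS_HOME/jobs/<name>/config.xml` into `JOB_CONFIGS` (the `find` in the self-check lists the recently modified ones) and pass `$JENKINS_HOME/scriptApproval.xml` to the two approval functions; the pending entries name the user and job that requested them, which is the starting point for the access review in step 2 of the fix path.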

Safe fix path

  1. Update affected Jenkins plugins from the June 24, 2026 advisory.
  2. Temporarily restrict users who can configure jobs or run sandboxed scripts during review.
  3. Preserve controller logs, job config history, and build logs before cleanup.
  4. Rotate Jenkins credentials if controller files, secrets, or plugin configurations may have been exposed.

Repair help

Use Ping7 CVE Repair when Jenkins job configs changed, controller builds ran unexpectedly, or script approvals need incident review.
