Red Hat Product Errata RHSA-2025:10092 - Security Advisory
Issued:
2025-07-01
Updated:
2025-07-01

RHSA-2025:10092 - Security Advisory

Synopsis

Important: Red Hat Product OCP Tools 4.18 OpenShift Jenkins security update

Type/Severity

Security Advisory: Important

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for Openshift Jenkins is now available for Red Hat Product OCP
Tools 4.18. Red Hat Product Security has rated this update as having a
security impact of important.
A Common Vulnerability Scoring System (CVSS) base score, which gives a
detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

Description

Jenkins is a continuous integration server that monitors executions of
repeated jobs, such as building a software project or jobs run by cron.

Security Fix(es):

  • jenkins-2-plugins: Potential DoS via stack exhaustion (incomplete fix for

CVE-2023-1370) (CVE-2024-57699)

  • jenkins: CVE-2025-22228: Spring Security BCryptPasswordEncoder does not

enforce maximum password length (CVE-2025-22228)

  • jenkins: Jetty HTTP/2 Header List Size Vulnerability (CVE-2025-1948)
  • jenkins: jackson-core Potential StackoverflowError (CVE-2025-52999)
  • jenkins-2-plugins: jackson-core Potential StackoverflowError

(CVE-2025-52999)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258

Affected Products

  • OpenShift Developer Tools and Services 4.18 x86_64
  • OpenShift Developer Tools and Services 4.18 s390x
  • OpenShift Developer Tools and Services 4.18 ppc64le
  • OpenShift Developer Tools and Services 4.18 aarch64

Fixes

  • BZ - 2344073 - CVE-2024-57699 json-smart: Potential DoS via stack exhaustion (incomplete fix for CVE-2023-1370)
  • BZ - 2353507 - CVE-2025-22228 spring-security-core: Spring Security BCryptPasswordEncoder does not enforce maximum password length
  • BZ - 2365137 - CVE-2025-1948 jetty-http2-common: Jetty HTTP/2 Header List Size Vulnerability
  • BZ - 2374804 - CVE-2025-52999 com.fasterxml.jackson.core/jackson-core: jackson-core Potential StackoverflowError

OpenShift Developer Tools and Services 4.18

SRPM
jenkins-2-plugins-4.18.1750846854-1.el9.src.rpm SHA-256: 7f22e522d61b9249c79585320057695f29b8ce31f931a14d96139ec21ee1e559
jenkins-2.504.2.1750846524-3.el9.src.rpm SHA-256: a2499703494be07b5254cd45f7f4f5ca411d8254a152057535d2b775ff9bc923
x86_64
jenkins-2-plugins-4.18.1750846854-1.el9.noarch.rpm SHA-256: da0567f53b19ef2d293be5def4b43dcc49d9d06b7f2c6c4de0e272a32fb6b6ec
jenkins-2.504.2.1750846524-3.el9.noarch.rpm SHA-256: 91ec8275556260d32b1c862f4809692aac8a5b565d1337c89067828955274f7c
s390x
jenkins-2-plugins-4.18.1750846854-1.el9.noarch.rpm SHA-256: da0567f53b19ef2d293be5def4b43dcc49d9d06b7f2c6c4de0e272a32fb6b6ec
jenkins-2.504.2.1750846524-3.el9.noarch.rpm SHA-256: 91ec8275556260d32b1c862f4809692aac8a5b565d1337c89067828955274f7c
ppc64le
jenkins-2-plugins-4.18.1750846854-1.el9.noarch.rpm SHA-256: da0567f53b19ef2d293be5def4b43dcc49d9d06b7f2c6c4de0e272a32fb6b6ec
jenkins-2.504.2.1750846524-3.el9.noarch.rpm SHA-256: 91ec8275556260d32b1c862f4809692aac8a5b565d1337c89067828955274f7c
aarch64
jenkins-2-plugins-4.18.1750846854-1.el9.noarch.rpm SHA-256: da0567f53b19ef2d293be5def4b43dcc49d9d06b7f2c6c4de0e272a32fb6b6ec
jenkins-2.504.2.1750846524-3.el9.noarch.rpm SHA-256: 91ec8275556260d32b1c862f4809692aac8a5b565d1337c89067828955274f7c

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.