{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-53437","assignerOrgId":"39769cd5-e6e2-4dc8-927e-97b3aa056f5b","state":"PUBLISHED","assignerShortName":"jenkins","dateReserved":"2026-06-09T14:26:44.788Z","datePublished":"2026-06-10T13:05:58.584Z","dateUpdated":"2026-06-30T03:18:42.669Z"},"containers":{"cna":{"providerMetadata":{"orgId":"39769cd5-e6e2-4dc8-927e-97b3aa056f5b","shortName":"jenkins","dateUpdated":"2026-06-10T13:05:58.584Z"},"affected":[{"vendor":"Jenkins Project","product":"Jenkins","versions":[{"version":"2.568","versionType":"maven","lessThan":"*","status":"unaffected"},{"version":"2.555.3","versionType":"maven","lessThan":"2.555.*","status":"unaffected"}],"defaultStatus":"affected"}],"descriptions":[{"lang":"en","value":"Jenkins 2.567 and earlier, LTS 2.555.2 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins when it contains tab or newline characters between `//`, allowing attackers to perform phishing attacks."}],"references":[{"name":"Jenkins Security Advisory 2026-06-10","url":"https://www.jenkins.io/security/advisory/2026-06-10/#SECURITY-3711+3755","tags":["vendor-advisory"]}]},"adp":[{"problemTypes":[{"descriptions":[{"type":"CWE","cweId":"CWE-601","lang":"en","description":"CWE-601 URL Redirection to Untrusted Site ('Open Redirect')"}]}],"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":4.3,"attackVector":"NETWORK","baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N","integrityImpact":"LOW","userInteraction":"REQUIRED","attackComplexity":"LOW","availabilityImpact":"NONE","privilegesRequired":"NONE","confidentialityImpact":"NONE"}},{"other":{"type":"ssvc","content":{"timestamp":"2026-06-10T15:42:49.165047Z","id":"CVE-2026-53437","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-06-10T15:43:26.825Z"}},{"affected":[{"cpes":["cpe:/a:redhat:ocp_tools"],"defaultStatus":"affected","product":"OpenShift Developer Tools and Services","vendor":"Red Hat"}],"datePublic":"2026-06-10T13:05:58.584Z","descriptions":[{"lang":"en","value":"A flaw was found in Jenkins. This vulnerability allows a remote attacker to perform phishing attacks by crafting a malicious redirect URL. The flaw occurs because Jenkins improperly validates redirect URLs after login, specifically when tab or newline characters are present between the `//` in the URL. This can trick users into visiting malicious sites, potentially leading to credential theft or other security compromises."}],"metrics":[{"other":{"content":{"namespace":"https://access.redhat.com/security/updates/classification/","value":"Important"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":7.4,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"CHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-601","description":"URL Redirection to Untrusted Site ('Open Redirect')","lang":"en","type":"CWE"}]}],"references":[{"tags":["vdb-entry","x_refsource_REDHAT"],"url":"https://access.redhat.com/security/cve/CVE-2026-53437"},{"name":"RHBZ#2487544","tags":["issue-tracking","x_refsource_REDHAT"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2487544"},{"tags":["x_sadp-csaf-vex"],"url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-53437.json"}],"timeline":[{"lang":"en","time":"2026-06-10T14:01:45.853Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-06-10T13:05:58.584Z","value":"Made public."}],"title":"jenkins: Jenkins: Phishing attack via improper redirect URL validation","workarounds":[{"lang":"en","value":"Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}],"x_adpType":"supplier","x_generator":{"engine":"sadp-cli 1.0.0"},"providerMetadata":{"orgId":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","shortName":"redhat-SADP","dateUpdated":"2026-06-30T03:18:42.669Z"}}]}}