CVE-2026-42521

MEDIUM

Jenkins Project Jenkins Matrix Authorization Strategy Plugin < 3.2.9 - Information Disclosure

Title source: rule
STIX 2.1

Description

Jenkins Matrix Authorization Strategy Plugin 2.0-beta-1 through 3.2.9 (both inclusive) invokes parameterless constructors of classes specified in configuration when deserializing inheritance strategies, without restricting the classes that can be instantiated, allowing attackers with Item/Configure permission to instantiate arbitrary types, which may lead to information disclosure or other impacts depending on the classes available on the classpath.

References (1)

Core 1
Core References
Vendor Advisory vendor-advisory
Jenkins Security Advisory 2026-04-29
https://www.jenkins.io/security/advisory/2026-04-29/#SECURITY-3676

Scores

CVSS v3 6.5
EPSS 0.0025
EPSS Percentile 15.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-502
Status published
Products (4)
jenkins/matrix_authorization_strategy 2.0 beta1 (3 CPE variants)
jenkins/matrix_authorization_strategy 2.1 - 3.2.10
Jenkins Project/Jenkins Matrix Authorization Strategy Plugin 2.0-beta-1 - 3.2.9
org.jenkins-ci.plugins/matrix-auth 2.0-beta-1 - 3.2.10Maven
Published Apr 29, 2026
Tracked Since Apr 29, 2026