{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-67635", "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "state": "PUBLISHED", "assignerShortName": "jenkins", "dateReserved": "2025-12-09T17:33:01.215Z", "datePublished": "2025-12-10T16:50:35.491Z", "dateUpdated": "2025-12-16T13:36:56.086Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "product": "Jenkins", "vendor": "Jenkins Project", "versions": [{"lessThan": "*", "status": "unaffected", "version": "2.541", "versionType": "maven"}, {"lessThan": "2.528.*", "status": "unaffected", "version": "2.528.3", "versionType": "maven"}]}], "descriptions": [{"lang": "en", "value": "Jenkins 2.540 and earlier, LTS 2.528.2 and earlier does not properly close HTTP-based CLI connections when the connection stream becomes corrupted, allowing unauthenticated attackers to cause a denial of service."}], "credits": [{"lang": "en", "value": "Camilo Vera Vidales (https://www.linkedin.com/in/camilo-vera-vidales/)", "type": "finder"}], "providerMetadata": {"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins", "dateUpdated": "2025-12-16T13:36:56.086Z"}, "references": [{"name": "Jenkins Security Advisory 2025-12-10", "tags": ["vendor-advisory"], "url": "https://www.jenkins.io/security/advisory/2025-12-10/#SECURITY-3630"}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-404", "lang": "en", "description": "CWE-404 Improper Resource Shutdown or Release"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-12-10T17:33:51.868670Z", "id": "CVE-2025-67635", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-10T17:35:17.788Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-67635", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-10T17:33:51.868670Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-404", "description": "CWE-404 Improper Resource Shutdown or Release"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-10T17:14:17.297Z"}}], "cna": {"credits": [{"lang": "en", "type": "finder", "value": "Camilo Vera Vidales (https://www.linkedin.com/in/camilo-vera-vidales/)"}], "affected": [{"vendor": "Jenkins Project", "product": "Jenkins", "versions": [{"status": "unaffected", "version": "2.541", "lessThan": "*", "versionType": "maven"}, {"status": "unaffected", "version": "2.528.3", "lessThan": "2.528.*", "versionType": "maven"}], "defaultStatus": "affected"}], "references": [{"url": "https://www.jenkins.io/security/advisory/2025-12-10/#SECURITY-3630", "name": "Jenkins Security Advisory 2025-12-10", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en", "value": "Jenkins 2.540 and earlier, LTS 2.528.2 and earlier does not properly close HTTP-based CLI connections when the connection stream becomes corrupted, allowing unauthenticated attackers to cause a denial of service."}], "providerMetadata": {"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins", "dateUpdated": "2025-12-16T13:36:56.086Z"}}}, "cveMetadata": {"cveId": "CVE-2025-67635", "state": "PUBLISHED", "dateUpdated": "2025-12-16T13:36:56.086Z", "dateReserved": "2025-12-09T17:33:01.215Z", "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "datePublished": "2025-12-10T16:50:35.491Z", "assignerShortName": "jenkins"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*", "matchCriteriaId": "A276E9FE-7CB8-4B6B-A399-14C0E7B10BC4", "versionEndExcluding": "2.528.3", "vulnerable": true}, {"criteria": "cpe:2.3:a:jenkins:jenkins:*:*:*:*:-:*:*:*", "matchCriteriaId": "F2388D03-0340-4C73-97B7-FB06AB6E972B", "versionEndExcluding": "2.541", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Jenkins 2.540 and earlier, LTS 2.528.2 and earlier does not properly close HTTP-based CLI connections when the connection stream becomes corrupted, allowing unauthenticated attackers to cause a denial of service."}], "id": "CVE-2025-67635", "lastModified": "2025-12-17T17:39:45.483", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-12-10T17:15:55.950", "references": [{"source": "jenkinsci-cert@googlegroups.com", "tags": ["Vendor Advisory"], "url": "https://www.jenkins.io/security/advisory/2025-12-10/#SECURITY-3630"}], "sourceIdentifier": "jenkinsci-cert@googlegroups.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-404"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "org.jenkins-ci.main/jenkins-core: Jenkins HTTP connection mis-handling", "id": "2420998", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2420998"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-459", "details": ["No description is available for this CVE."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2025-67635", "package_state": [{"cpe": "cpe:/a:redhat:ocp_tools", "fix_state": "Affected", "package_name": "jenkins", "product_name": "OpenShift Developer Tools and Services"}], "public_date": "2025-12-10T16:50:35Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-67635\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-67635\nhttps://www.jenkins.io/security/advisory/2025-12-10/#SECURITY-3630"], "threat_severity": "Moderate"}

{"created": "2025-12-10T21:33:13.919344+00:00", "updated": "2025-12-10T21:33:13.919381+00:00", "vendors": ["jenkins", "jenkins$PRODUCT$jenkins"]}