Is CVE-2025-48734 impacting Jenkins LTS or is it a false positive?

mkarwin_atos · May 29, 2025, 8:58am

Whether v2.504.1 or v2.504.2, it appears all LTS releases are impacted by CVE-2025-48734 per recent Trivy scans, eg.:

Java (jar)
==========
Total: 2 (HIGH: 2, CRITICAL: 0)

┌───────────────────────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
│                      Library                      │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                           Title                            │
├───────────────────────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ commons-beanutils:commons-beanutils (jenkins.war) │ CVE-2025-48734 │ HIGH     │ fixed  │ 1.10.1            │ 1.11.0        │ Improper Access Control vulnerability in Apache Commons. A │
│                                                   │                │          │        │                   │               │ special...                                                 │
│                                                   │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-48734                 │
├───────────────────────────────────────────────────┤                │          │        ├───────────────────┤               │                                                            │
│ commons-beanutils:commons-beanutils               │                │          │        │ 1.9.4             │               │                                                            │
│ (jenkins-plugin-manager.jar)                      │                │          │        │                   │               │                                                            │
│                                                   │                │          │        │                   │               │                                                            │
└───────────────────────────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘

Anyone knows if the described vulnerability is not applicable to any of the recent LTS releases and should be treated as a false-positive?
Or is it fixed in some other Jenkins version and a new LTS release is already scheduled to tackle this high vulnerability CVE by JAR/WAR packaging updated commons-beanutils?

NotMyFault · May 31, 2025, 3:13pm

If I remember correctly, Jenkins does not consider vulnerabilities in dependencies as valid, until there is a reproducible case submitted proven Jenkins is impacted by these. Commonly, you would just ignore these these warnings.

Topic		Replies	Views
Is Jenkins 2.492.3-lts impacted by CVE-2025-22228 or is it a false-positive? Using Jenkins question , sig-security	2	224	April 9, 2025
Is Jenkins 2.440.3 impacted by CVE-2024-22262? Using Jenkins docker , sig-security	1	1810	May 10, 2024
Apache Commons Text vulnerability CVE-2022-42889 Ask a question	3	2511	October 21, 2022
Info on Jenkins CVE Community	4	137	July 5, 2024
Mitigating CVE-2023-27898 XSS vulnerability in plugin manager and related Ask a question question , sig-security	1	937	March 16, 2023

Is CVE-2025-48734 impacting Jenkins LTS or is it a false positive?

Related topics