Whether v2.504.1 or v2.504.2, it appears all LTS releases are impacted by CVE-2025-48734 per recent Trivy scans, e.g.:
Java (jar)
==========
Total: 2 (HIGH: 2, CRITICAL: 0)
┌───────────────────────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├───────────────────────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ commons-beanutils:commons-beanutils (jenkins.war) │ CVE-2025-48734 │ HIGH │ fixed │ 1.10.1 │ 1.11.0 │ Improper Access Control vulnerability in Apache Commons. A │
│ │ │ │ │ │ │ special... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-48734 │
├───────────────────────────────────────────────────┤ │ │ ├───────────────────┤ │ │
│ commons-beanutils:commons-beanutils │ │ │ │ 1.9.4 │ │ │
│ (jenkins-plugin-manager.jar) │ │ │ │ │ │ │
│ │ │ │ │ │ │ │
└───────────────────────────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘
Does anyone know if the described vulnerability is not applicable to any of the recent LTS releases and should be treated as a false positive?
Or is it fixed in some other Jenkins version and a new LTS release is already scheduled to tackle this high vulnerability CVE by JAR/WAR packaging updated commons-beanutils?