Is Jenkins 2.492.3-lts impacted by CVE-2025-22228 or is it a false-positive?

The latest Jenkins LTS release (2.492.3-lts) from April 2, 2025, has a Trivy-detectable vulnerability in jenkins.war:

Java (jar)
==========
Total: 1 (HIGH: 1, CRITICAL: 0)

┌─────────────────────────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬──────────────────────────────────────────────────────┬─────────────────────────────────────────────────────────────┐
│                       Library                       │ Vulnerability  │ Severity │ Status │ Installed Version │                    Fixed Version                     │                            Title                            │
├─────────────────────────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼──────────────────────────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│ org.springframework.security:spring-security-crypto │ CVE-2025-22228 │ HIGH     │ fixed  │ 6.4.2             │ 6.3.8, 6.4.4, 6.2.10, 6.1.14, 6.0.16, 5.8.18, 5.7.16 │ spring-security-core: Spring Security BCryptPasswordEncoder │
│ (jenkins.war)                                       │                │          │        │                   │                                                      │ does not enforce maximum password length                    │
│                                                     │                │          │        │                   │                                                      │ https://avd.aquasec.com/nvd/cve-2025-22228                  │
└─────────────────────────────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────────────────────────────────────────┴─────────────────────────────────────────────────────────────┘

This issue was originally registered in CVE databases on March 19, 2025, and yet there’s no mention of it in the Jenkins Security Advisories for March or April 2025. The 2.504 weekly release from the same day does not show this vulnerability.
Is the vulnerability detected in the LTS version a false positive?
If not, can we update that spring-security-crypto on our end in the released container image? Or is a fix for the LTS variant still in the works and should we be expecting it very soon (if so, when)?


It’s not technically a false positive finding, as an affected release of Spring Security is included in Jenkins 2.492.3. We’re not using that implementation of bcrypt though, and besides that it’s just not a particularly relevant vulnerability. Or are any of your users known to use passwords longer than 72 bytes UTF-8? Do your password policies require that?

If you are concerned about (barely) outdated dependencies, I can recommend switching to weekly releases. We’re pretty good at updating most dependencies fairly quickly, so that should take care of most such findings.
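The reply above turns on one number: bcrypt hashes at most 72 bytes of UTF-8 input, and an encoder that does not enforce that limit silently ignores the rest. The following is an added example (not code from the thread, from Jenkins, or from Spring Security) that makes that limit concrete from a defender's side: it measures a password the way bcrypt sees it (bytes, not characters), shows why two long passwords can verify against each other's hash, and checks whether a character-count password policy actually guarantees the byte bound. All function names and the sample values are my own.

```python
"""Added example: checks around the bcrypt 72-byte input limit that
CVE-2025-22228 concerns. Function and constant names are assumptions, not
Spring Security or Jenkins APIs."""

BCRYPT_MAX_BYTES = 72  # bcrypt hashes at most 72 bytes; anything beyond is ignored


def utf8_len(password: str) -> int:
    """Byte length of the password as bcrypt would see it (UTF-8 encoded)."""
    return len(password.encode("utf-8"))


def exceeds_bcrypt_limit(password: str) -> bool:
    """True if part of this password would be silently dropped by an
    encoder that does not enforce the maximum length."""
    return utf8_len(password) > BCRYPT_MAX_BYTES


def effective_input(password: str) -> bytes:
    """The bytes that actually influence the hash: the first 72 UTF-8 bytes."""
    return password.encode("utf-8")[:BCRYPT_MAX_BYTES]


def same_effective_input(a: str, b: str) -> bool:
    """Two different passwords verify against each other's hash when their
    first 72 bytes match; that is the practical impact of the finding."""
    return effective_input(a) == effective_input(b)


def policy_bounds_bcrypt_input(max_chars: int, max_bytes_per_char: int = 4) -> bool:
    """Does a character-count password policy guarantee the byte limit?
    A 'max 64 characters' rule does not, because UTF-8 uses up to 4 bytes
    per character; only max_chars * max_bytes_per_char <= 72 is safe."""
    return max_chars * max_bytes_per_char <= BCRYPT_MAX_BYTES


def validate_new_password(password: str) -> None:
    """Reject over-long input at password-set time, the defensive
    equivalent of the 'enforce maximum password length' behaviour named
    in the finding's title."""
    if exceeds_bcrypt_limit(password):
        raise ValueError(
            f"password is {utf8_len(password)} UTF-8 bytes; bcrypt uses only "
            f"the first {BCRYPT_MAX_BYTES}"
        )


if __name__ == "__main__":
    # Constructed sample values.
    base = "a" * 72
    print(same_effective_input(base + "X", base + "Y"))  # True: the tail is ignored
    print(exceeds_bcrypt_limit("\u00e9" * 40))           # True: 40 chars but 80 bytes
    print(policy_bounds_bcrypt_input(64))                # False
    print(policy_bounds_bcrypt_input(18))                # True
```

The `policy_bounds_bcrypt_input` check is the one to run against an existing password policy before answering "do any of your users use passwords longer than 72 bytes": a limit stated in characters only bounds the bytes if the allowed alphabet is taken into account.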

Thanks @danielbeck, so one can treat this finding as not_affected (in CycloneDX v1.6 Vulnerabilities Analysis terms), and potentially an official fix with a bump in LTS will be released within the next LTS releases?
I was considering switching to weekly releases, but in my environment the Jenkins deployment entails a lot of extra semi-automated and automated processing which would need to be adapted to the weekly images scheme, and that means some time… Thus, I wanted to ask here about this high vulnerability’s impact on the tool in question, as it would be simpler to temporarily mark this finding as not impacting due to no usage of the problematic method.
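The "mark it not_affected in CycloneDX terms" approach mentioned above is a VEX analysis record. As an added example (not from the thread, Jenkins, Trivy, or the CycloneDX project), the script below builds that record for the finding in the table, validates it against the CycloneDX `analysis` enumerations, and applies it to a Trivy JSON report so the finding is annotated rather than silently dropped. The Trivy report is a constructed sample in the shape of Trivy's JSON output, not real scanner output; the package-to-purl mapping from Trivy's `group:artifact` naming and all function names are my own assumptions, and the maintainer statement quoted in the `detail` field is the one given in this thread.

```python
"""Added example: record a not_affected triage decision as a CycloneDX 1.6
VEX analysis and reconcile it with a Trivy JSON report. Sample data is
constructed; function names are assumptions."""
import json

# Enumerations of the CycloneDX vulnerability 'analysis' object.
VEX_STATES = {"resolved", "resolved_with_pedigree", "exploitable",
              "in_triage", "false_positive", "not_affected"}
VEX_JUSTIFICATIONS = {"code_not_present", "code_not_reachable",
                      "requires_configuration", "requires_dependency",
                      "requires_environment", "protected_by_compiler",
                      "protected_at_runtime", "protected_at_perimeter",
                      "protected_by_mitigating_control"}
# States under which a finding needs no further action.
SUPPRESSING_STATES = {"not_affected", "false_positive"}


def maven_purl(pkg_name: str, version: str) -> str:
    """Trivy names Maven packages 'group:artifact'; turn that into a purl
    (assumed mapping, matching the purl spec for type 'maven')."""
    if ":" not in pkg_name:
        raise ValueError(f"not a Maven coordinate: {pkg_name}")
    group, artifact = pkg_name.split(":", 1)
    return f"pkg:maven/{group}/{artifact}@{version}"


def vex_entry(cve: str, purl: str, state: str, justification: str, detail: str) -> dict:
    """One CycloneDX 'vulnerabilities[]' item carrying an analysis decision."""
    if state not in VEX_STATES or justification not in VEX_JUSTIFICATIONS:
        raise ValueError("not a CycloneDX analysis state / justification")
    return {
        "id": cve,
        "source": {"name": "NVD", "url": f"https://avd.aquasec.com/nvd/{cve.lower()}"},
        "analysis": {"state": state, "justification": justification,
                     "response": ["will_not_fix"], "detail": detail},
        "affects": [{"ref": purl}],
    }


def vex_document(entries: list) -> dict:
    """Minimal standalone CycloneDX 1.6 VEX document."""
    return {"bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
            "vulnerabilities": entries}


def apply_vex(trivy_report: dict, vex: dict) -> list:
    """Annotate every Trivy finding with its VEX state, or 'in_triage' if
    no decision exists for that (CVE, purl) pair. Nothing is discarded."""
    decisions = {(v["id"], a["ref"]): v["analysis"]["state"]
                 for v in vex["vulnerabilities"] for a in v["affects"]}
    annotated = []
    for result in trivy_report.get("Results", []):
        for vuln in result.get("Vulnerabilities", []):
            purl = maven_purl(vuln["PkgName"], vuln["InstalledVersion"])
            state = decisions.get((vuln["VulnerabilityID"], purl), "in_triage")
            annotated.append({"id": vuln["VulnerabilityID"], "purl": purl,
                              "severity": vuln["Severity"], "state": state})
    return annotated


def open_findings(annotated: list) -> list:
    """Findings that still need action after triage."""
    return [f for f in annotated if f["state"] not in SUPPRESSING_STATES]


# Constructed sample in the shape of Trivy's JSON output for the table above.
TRIVY_REPORT = {"Results": [{"Target": "jenkins.war", "Type": "jar", "Vulnerabilities": [{
    "VulnerabilityID": "CVE-2025-22228",
    "PkgName": "org.springframework.security:spring-security-crypto",
    "InstalledVersion": "6.4.2",
    "FixedVersion": "6.3.8, 6.4.4, 6.2.10, 6.1.14, 6.0.16, 5.8.18, 5.7.16",
    "Severity": "HIGH", "Status": "fixed"}]}]}

# The triage decision from this thread, recorded as VEX.
VEX = vex_document([vex_entry(
    "CVE-2025-22228",
    maven_purl("org.springframework.security:spring-security-crypto", "6.4.2"),
    "not_affected", "code_not_reachable",
    "Jenkins 2.492.3 bundles the affected library but does not use Spring "
    "Security's bcrypt implementation (maintainer statement in this thread).")])

if __name__ == "__main__":
    print(json.dumps(VEX, indent=2))
    print(json.dumps(apply_vex(TRIVY_REPORT, VEX), indent=2))
    print("open findings:", open_findings(apply_vex(TRIVY_REPORT, VEX)))
```

Keying the decision on the (CVE, purl) pair rather than on the CVE alone matters: when the LTS line later ships a bumped spring-security-crypto, the installed version changes, the old record no longer matches, and the finding comes back as `in_triage` instead of staying silently suppressed.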