{"api_version":"1","generated_at":"2026-06-25T11:33:11+00:00","cve":"CVE-2026-57284","urls":{"html":"https://cve.report/CVE-2026-57284","api":"https://cve.report/api/cve/CVE-2026-57284.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-57284","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-57284"},"summary":{"title":"CVE-2026-57284","description":"Jenkins Pipeline: Groovy Plugin 4331.v9d06ed4658ff and earlier does not restrict the types that can be instantiated through the Pipeline Snippet Generator, allowing attackers to instantiate types related to job or system configuration other than Pipeline steps.","state":"PUBLISHED","assigner":"jenkins","published_at":"2026-06-24 14:17:34","updated_at":"2026-06-24 15:16:43"},"problem_types":["CWE-470","CWE-470 CWE-470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')"],"metrics":[{"version":"3.1","source":"ADP","type":"DECLARED","score":"4.3","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":4.3,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","integrityImpact":"LOW","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","version":"3.1"}},{"version":"3.1","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","score":"4.3","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"}}],"references":[{"url":"https://www.jenkins.io/security/advisory/2026-06-24/#SECURITY-3677","name":"https://www.jenkins.io/security/advisory/2026-06-24/#SECURITY-3677","refsource":"jenkinsci-cert@googlegroups.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-57284","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-57284","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Jenkins Project","product":"Jenkins Pipeline: Groovy Plugin","version":"affected 4331.v9d06ed4658ff maven","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":4.3,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","integrityImpact":"LOW","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","version":"3.1"}},{"other":{"content":{"id":"CVE-2026-57284","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-06-24T13:59:08.756421Z","version":"2.0.3"},"type":"ssvc"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-470","description":"CWE-470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-06-24T13:59:13.717Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"Jenkins Pipeline: Groovy Plugin","vendor":"Jenkins Project","versions":[{"lessThanOrEqual":"4331.v9d06ed4658ff","status":"affected","version":"0","versionType":"maven"}]}],"descriptions":[{"lang":"en","value":"Jenkins Pipeline: Groovy Plugin 4331.v9d06ed4658ff and earlier does not restrict the types that can be instantiated through the Pipeline Snippet Generator, allowing attackers to instantiate types related to job or system configuration other than Pipeline steps."}],"providerMetadata":{"dateUpdated":"2026-06-24T13:20:06.419Z","orgId":"39769cd5-e6e2-4dc8-927e-97b3aa056f5b","shortName":"jenkins"},"references":[{"name":"Jenkins Security Advisory 2026-06-24","tags":["vendor-advisory"],"url":"https://www.jenkins.io/security/advisory/2026-06-24/#SECURITY-3677"}]}},"cveMetadata":{"assignerOrgId":"39769cd5-e6e2-4dc8-927e-97b3aa056f5b","assignerShortName":"jenkins","cveId":"CVE-2026-57284","datePublished":"2026-06-24T13:20:06.419Z","dateReserved":"2026-06-24T08:41:44.357Z","dateUpdated":"2026-06-24T13:59:13.717Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-06-24 14:17:34","lastModifiedDate":"2026-06-24 15:16:43","problem_types":["CWE-470","CWE-470 CWE-470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')"],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":1.4}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-06-24T13:59:08.756421Z","id":"CVE-2026-57284","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"57284","Ordinal":"1","Title":"CVE-2026-57284","CVE":"CVE-2026-57284","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"57284","Ordinal":"1","NoteData":"Jenkins Pipeline: Groovy Plugin 4331.v9d06ed4658ff and earlier does not restrict the types that can be instantiated through the Pipeline Snippet Generator, allowing attackers to instantiate types related to job or system configuration other than Pipeline steps.","Type":"Description","Title":"CVE-2026-57284"}]}}}