Jenkins is an open-source continuous integration tool written in Java. Jenkins provides continuous integration services for software development. It is a server-based system running in a servlet container such as Apache Tomcat. It supports SCM tools including AccuRev, CVS, Subversion, Git, Mercurial, Perforce, ClearCase, and RTC, and can execute Apache Ant and Apache Maven-based projects as well as arbitrary shell scripts and Windows batch commands.

Jenkins

Spring Security is a powerful and highly customizable authentication and access-control framework for Java applications, particularly those built using Spring Framework. It provides comprehensive security services for Java EE-based enterprise software applications, offering features like authentication, authorization, and protection against common security vulnerabilities.

Spring Security

The fix applied in CVE-2025-22228 inadvertently broke the timing attack mitigation implemented in DaoAuthenticationProvider. This can allow attackers to infer valid usernames or other authentication behavior via response-time differences under certain configurations.

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2026-22732	CRITICAL	9.1	Java	org.springframework.security:spring-security-web	No	Yes	Mar 19, 2026
CVE-2026-33001	HIGH	8.8	Java	cpe:2.3:a:jenkins:jenkins	No	Yes	Mar 18, 2026
CVE-2026-33002	HIGH	7.5	Java	cpe:2.3:a:jenkins:jenkins	No	Yes	Mar 18, 2026
CVE-2026-1605	HIGH	7.5	Java	jetty12	No	Yes	Mar 05, 2026
CVE-2025-11143	MEDIUM	6.5	Java	apache-tika-3.0	No	Yes	Mar 05, 2026

CVE-2025-22234:
Jenkins vulnerability analysis and mitigation

5.3

Related Jenkins vulnerabilities:

Benchmark your Cloud Security Posture

Additional Wiz resources

Cloud Vulnerability DB

Cloud Threat Landscape

PEACH

Ready to see Wiz in action?

CVE-2025-22234: Jenkins vulnerability analysis and mitigation