Red Hat issued a security advisory (RHSA-2025:23487) for OpenShift Jenkins 4.12 within the OpenShift Developer Tools suite, addressing two vulnerabilities (CVE-2025-4949 and CVE-2025-67635) related to weaknesses categorized under CWE-611 (Improper Restriction of XML External Entity Reference) and CWE-459 (Incomplete Cleanup). The update bundles a newer OpenShift client (oc) version. The advisory recommends upgrading existing installations to the latest image version. No known exploits in the wild have been reported. The vendor advisory does not specify detailed technical exploit mechanisms or CVSS scores.

The vulnerabilities affect Red Hat OpenShift Developer Tools - Openshift Jenkins 4.12 and could potentially allow security issues related to XML external entity processing and incomplete cleanup. The impact is rated medium by Red Hat. No known active exploitation has been reported. The update improves security posture by including a newer OpenShift client version.

Red Hat recommends that all users of OpenShift Jenkins 4.12 upgrade to the latest available version of the OpenShift Developer Tools image that includes the security update. If Jenkins pipelines require a specific OpenShift client (oc) version, users should explicitly configure this in their Jenkins pipeline tools directive. No additional mitigations are specified or required according to the vendor advisory.