Red Hat issued a security advisory (RHSA-2025:23491) for OpenShift Jenkins 4.20 within Red Hat OpenShift Developer Tools addressing two vulnerabilities (CVE-2025-4949 and CVE-2025-67635) categorized under CWE-611 (Improper Restriction of XML External Entity Reference) and CWE-459 (Incomplete Cleanup). The advisory announces the release of an updated Jenkins 4.20 image that includes a newer OpenShift client (oc) version. The update is recommended to users to ensure security. No detailed technical exploit or patch information is provided beyond the recommendation to upgrade. There are no known exploits in the wild reported at this time.

The vulnerabilities affect Red Hat OpenShift Developer Tools - Openshift Jenkins 4.20 and could potentially allow security issues related to XML external entity processing and incomplete cleanup. The exact impact is not detailed, but the medium severity suggests moderate risk. No active exploitation is known.

Red Hat recommends that existing users of OpenShift Jenkins 4.20 upgrade to the latest available version which includes the updated OpenShift client (oc). If Jenkins pipelines require a specific oc version, users should explicitly configure it using the Jenkins pipeline tools directive. No other mitigation or workaround is provided. Patch status is confirmed as available via the updated image release.