Red Hat issued a security advisory (RHSA-2025:23486) for OpenShift Developer Tools - Openshift Jenkins 4.15, addressing two CVEs: CVE-2025-4949 and CVE-2025-67635. The advisory announces a security update that includes an updated OpenShift client (oc) version bundled in the Jenkins image. The vulnerabilities correspond to CWE-611 (Improper Restriction of XML External Entity Reference) and CWE-459 (Incomplete Cleanup). The advisory recommends upgrading existing installations to the latest image version. No detailed technical exploit information or patch version numbers are provided. The affected product is Red Hat OpenShift Developer Tools and Services 4.15.

The vulnerabilities addressed have a medium severity rating. They relate to potential security weaknesses in the OpenShift Jenkins tooling environment, specifically involving XML external entity processing and incomplete cleanup issues. Exploitation could impact the security posture of Jenkins pipelines using OpenShift Developer Tools. No known exploits in the wild have been reported.

Red Hat recommends that users of OpenShift Developer Tools - Openshift Jenkins 4.15 upgrade to the latest available version that includes the updated OpenShift client (oc). If Jenkins pipelines require a specific oc version, users should explicitly configure it using the Jenkins pipeline tools directive. No other mitigation or workaround is specified. Patch status is not explicitly confirmed in the advisory; users should follow Red Hat's official update channels for the latest images and updates.