Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2022-30945 (GCVE-0-2022-30945)
Vulnerability from cvelistv5 – Published: 2022-05-17 14:05 – Updated: 2024-08-03 07:03
VLAI
EPSS
Summary
Jenkins Pipeline: Groovy Plugin 2689.v434009a_31b_f1 and earlier allows loading any Groovy source files on the classpath of Jenkins and Jenkins plugins in sandboxed pipelines.
Severity
No CVSS data available.
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.jenkins.io/security/advisory/2022-05-… | x_refsource_CONFIRM |
| http://www.openwall.com/lists/oss-security/2022/05/17/8 | mailing-listx_refsource_MLIST |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Jenkins project | Jenkins Pipeline: Groovy Plugin |
Affected:
unspecified , ≤ 2689.v434009a_31b_f1
(custom)
Unaffected: 2683.2687.vb_0cc3f973f06 Unaffected: 2.94.4 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T07:03:40.031Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-359"
},
{
"name": "[oss-security] 20220517 Multiple vulnerabilities in Jenkins plugins",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/05/17/8"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Jenkins Pipeline: Groovy Plugin",
"vendor": "Jenkins project",
"versions": [
{
"lessThanOrEqual": "2689.v434009a_31b_f1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "2683.2687.vb_0cc3f973f06"
},
{
"status": "unaffected",
"version": "2.94.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Jenkins Pipeline: Groovy Plugin 2689.v434009a_31b_f1 and earlier allows loading any Groovy source files on the classpath of Jenkins and Jenkins plugins in sandboxed pipelines."
}
],
"providerMetadata": {
"dateUpdated": "2023-10-24T14:21:39.109Z",
"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
"shortName": "jenkins"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-359"
},
{
"name": "[oss-security] 20220517 Multiple vulnerabilities in Jenkins plugins",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2022/05/17/8"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "jenkinsci-cert@googlegroups.com",
"ID": "CVE-2022-30945",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Jenkins Pipeline: Groovy Plugin",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "2689.v434009a_31b_f1"
},
{
"version_affected": "!",
"version_value": "2683.2687.vb_0cc3f973f06"
},
{
"version_affected": "!",
"version_value": "2.94.4"
}
]
}
}
]
},
"vendor_name": "Jenkins project"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Jenkins Pipeline: Groovy Plugin 2689.v434009a_31b_f1 and earlier allows loading any Groovy source files on the classpath of Jenkins and Jenkins plugins in sandboxed pipelines."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-693: Protection Mechanism Failure"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-359",
"refsource": "CONFIRM",
"url": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-359"
},
{
"name": "[oss-security] 20220517 Multiple vulnerabilities in Jenkins plugins",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2022/05/17/8"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
"assignerShortName": "jenkins",
"cveId": "CVE-2022-30945",
"datePublished": "2022-05-17T14:05:37.000Z",
"dateReserved": "2022-05-16T00:00:00.000Z",
"dateUpdated": "2024-08-03T07:03:40.031Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2022-30945",
"date": "2026-05-26",
"epss": "0.00445",
"percentile": "0.63563"
},
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:jenkins:pipeline\\\\:_groovy:*:*:*:*:*:jenkins:*:*\", \"versionEndExcluding\": \"2689.v434009a_31b_f1\", \"matchCriteriaId\": \"B2F9F190-63A9-4B22-B99E-BA93EC46ED7A\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"Jenkins Pipeline: Groovy Plugin 2689.v434009a_31b_f1 and earlier allows loading any Groovy source files on the classpath of Jenkins and Jenkins plugins in sandboxed pipelines.\"}, {\"lang\": \"es\", \"value\": \"Jenkins Pipeline: Groovy Plugin versiones 2689.v434009a_31b_f1 y anteriores, permite cargar cualquier archivo fuente Groovy en el classpath de Jenkins y de los plugins de Jenkins en pipelines de sandbox\"}]",
"id": "CVE-2022-30945",
"lastModified": "2024-11-21T07:03:36.430",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H\", \"baseScore\": 8.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 1.8, \"impactScore\": 6.0}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:N/C:P/I:P/A:P\", \"baseScore\": 6.8, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.6, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
"published": "2022-05-17T15:15:08.647",
"references": "[{\"url\": \"http://www.openwall.com/lists/oss-security/2022/05/17/8\", \"source\": \"jenkinsci-cert@googlegroups.com\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-359\", \"source\": \"jenkinsci-cert@googlegroups.com\", \"tags\": [\"Patch\", \"Vendor Advisory\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2022/05/17/8\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-359\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Vendor Advisory\"]}]",
"sourceIdentifier": "jenkinsci-cert@googlegroups.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"NVD-CWE-Other\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2022-30945\",\"sourceIdentifier\":\"jenkinsci-cert@googlegroups.com\",\"published\":\"2022-05-17T15:15:08.647\",\"lastModified\":\"2024-11-21T07:03:36.430\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Jenkins Pipeline: Groovy Plugin 2689.v434009a_31b_f1 and earlier allows loading any Groovy source files on the classpath of Jenkins and Jenkins plugins in sandboxed pipelines.\"},{\"lang\":\"es\",\"value\":\"Jenkins Pipeline: Groovy Plugin versiones 2689.v434009a_31b_f1 y anteriores, permite cargar cualquier archivo fuente Groovy en el classpath de Jenkins y de los plugins de Jenkins en pipelines de sandbox\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":8.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":6.0}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:P/I:P/A:P\",\"baseScore\":6.8,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-Other\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:jenkins:pipeline\\\\:_groovy:*:*:*:*:*:jenkins:*:*\",\"versionEndExcluding\":\"2689.v434009a_31b_f1\",\"matchCriteriaId\":\"B2F9F190-63A9-4B22-B99E-BA93EC46ED7A\"}]}]}],\"references\":[{\"url\":\"http://www.openwall.com/lists/oss-security/2022/05/17/8\",\"source\":\"jenkinsci-cert@googlegroups.com\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-359\",\"source\":\"jenkinsci-cert@googlegroups.com\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2022/05/17/8\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-359\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Vendor Advisory\"]}]}}"
}
}
CNVD-2022-49956
Vulnerability from cnvd - Published: 2022-07-07
VLAI
Title
Jenkins Pipeline安全特征问题漏洞
Description
Jenkins Pipeline是一套插件,支持将持续交付管道实施和集成到Jenkins中。
Jenkins Pipeline: Groovy Plugin存在安全特征问题漏洞,攻击者可利用该漏洞在沙盒管道中加载Jenkins和其插件的类路径上的任何Groovy源文件。
Severity
中
Patch Name
Jenkins Pipeline安全特征问题漏洞的补丁
Patch Description
Jenkins Pipeline是一套插件,支持将持续交付管道实施和集成到Jenkins中。
Jenkins Pipeline: Groovy Plugin存在安全特征问题漏洞,攻击者可利用该漏洞在沙盒管道中加载Jenkins和其插件的类路径上的任何Groovy源文件。目前,供应商发布了安全公告及相关补丁信息,修复了此漏洞。
Formal description
厂商已发布了漏洞修复程序,请及时关注更新: https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-359
Reference
https://nvd.nist.gov/vuln/detail/CVE-2022-30945
Impacted products
| Name | Jenkins Pipeline: Groovy Plugin <=2689.v434009a_31b_f1 |
|---|
{
"cves": {
"cve": {
"cveNumber": "CVE-2022-30945",
"cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2022-30945"
}
},
"description": "Jenkins Pipeline\u662f\u4e00\u5957\u63d2\u4ef6\uff0c\u652f\u6301\u5c06\u6301\u7eed\u4ea4\u4ed8\u7ba1\u9053\u5b9e\u65bd\u548c\u96c6\u6210\u5230Jenkins\u4e2d\u3002\n\nJenkins Pipeline: Groovy Plugin\u5b58\u5728\u5b89\u5168\u7279\u5f81\u95ee\u9898\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5728\u6c99\u76d2\u7ba1\u9053\u4e2d\u52a0\u8f7dJenkins\u548c\u5176\u63d2\u4ef6\u7684\u7c7b\u8def\u5f84\u4e0a\u7684\u4efb\u4f55Groovy\u6e90\u6587\u4ef6\u3002",
"formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-359",
"isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
"number": "CNVD-2022-49956",
"openTime": "2022-07-07",
"patchDescription": "Jenkins Pipeline\u662f\u4e00\u5957\u63d2\u4ef6\uff0c\u652f\u6301\u5c06\u6301\u7eed\u4ea4\u4ed8\u7ba1\u9053\u5b9e\u65bd\u548c\u96c6\u6210\u5230Jenkins\u4e2d\u3002\r\n\r\nJenkins Pipeline: Groovy Plugin\u5b58\u5728\u5b89\u5168\u7279\u5f81\u95ee\u9898\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5728\u6c99\u76d2\u7ba1\u9053\u4e2d\u52a0\u8f7dJenkins\u548c\u5176\u63d2\u4ef6\u7684\u7c7b\u8def\u5f84\u4e0a\u7684\u4efb\u4f55Groovy\u6e90\u6587\u4ef6\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
"patchName": "Jenkins Pipeline\u5b89\u5168\u7279\u5f81\u95ee\u9898\u6f0f\u6d1e\u7684\u8865\u4e01",
"products": {
"product": "Jenkins Pipeline: Groovy Plugin \u003c=2689.v434009a_31b_f1"
},
"referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2022-30945",
"serverity": "\u4e2d",
"submitTime": "2022-05-19",
"title": "Jenkins Pipeline\u5b89\u5168\u7279\u5f81\u95ee\u9898\u6f0f\u6d1e"
}
FKIE_CVE-2022-30945
Vulnerability from fkie_nvd - Published: 2022-05-17 15:15 - Updated: 2024-11-21 07:03
Severity
Summary
Jenkins Pipeline: Groovy Plugin 2689.v434009a_31b_f1 and earlier allows loading any Groovy source files on the classpath of Jenkins and Jenkins plugins in sandboxed pipelines.
References
| URL | Tags | ||
|---|---|---|---|
| jenkinsci-cert@googlegroups.com | http://www.openwall.com/lists/oss-security/2022/05/17/8 | Mailing List, Third Party Advisory | |
| jenkinsci-cert@googlegroups.com | https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-359 | Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2022/05/17/8 | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-359 | Patch, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:jenkins:pipeline\\:_groovy:*:*:*:*:*:jenkins:*:*",
"matchCriteriaId": "B2F9F190-63A9-4B22-B99E-BA93EC46ED7A",
"versionEndExcluding": "2689.v434009a_31b_f1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Jenkins Pipeline: Groovy Plugin 2689.v434009a_31b_f1 and earlier allows loading any Groovy source files on the classpath of Jenkins and Jenkins plugins in sandboxed pipelines."
},
{
"lang": "es",
"value": "Jenkins Pipeline: Groovy Plugin versiones 2689.v434009a_31b_f1 y anteriores, permite cargar cualquier archivo fuente Groovy en el classpath de Jenkins y de los plugins de Jenkins en pipelines de sandbox"
}
],
"id": "CVE-2022-30945",
"lastModified": "2024-11-21T07:03:36.430",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 6.0,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-05-17T15:15:08.647",
"references": [
{
"source": "jenkinsci-cert@googlegroups.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2022/05/17/8"
},
{
"source": "jenkinsci-cert@googlegroups.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-359"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2022/05/17/8"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-359"
}
],
"sourceIdentifier": "jenkinsci-cert@googlegroups.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
GHSA-2XVX-RW9P-XGFC
Vulnerability from github – Published: 2022-05-18 00:00 – Updated: 2022-12-02 21:10
VLAI
Summary
Sandbox bypass vulnerability through implicitly allowlisted platform Groovy files in Jenkins Pipeline: Groovy Plugin
Details
Pipeline: Groovy Plugin allows pipelines to load Groovy source files. This is intended to be used to allow Global Shared Libraries to execute without sandbox protection.
In Pipeline: Groovy Plugin 2689.v434009a_31b_f1 and earlier, any Groovy source files bundled with Jenkins core and plugins could be loaded this way and their methods executed. If a suitable Groovy source file is available on the classpath of Jenkins, sandbox protections can be bypassed.
The Jenkins security team has been unable to identify any Groovy source files in Jenkins core or plugins that would allow attackers to execute dangerous code. While the severity of this issue is declared as High due to the potential impact, successful exploitation is considered very unlikely.
Pipeline: Groovy Plugin 2692.v76b_089ccd026 restricts which Groovy source files can be loaded in Pipelines.
Groovy source files in public plugins intended to be executed in sandboxed pipelines have been identified and added to an allowlist. The new extension point org.jenkinsci.plugins.workflow.cps.GroovySourceFileAllowlist allows plugins to add specific Groovy source files to that allowlist if necessary, but creation of plugin-specific Pipeline DSLs is strongly discouraged.
Severity
7.5 (High)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2689.v434009a"
},
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins.workflow:workflow-cps"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2692.v76b"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-30945"
],
"database_specific": {
"cwe_ids": [
"CWE-434",
"CWE-552"
],
"github_reviewed": true,
"github_reviewed_at": "2022-12-02T21:10:55Z",
"nvd_published_at": "2022-05-17T15:15:00Z",
"severity": "HIGH"
},
"details": "Pipeline: Groovy Plugin allows pipelines to load Groovy source files. This is intended to be used to allow Global Shared Libraries to execute without sandbox protection.\n\nIn Pipeline: Groovy Plugin 2689.v434009a_31b_f1 and earlier, any Groovy source files bundled with Jenkins core and plugins could be loaded this way and their methods executed. If a suitable Groovy source file is available on the classpath of Jenkins, sandbox protections can be bypassed.\n\nThe Jenkins security team has been unable to identify any Groovy source files in Jenkins core or plugins that would allow attackers to execute dangerous code. While the severity of this issue is declared as High due to the potential impact, successful exploitation is considered very unlikely.\n\nPipeline: Groovy Plugin 2692.v76b_089ccd026 restricts which Groovy source files can be loaded in Pipelines.\n\nGroovy source files in public plugins intended to be executed in sandboxed pipelines have been identified and added to an allowlist. The new extension point `org.jenkinsci.plugins.workflow.cps.GroovySourceFileAllowlist` allows plugins to add specific Groovy source files to that allowlist if necessary, but creation of plugin-specific Pipeline DSLs is strongly discouraged.",
"id": "GHSA-2xvx-rw9p-xgfc",
"modified": "2022-12-02T21:10:55Z",
"published": "2022-05-18T00:00:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30945"
},
{
"type": "WEB",
"url": "https://github.com/jenkinsci/workflow-cps-plugin/commit/76a7681702f42d65f77bbaa5463f146876ea62db"
},
{
"type": "WEB",
"url": "https://github.com/jenkinsci/workflow-cps-plugin/commit/76b089ccd026b68012b0deb30c217395f7ca7dc2"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/workflow-cps-plugin"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-359"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2022/05/17/8"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Sandbox bypass vulnerability through implicitly allowlisted platform Groovy files in Jenkins Pipeline: Groovy Plugin"
}
GSD-2022-30945
Vulnerability from gsd - Updated: 2023-12-13 01:19Details
Jenkins Pipeline: Groovy Plugin 2689.v434009a_31b_f1 and earlier allows loading any Groovy source files on the classpath of Jenkins and Jenkins plugins in sandboxed pipelines.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2022-30945",
"description": "Jenkins Pipeline: Groovy Plugin 2689.v434009a_31b_f1 and earlier allows loading any Groovy source files on the classpath of Jenkins and Jenkins plugins in sandboxed pipelines.",
"id": "GSD-2022-30945",
"references": [
"https://access.redhat.com/errata/RHSA-2023:0017"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2022-30945"
],
"details": "Jenkins Pipeline: Groovy Plugin 2689.v434009a_31b_f1 and earlier allows loading any Groovy source files on the classpath of Jenkins and Jenkins plugins in sandboxed pipelines.",
"id": "GSD-2022-30945",
"modified": "2023-12-13T01:19:36.625249Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "jenkinsci-cert@googlegroups.com",
"ID": "CVE-2022-30945",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Jenkins Pipeline: Groovy Plugin",
"version": {
"version_data": [
{
"version_value": "not down converted",
"x_cve_json_5_version_data": {
"versions": [
{
"lessThanOrEqual": "2689.v434009a_31b_f1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "2683.2687.vb_0cc3f973f06"
},
{
"status": "unaffected",
"version": "2.94.4"
}
]
}
}
]
}
}
]
},
"vendor_name": "Jenkins project"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Jenkins Pipeline: Groovy Plugin 2689.v434009a_31b_f1 and earlier allows loading any Groovy source files on the classpath of Jenkins and Jenkins plugins in sandboxed pipelines."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-359",
"refsource": "MISC",
"url": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-359"
},
{
"name": "http://www.openwall.com/lists/oss-security/2022/05/17/8",
"refsource": "MISC",
"url": "http://www.openwall.com/lists/oss-security/2022/05/17/8"
}
]
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "(,2689.v434009a]",
"affected_versions": "All versions up to 2689.v434009a",
"cvss_v2": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"cvss_v3": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"cwe_ids": [
"CWE-1035",
"CWE-78",
"CWE-937"
],
"date": "2022-12-02",
"description": "Jenkins Pipeline: Groovy Plugin 2689.v434009a_31b_f1 and earlier allows loading any Groovy source files on the classpath of Jenkins and Jenkins plugins in sandboxed pipelines.",
"fixed_versions": [
"2692.v76b"
],
"identifier": "CVE-2022-30945",
"identifiers": [
"GHSA-2xvx-rw9p-xgfc",
"CVE-2022-30945"
],
"not_impacted": "All versions after 2689.v434009a",
"package_slug": "maven/org.jenkins-ci.plugins.workflow/workflow-cps",
"pubdate": "2022-05-18",
"solution": "Upgrade to version 2692.v76b or above.",
"title": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2022-30945",
"https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-359",
"http://www.openwall.com/lists/oss-security/2022/05/17/8",
"https://github.com/jenkinsci/workflow-cps-plugin/commit/76a7681702f42d65f77bbaa5463f146876ea62db",
"https://github.com/jenkinsci/workflow-cps-plugin/commit/76b089ccd026b68012b0deb30c217395f7ca7dc2",
"https://github.com/advisories/GHSA-2xvx-rw9p-xgfc"
],
"uuid": "5db7b499-31ee-401e-a07e-76181ca3c00e"
}
]
},
"nvd.nist.gov": {
"cve": {
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:jenkins:pipeline\\:_groovy:*:*:*:*:*:jenkins:*:*",
"matchCriteriaId": "B2F9F190-63A9-4B22-B99E-BA93EC46ED7A",
"versionEndExcluding": "2689.v434009a_31b_f1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Jenkins Pipeline: Groovy Plugin 2689.v434009a_31b_f1 and earlier allows loading any Groovy source files on the classpath of Jenkins and Jenkins plugins in sandboxed pipelines."
},
{
"lang": "es",
"value": "Jenkins Pipeline: Groovy Plugin versiones 2689.v434009a_31b_f1 y anteriores, permite cargar cualquier archivo fuente Groovy en el classpath de Jenkins y de los plugins de Jenkins en pipelines de sandbox"
}
],
"id": "CVE-2022-30945",
"lastModified": "2023-12-21T21:54:14.583",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 6.0,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-05-17T15:15:08.647",
"references": [
{
"source": "jenkinsci-cert@googlegroups.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2022/05/17/8"
},
{
"source": "jenkinsci-cert@googlegroups.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-359"
}
],
"sourceIdentifier": "jenkinsci-cert@googlegroups.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
}
}
}
RHSA-2023:0017
Vulnerability from csaf_redhat - Published: 2023-01-12 16:49 - Updated: 2026-03-21 04:22Summary
Red Hat Security Advisory: OpenShift Container Platform 4.8.56 packages and security update
Severity
Important
Notes
Topic: Red Hat OpenShift Container Platform release 4.8.56 is now available with
updates to packages and images that fix several bugs and add enhancements.
This release includes a security update for Red Hat OpenShift Container Platform 4.8.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
Details: Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.
This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.8.56. See the following advisory for the container images for this release:
https://access.redhat.com/errata/RHBA-2023:0018
Security Fix(es):
* Pipeline Shared Groovy Libraries: Untrusted users can modify some
Pipeline libraries in Pipeline Shared Groovy Libraries Plugin
(CVE-2022-29047)
* Jenkins plugin: Sandbox bypass vulnerability through implicitly
allowlisted platform Groovy files in Pipeline: Groovy Plugin
(CVE-2022-30945)
* Jenkins plugin: Mercurial SCM plugin can check out from the controller
file system (CVE-2022-30948)
* jenkins-plugin: Arbitrary file write vulnerability in Pipeline Input Step
Plugin (CVE-2022-34177)
* jenkins-plugin: Man-in-the-Middle (MitM) in
org.jenkins-ci.plugins:git-client (CVE-2022-36881)
* http2-server: Invalid HTTP/2 requests cause DoS (CVE-2022-2048)
* Jenkins plugin: CSRF vulnerability in Script Security Plugin
(CVE-2022-30946)
* Jenkins plugin: User-scoped credentials exposed to other users by
Pipeline SCM API for Blue Ocean Plugin (CVE-2022-30952)
* Jenkins plugin: CSRF vulnerability in Blue Ocean Plugin (CVE-2022-30953)
* Jenkins plugin: missing permission checks in Blue Ocean Plugin
(CVE-2022-30954)
* jenkins: Observable timing discrepancy allows determining username
validity (CVE-2022-34174)
* jenkins-plugin/junit: Stored XSS vulnerability in JUnit Plugin
(CVE-2022-34176)
* jenkins-plugin: Cross-site Request Forgery (CSRF) in
org.jenkins-ci.plugins:git (CVE-2022-36882)
* jenkins plugin: Lack of authentication mechanism in Git Plugin webhook
(CVE-2022-36883)
* jenkins plugin: Lack of authentication mechanism in Git Plugin webhook
(CVE-2022-36884)
* jenkins plugin: Non-constant time webhook signature comparison in GitHub
Plugin (CVE-2022-36885)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s)
listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in the Eclipse Jetty http2-server package. This flaw allows an attacker to cause a denial of service in the server via HTTP/2 requests.
7.5 (High)
Affected products
Fixed
2 products
Known not affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch | — | ||
| Unresolved product id: 8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src | — |
Threats
Impact
Moderate
A flaw was found in the Jenkins Pipeline: Shared Groovy Libraries plugin. The Jenkins Pipeline: Shared Groovy Libraries plugin allows attackers to submit pull requests. However, the attacker cannot commit directly to the configured Source Control Management (SCM) to effectively change the Pipeline behavior by changing the definition of a dynamically retrieved library in their pull request, even with the Pipeline configured not to trust them.
7.3 (High)
Affected products
Fixed
2 products
Known not affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch | — | ||
| Unresolved product id: 8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src | — |
Threats
Impact
Important
A flaw was found in Jenkins Groovy Plugin. The plugin allows pipelines to load Groovy source files. The intent is to allow Global Shared Libraries to execute without sandbox protection. The issue is that the plugin allows any Groovy source files bundled with Jenkins core and plugins to be loaded this way and their methods executed. If a suitable Groovy source file is available on the classpath of Jenkins, sandbox protections can be bypassed. No Groovy source files were found in Jenkins core or plugins that could result in attackers executing dangerous code; hence successful exploitation is considered highly unlikely.
8.5 (High)
Affected products
Fixed
2 products
Known not affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch | — | ||
| Unresolved product id: 8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src | — |
Threats
Impact
Important
A cross-site request forgery (CSRF) vulnerability in Jenkins Script Security Plugin 1158.v7c1b_73a_69a_08 and earlier allows attackers to have Jenkins send an HTTP request to an attacker-specified webserver.
4.3 (Medium)
Affected products
Fixed
2 products
Known not affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch | — | ||
| Unresolved product id: 8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src | — |
Threats
Impact
Moderate
A flaw was found in the Jenkins plugin. Affected versions of the Jenkins Mercurial Plugin allow attackers who can configure pipelines to check out some SCM repositories stored on the Jenkins controller's file system. This is accomplished by using local paths as SCM URLs, obtaining limited information about other projects' SCM contents.
7.5 (High)
Affected products
Fixed
2 products
Known not affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch | — | ||
| Unresolved product id: 8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src | — |
Threats
Impact
Important
Jenkins Pipeline SCM API for Blue Ocean Plugin 1.25.3 and earlier allows attackers with Job/Configure permission to access credentials with attacker-specified IDs stored in the private per-user credentials stores of any attacker-specified user in Jenkins.
6.5 (Medium)
Affected products
Fixed
2 products
Known not affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch | — | ||
| Unresolved product id: 8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src | — |
Threats
Impact
Moderate
A cross-site request forgery (CSRF) vulnerability in Jenkins Blue Ocean Plugin 1.25.3 and earlier allows attackers to connect to an attacker-specified HTTP server.
6.5 (Medium)
Affected products
Fixed
2 products
Known not affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch | — | ||
| Unresolved product id: 8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src | — |
Threats
Impact
Moderate
Jenkins Blue Ocean Plugin 1.25.3 and earlier does not perform a permission check in several HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified HTTP server.
6.5 (Medium)
Affected products
Fixed
2 products
Known not affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch | — | ||
| Unresolved product id: 8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src | — |
Threats
Impact
Moderate
In Jenkins 2.355 and earlier, LTS 2.332.3 and earlier, an observable timing discrepancy on the login form allows distinguishing between login attempts with an invalid username, and login attempts with a valid username and wrong password, when using the Jenkins user database security realm.
7.5 (High)
Affected products
Fixed
2 products
Known not affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch | — | ||
| Unresolved product id: 8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src | — |
Threats
Impact
Moderate
A flaw was found in the JUnit Jenkins plugin. The manipulation with an unknown input leads to a Cross-site scripting vulnerability, impacting the integrity. This flaw allows an attacker to inject arbitrary HTML and script code into the website.
5.4 (Medium)
Affected products
Fixed
2 products
Known not affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch | — | ||
| Unresolved product id: 8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src | — |
Threats
Impact
Moderate
A flaw was found in the Pipeline Input Step Plugin. This issue affects the code of the component Archive File Handler. The manipulation of the argument file with a malicious input leads to a directory traversal vulnerability.
7.5 (High)
Affected products
Fixed
2 products
Known not affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch | — | ||
| Unresolved product id: 8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src | — |
Threats
Impact
Important
A flaw was found in the Git-Client Jenkins plugin. The affected versions of the Jenkins Git client Plugin do not perform SSH host key verification when connecting to Git repositories via SSH, enabling Man-in-the-middle attacks.
8.1 (High)
Affected products
Fixed
2 products
Known not affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch | — | ||
| Unresolved product id: 8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src | — |
Threats
Impact
Important
A flaw was found in the Git Jenkins plugin. The affected versions of the Git Jenkins Plugin allow attackers to trigger the builds of jobs configured to use an attacker-specified Git repository and to cause them to check out an attacker-specified commit.
8.8 (High)
Affected products
Fixed
2 products
Known not affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch | — | ||
| Unresolved product id: 8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src | — |
Threats
Impact
Moderate
A missing permission check in Jenkins Git Plugin 4.11.3 and earlier allows unauthenticated attackers to trigger builds of jobs configured to use an attacker-specified Git repository and to cause them to check out an attacker-specified commit.
7.5 (High)
Affected products
Fixed
2 products
Known not affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch | — | ||
| Unresolved product id: 8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src | — |
Threats
Impact
Moderate
The webhook endpoint in Jenkins Git Plugin 4.11.3 and earlier provide unauthenticated attackers information about the existence of jobs configured to use an attacker-specified Git repository.
5.3 (Medium)
Affected products
Fixed
2 products
Known not affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch | — | ||
| Unresolved product id: 8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src | — |
Threats
Impact
Moderate
Jenkins GitHub Plugin 1.34.4 and earlier uses a non-constant time comparison function when checking whether the provided and computed webhook signatures are equal, allowing attackers to use statistical methods to obtain a valid webhook signature.
5.3 (Medium)
Affected products
Fixed
2 products
Known not affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch | — | ||
| Unresolved product id: 8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src | — |
Threats
Impact
Moderate
References
97 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Red Hat OpenShift Container Platform release 4.8.56 is now available with\nupdates to packages and images that fix several bugs and add enhancements.\n\nThis release includes a security update for Red Hat OpenShift Container Platform 4.8.\n\nRed Hat Product Security has rated this update as having a security impact\nof Important. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available for each vulnerability\nfrom the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat OpenShift Container Platform is Red Hat\u0027s cloud computing\nKubernetes application platform solution designed for on-premise or private\ncloud deployments.\n\nThis advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.8.56. See the following advisory for the container images for this release:\n\nhttps://access.redhat.com/errata/RHBA-2023:0018\n\nSecurity Fix(es):\n\n* Pipeline Shared Groovy Libraries: Untrusted users can modify some\nPipeline libraries in Pipeline Shared Groovy Libraries Plugin\n(CVE-2022-29047)\n* Jenkins plugin: Sandbox bypass vulnerability through implicitly\nallowlisted platform Groovy files in Pipeline: Groovy Plugin\n(CVE-2022-30945)\n* Jenkins plugin: Mercurial SCM plugin can check out from the controller\nfile system (CVE-2022-30948)\n* jenkins-plugin: Arbitrary file write vulnerability in Pipeline Input Step\nPlugin (CVE-2022-34177)\n* jenkins-plugin: Man-in-the-Middle (MitM) in\norg.jenkins-ci.plugins:git-client (CVE-2022-36881)\n* http2-server: Invalid HTTP/2 requests cause DoS (CVE-2022-2048)\n* Jenkins plugin: CSRF vulnerability in Script Security Plugin\n(CVE-2022-30946)\n* Jenkins plugin: User-scoped credentials exposed to other users by\nPipeline SCM API for Blue Ocean Plugin (CVE-2022-30952)\n* Jenkins plugin: CSRF vulnerability in Blue Ocean Plugin (CVE-2022-30953)\n* Jenkins plugin: missing permission checks in Blue Ocean Plugin\n(CVE-2022-30954)\n* jenkins: Observable timing discrepancy allows determining username\nvalidity (CVE-2022-34174)\n* jenkins-plugin/junit: Stored XSS vulnerability in JUnit Plugin\n(CVE-2022-34176)\n* jenkins-plugin: Cross-site Request Forgery (CSRF) in\norg.jenkins-ci.plugins:git (CVE-2022-36882)\n* jenkins plugin: Lack of authentication mechanism in Git Plugin webhook\n(CVE-2022-36883)\n* jenkins plugin: Lack of authentication mechanism in Git Plugin webhook\n(CVE-2022-36884)\n* jenkins plugin: Non-constant time webhook signature comparison in GitHub\nPlugin (CVE-2022-36885)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s)\nlisted in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2023:0017",
"url": "https://access.redhat.com/errata/RHSA-2023:0017"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2074855",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2074855"
},
{
"category": "external",
"summary": "2103548",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2103548"
},
{
"category": "external",
"summary": "2103551",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2103551"
},
{
"category": "external",
"summary": "2114755",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2114755"
},
{
"category": "external",
"summary": "2116840",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2116840"
},
{
"category": "external",
"summary": "2116952",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2116952"
},
{
"category": "external",
"summary": "2119642",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119642"
},
{
"category": "external",
"summary": "2119643",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119643"
},
{
"category": "external",
"summary": "2119644",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119644"
},
{
"category": "external",
"summary": "2119645",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119645"
},
{
"category": "external",
"summary": "2119646",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119646"
},
{
"category": "external",
"summary": "2119647",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119647"
},
{
"category": "external",
"summary": "2119653",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119653"
},
{
"category": "external",
"summary": "2119656",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119656"
},
{
"category": "external",
"summary": "2119657",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119657"
},
{
"category": "external",
"summary": "2119658",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119658"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_0017.json"
}
],
"title": "Red Hat Security Advisory: OpenShift Container Platform 4.8.56 packages and security update",
"tracking": {
"current_release_date": "2026-03-21T04:22:12+00:00",
"generator": {
"date": "2026-03-21T04:22:12+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.3"
}
},
"id": "RHSA-2023:0017",
"initial_release_date": "2023-01-12T16:49:54+00:00",
"revision_history": [
{
"date": "2023-01-12T16:49:54+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-01-12T16:49:54+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-03-21T04:22:12+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenShift Container Platform 4.8",
"product": {
"name": "Red Hat OpenShift Container Platform 4.8",
"product_id": "8Base-RHOSE-4.8",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift:4.8::el8"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift Enterprise"
},
{
"branches": [
{
"category": "product_version",
"name": "jenkins-0:2.361.1.1672840472-1.el8.src",
"product": {
"name": "jenkins-0:2.361.1.1672840472-1.el8.src",
"product_id": "jenkins-0:2.361.1.1672840472-1.el8.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jenkins@2.361.1.1672840472-1.el8?arch=src"
}
}
},
{
"category": "product_version",
"name": "jenkins-2-plugins-0:4.8.1672842762-1.el8.src",
"product": {
"name": "jenkins-2-plugins-0:4.8.1672842762-1.el8.src",
"product_id": "jenkins-2-plugins-0:4.8.1672842762-1.el8.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jenkins-2-plugins@4.8.1672842762-1.el8?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "jenkins-0:2.361.1.1672840472-1.el8.noarch",
"product": {
"name": "jenkins-0:2.361.1.1672840472-1.el8.noarch",
"product_id": "jenkins-0:2.361.1.1672840472-1.el8.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jenkins@2.361.1.1672840472-1.el8?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"product": {
"name": "jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"product_id": "jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jenkins-2-plugins@4.8.1672842762-1.el8?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "jenkins-0:2.361.1.1672840472-1.el8.noarch as a component of Red Hat OpenShift Container Platform 4.8",
"product_id": "8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch"
},
"product_reference": "jenkins-0:2.361.1.1672840472-1.el8.noarch",
"relates_to_product_reference": "8Base-RHOSE-4.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jenkins-0:2.361.1.1672840472-1.el8.src as a component of Red Hat OpenShift Container Platform 4.8",
"product_id": "8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src"
},
"product_reference": "jenkins-0:2.361.1.1672840472-1.el8.src",
"relates_to_product_reference": "8Base-RHOSE-4.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch as a component of Red Hat OpenShift Container Platform 4.8",
"product_id": "8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch"
},
"product_reference": "jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"relates_to_product_reference": "8Base-RHOSE-4.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jenkins-2-plugins-0:4.8.1672842762-1.el8.src as a component of Red Hat OpenShift Container Platform 4.8",
"product_id": "8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
},
"product_reference": "jenkins-2-plugins-0:4.8.1672842762-1.el8.src",
"relates_to_product_reference": "8Base-RHOSE-4.8"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-2048",
"cwe": {
"id": "CWE-410",
"name": "Insufficient Resource Pool"
},
"discovery_date": "2022-08-09T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2116952"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Eclipse Jetty http2-server package. This flaw allows an attacker to cause a denial of service in the server via HTTP/2 requests.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "http2-server: Invalid HTTP/2 requests cause DoS",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src"
],
"known_not_affected": [
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-2048"
},
{
"category": "external",
"summary": "RHBZ#2116952",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2116952"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-2048",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-2048"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-2048",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2048"
},
{
"category": "external",
"summary": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-wgmr-mf83-7x4j",
"url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-wgmr-mf83-7x4j"
}
],
"release_date": "2022-07-07T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-12T16:49:54+00:00",
"details": "For OpenShift Container Platform 4.8 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html",
"product_ids": [
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0017"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "http2-server: Invalid HTTP/2 requests cause DoS"
},
{
"cve": "CVE-2022-29047",
"cwe": {
"id": "CWE-288",
"name": "Authentication Bypass Using an Alternate Path or Channel"
},
"discovery_date": "2022-04-13T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2074855"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Jenkins Pipeline: Shared Groovy Libraries plugin. The Jenkins Pipeline: Shared Groovy Libraries plugin allows attackers to submit pull requests. However, the attacker cannot commit directly to the configured Source Control Management (SCM) to effectively change the Pipeline behavior by changing the definition of a dynamically retrieved library in their pull request, even with the Pipeline configured not to trust them.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Libraries: Untrusted users can modify some Pipeline libraries in Pipeline Shared Groovy Libraries Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
],
"known_not_affected": [
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-29047"
},
{
"category": "external",
"summary": "RHBZ#2074855",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2074855"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-29047",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-29047"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-29047",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29047"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-04-12/#SECURITY-1951",
"url": "https://www.jenkins.io/security/advisory/2022-04-12/#SECURITY-1951"
}
],
"release_date": "2022-04-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-12T16:49:54+00:00",
"details": "For OpenShift Container Platform 4.8 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html",
"product_ids": [
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0017"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "Libraries: Untrusted users can modify some Pipeline libraries in Pipeline Shared Groovy Libraries Plugin"
},
{
"cve": "CVE-2022-30945",
"cwe": {
"id": "CWE-94",
"name": "Improper Control of Generation of Code (\u0027Code Injection\u0027)"
},
"discovery_date": "2022-08-19T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2119642"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jenkins Groovy Plugin. The plugin allows pipelines to load Groovy source files. The intent is to allow Global Shared Libraries to execute without sandbox protection. The issue is that the plugin allows any Groovy source files bundled with Jenkins core and plugins to be loaded this way and their methods executed. If a suitable Groovy source file is available on the classpath of Jenkins, sandbox protections can be bypassed. No Groovy source files were found in Jenkins core or plugins that could result in attackers executing dangerous code; hence successful exploitation is considered highly unlikely.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "plugin: Sandbox bypass vulnerability through implicitly allowlisted platform Groovy files in Pipeline: Groovy Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
],
"known_not_affected": [
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-30945"
},
{
"category": "external",
"summary": "RHBZ#2119642",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119642"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-30945",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30945"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-30945",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30945"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-359",
"url": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-359"
}
],
"release_date": "2022-05-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-12T16:49:54+00:00",
"details": "For OpenShift Container Platform 4.8 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html",
"product_ids": [
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0017"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "plugin: Sandbox bypass vulnerability through implicitly allowlisted platform Groovy files in Pipeline: Groovy Plugin"
},
{
"cve": "CVE-2022-30946",
"cwe": {
"id": "CWE-352",
"name": "Cross-Site Request Forgery (CSRF)"
},
"discovery_date": "2022-08-19T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2119643"
}
],
"notes": [
{
"category": "description",
"text": "A cross-site request forgery (CSRF) vulnerability in Jenkins Script Security Plugin 1158.v7c1b_73a_69a_08 and earlier allows attackers to have Jenkins send an HTTP request to an attacker-specified webserver.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "plugin: CSRF vulnerability in Script Security Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
],
"known_not_affected": [
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-30946"
},
{
"category": "external",
"summary": "RHBZ#2119643",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119643"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-30946",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30946"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-30946",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30946"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2116",
"url": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2116"
}
],
"release_date": "2022-05-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-12T16:49:54+00:00",
"details": "For OpenShift Container Platform 4.8 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html",
"product_ids": [
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0017"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "plugin: CSRF vulnerability in Script Security Plugin"
},
{
"cve": "CVE-2022-30948",
"cwe": {
"id": "CWE-435",
"name": "Improper Interaction Between Multiple Correctly-Behaving Entities"
},
"discovery_date": "2022-08-19T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2119644"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Jenkins plugin. Affected versions of the Jenkins Mercurial Plugin allow attackers who can configure pipelines to check out some SCM repositories stored on the Jenkins controller\u0027s file system. This is accomplished by using local paths as SCM URLs, obtaining limited information about other projects\u0027 SCM contents.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "plugin: Mercurial SCM plugin can check out from the controller file system",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
],
"known_not_affected": [
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-30948"
},
{
"category": "external",
"summary": "RHBZ#2119644",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119644"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-30948",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30948"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-30948",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30948"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2478",
"url": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2478"
}
],
"release_date": "2022-05-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-12T16:49:54+00:00",
"details": "For OpenShift Container Platform 4.8 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html",
"product_ids": [
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0017"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "plugin: Mercurial SCM plugin can check out from the controller file system"
},
{
"cve": "CVE-2022-30952",
"cwe": {
"id": "CWE-1220",
"name": "Insufficient Granularity of Access Control"
},
"discovery_date": "2022-08-19T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2119645"
}
],
"notes": [
{
"category": "description",
"text": "Jenkins Pipeline SCM API for Blue Ocean Plugin 1.25.3 and earlier allows attackers with Job/Configure permission to access credentials with attacker-specified IDs stored in the private per-user credentials stores of any attacker-specified user in Jenkins.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "plugin: User-scoped credentials exposed to other users by Pipeline SCM API for Blue Ocean Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
],
"known_not_affected": [
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-30952"
},
{
"category": "external",
"summary": "RHBZ#2119645",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119645"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-30952",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30952"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-30952",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30952"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-714",
"url": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-714"
}
],
"release_date": "2022-05-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-12T16:49:54+00:00",
"details": "For OpenShift Container Platform 4.8 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html",
"product_ids": [
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0017"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "plugin: User-scoped credentials exposed to other users by Pipeline SCM API for Blue Ocean Plugin"
},
{
"cve": "CVE-2022-30953",
"cwe": {
"id": "CWE-352",
"name": "Cross-Site Request Forgery (CSRF)"
},
"discovery_date": "2022-08-19T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2119646"
}
],
"notes": [
{
"category": "description",
"text": "A cross-site request forgery (CSRF) vulnerability in Jenkins Blue Ocean Plugin 1.25.3 and earlier allows attackers to connect to an attacker-specified HTTP server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "plugin: CSRF vulnerability in Blue Ocean Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
],
"known_not_affected": [
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-30953"
},
{
"category": "external",
"summary": "RHBZ#2119646",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119646"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-30953",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30953"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-30953",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30953"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2502",
"url": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2502"
}
],
"release_date": "2022-05-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-12T16:49:54+00:00",
"details": "For OpenShift Container Platform 4.8 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html",
"product_ids": [
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0017"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "plugin: CSRF vulnerability in Blue Ocean Plugin"
},
{
"cve": "CVE-2022-30954",
"cwe": {
"id": "CWE-862",
"name": "Missing Authorization"
},
"discovery_date": "2022-08-19T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2119647"
}
],
"notes": [
{
"category": "description",
"text": "Jenkins Blue Ocean Plugin 1.25.3 and earlier does not perform a permission check in several HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified HTTP server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "plugin: missing permission checks in Blue Ocean Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
],
"known_not_affected": [
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-30954"
},
{
"category": "external",
"summary": "RHBZ#2119647",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119647"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-30954",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30954"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-30954",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30954"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2502",
"url": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2502"
}
],
"release_date": "2022-05-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-12T16:49:54+00:00",
"details": "For OpenShift Container Platform 4.8 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html",
"product_ids": [
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0017"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "plugin: missing permission checks in Blue Ocean Plugin"
},
{
"cve": "CVE-2022-34174",
"cwe": {
"id": "CWE-208",
"name": "Observable Timing Discrepancy"
},
"discovery_date": "2022-08-19T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2119653"
}
],
"notes": [
{
"category": "description",
"text": "In Jenkins 2.355 and earlier, LTS 2.332.3 and earlier, an observable timing discrepancy on the login form allows distinguishing between login attempts with an invalid username, and login attempts with a valid username and wrong password, when using the Jenkins user database security realm.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins: Observable timing discrepancy allows determining username validity",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src"
],
"known_not_affected": [
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-34174"
},
{
"category": "external",
"summary": "RHBZ#2119653",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119653"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-34174",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-34174"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-34174",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34174"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-06-22/#SECURITY-2566",
"url": "https://www.jenkins.io/security/advisory/2022-06-22/#SECURITY-2566"
}
],
"release_date": "2022-06-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-12T16:49:54+00:00",
"details": "For OpenShift Container Platform 4.8 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html",
"product_ids": [
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0017"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jenkins: Observable timing discrepancy allows determining username validity"
},
{
"cve": "CVE-2022-34176",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2022-07-04T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2103548"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the JUnit Jenkins plugin. The manipulation with an unknown input leads to a Cross-site scripting vulnerability, impacting the integrity. This flaw allows an attacker to inject arbitrary HTML and script code into the website.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin/junit: Stored XSS vulnerability in JUnit Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
],
"known_not_affected": [
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-34176"
},
{
"category": "external",
"summary": "RHBZ#2103548",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2103548"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-34176",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-34176"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-34176",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34176"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-06-22/#SECURITY-2760",
"url": "https://www.jenkins.io/security/advisory/2022-06-22/#SECURITY-2760"
}
],
"release_date": "2022-06-23T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-12T16:49:54+00:00",
"details": "For OpenShift Container Platform 4.8 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html",
"product_ids": [
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0017"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jenkins-plugin/junit: Stored XSS vulnerability in JUnit Plugin"
},
{
"cve": "CVE-2022-34177",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2022-07-04T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2103551"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Pipeline Input Step Plugin. This issue affects the code of the component Archive File Handler. The manipulation of the argument file with a malicious input leads to a directory traversal vulnerability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin: Arbitrary file write vulnerability in Pipeline Input Step Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
],
"known_not_affected": [
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-34177"
},
{
"category": "external",
"summary": "RHBZ#2103551",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2103551"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-34177",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-34177"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-34177",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34177"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-06-22/#SECURITY-2705",
"url": "https://www.jenkins.io/security/advisory/2022-06-22/#SECURITY-2705"
}
],
"release_date": "2022-06-23T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-12T16:49:54+00:00",
"details": "For OpenShift Container Platform 4.8 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html",
"product_ids": [
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0017"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jenkins-plugin: Arbitrary file write vulnerability in Pipeline Input Step Plugin"
},
{
"cve": "CVE-2022-36881",
"cwe": {
"id": "CWE-322",
"name": "Key Exchange without Entity Authentication"
},
"discovery_date": "2022-08-03T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2114755"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Git-Client Jenkins plugin. The affected versions of the Jenkins Git client Plugin do not perform SSH host key verification when connecting to Git repositories via SSH, enabling Man-in-the-middle attacks.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin: Man-in-the-Middle (MitM) in org.jenkins-ci.plugins:git-client",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
],
"known_not_affected": [
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-36881"
},
{
"category": "external",
"summary": "RHBZ#2114755",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2114755"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-36881",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-36881"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-36881",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36881"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-cm7j-p8hc-97vj",
"url": "https://github.com/advisories/GHSA-cm7j-p8hc-97vj"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-1468",
"url": "https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-1468"
}
],
"release_date": "2022-08-03T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-12T16:49:54+00:00",
"details": "For OpenShift Container Platform 4.8 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html",
"product_ids": [
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0017"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jenkins-plugin: Man-in-the-Middle (MitM) in org.jenkins-ci.plugins:git-client"
},
{
"cve": "CVE-2022-36882",
"cwe": {
"id": "CWE-352",
"name": "Cross-Site Request Forgery (CSRF)"
},
"discovery_date": "2022-08-09T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2116840"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Git Jenkins plugin. The affected versions of the Git Jenkins Plugin allow attackers to trigger the builds of jobs configured to use an attacker-specified Git repository and to cause them to check out an attacker-specified commit.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin: Cross-site Request Forgery (CSRF) in org.jenkins-ci.plugins:git",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
],
"known_not_affected": [
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-36882"
},
{
"category": "external",
"summary": "RHBZ#2116840",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2116840"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-36882",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-36882"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-36882",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36882"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284",
"url": "https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284"
}
],
"release_date": "2022-08-03T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-12T16:49:54+00:00",
"details": "For OpenShift Container Platform 4.8 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html",
"product_ids": [
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0017"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jenkins-plugin: Cross-site Request Forgery (CSRF) in org.jenkins-ci.plugins:git"
},
{
"cve": "CVE-2022-36883",
"cwe": {
"id": "CWE-862",
"name": "Missing Authorization"
},
"discovery_date": "2022-08-19T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2119656"
}
],
"notes": [
{
"category": "description",
"text": "A missing permission check in Jenkins Git Plugin 4.11.3 and earlier allows unauthenticated attackers to trigger builds of jobs configured to use an attacker-specified Git repository and to cause them to check out an attacker-specified commit.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "plugin: Lack of authentication mechanism in Git Plugin webhook",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
],
"known_not_affected": [
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-36883"
},
{
"category": "external",
"summary": "RHBZ#2119656",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119656"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-36883",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-36883"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-36883",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36883"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284",
"url": "https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284"
}
],
"release_date": "2022-07-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-12T16:49:54+00:00",
"details": "For OpenShift Container Platform 4.8 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html",
"product_ids": [
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0017"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "plugin: Lack of authentication mechanism in Git Plugin webhook"
},
{
"cve": "CVE-2022-36884",
"cwe": {
"id": "CWE-200",
"name": "Exposure of Sensitive Information to an Unauthorized Actor"
},
"discovery_date": "2022-08-19T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2119657"
}
],
"notes": [
{
"category": "description",
"text": "The webhook endpoint in Jenkins Git Plugin 4.11.3 and earlier provide unauthenticated attackers information about the existence of jobs configured to use an attacker-specified Git repository.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "plugin: Lack of authentication mechanism in Git Plugin webhook",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
],
"known_not_affected": [
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-36884"
},
{
"category": "external",
"summary": "RHBZ#2119657",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119657"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-36884",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-36884"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-36884",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36884"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284",
"url": "https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284"
}
],
"release_date": "2022-07-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-12T16:49:54+00:00",
"details": "For OpenShift Container Platform 4.8 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html",
"product_ids": [
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0017"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "plugin: Lack of authentication mechanism in Git Plugin webhook"
},
{
"cve": "CVE-2022-36885",
"cwe": {
"id": "CWE-208",
"name": "Observable Timing Discrepancy"
},
"discovery_date": "2022-08-19T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2119658"
}
],
"notes": [
{
"category": "description",
"text": "Jenkins GitHub Plugin 1.34.4 and earlier uses a non-constant time comparison function when checking whether the provided and computed webhook signatures are equal, allowing attackers to use statistical methods to obtain a valid webhook signature.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "plugin: Non-constant time webhook signature comparison in GitHub Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
],
"known_not_affected": [
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-36885"
},
{
"category": "external",
"summary": "RHBZ#2119658",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119658"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-36885",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-36885"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-36885",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36885"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-1849",
"url": "https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-1849"
}
],
"release_date": "2022-07-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-12T16:49:54+00:00",
"details": "For OpenShift Container Platform 4.8 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html",
"product_ids": [
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0017"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "plugin: Non-constant time webhook signature comparison in GitHub Plugin"
}
]
}
RHSA-2023_0017
Vulnerability from csaf_redhat - Published: 2023-01-12 16:49 - Updated: 2024-11-22 21:22Summary
Red Hat Security Advisory: OpenShift Container Platform 4.8.56 packages and security update
Severity
Important
Notes
Topic: Red Hat OpenShift Container Platform release 4.8.56 is now available with
updates to packages and images that fix several bugs and add enhancements.
This release includes a security update for Red Hat OpenShift Container Platform 4.8.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
Details: Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.
This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.8.56. See the following advisory for the container images for this release:
https://access.redhat.com/errata/RHBA-2023:0018
Security Fix(es):
* Pipeline Shared Groovy Libraries: Untrusted users can modify some
Pipeline libraries in Pipeline Shared Groovy Libraries Plugin
(CVE-2022-29047)
* Jenkins plugin: Sandbox bypass vulnerability through implicitly
allowlisted platform Groovy files in Pipeline: Groovy Plugin
(CVE-2022-30945)
* Jenkins plugin: Mercurial SCM plugin can check out from the controller
file system (CVE-2022-30948)
* jenkins-plugin: Arbitrary file write vulnerability in Pipeline Input Step
Plugin (CVE-2022-34177)
* jenkins-plugin: Man-in-the-Middle (MitM) in
org.jenkins-ci.plugins:git-client (CVE-2022-36881)
* http2-server: Invalid HTTP/2 requests cause DoS (CVE-2022-2048)
* Jenkins plugin: CSRF vulnerability in Script Security Plugin
(CVE-2022-30946)
* Jenkins plugin: User-scoped credentials exposed to other users by
Pipeline SCM API for Blue Ocean Plugin (CVE-2022-30952)
* Jenkins plugin: CSRF vulnerability in Blue Ocean Plugin (CVE-2022-30953)
* Jenkins plugin: missing permission checks in Blue Ocean Plugin
(CVE-2022-30954)
* jenkins: Observable timing discrepancy allows determining username
validity (CVE-2022-34174)
* jenkins-plugin/junit: Stored XSS vulnerability in JUnit Plugin
(CVE-2022-34176)
* jenkins-plugin: Cross-site Request Forgery (CSRF) in
org.jenkins-ci.plugins:git (CVE-2022-36882)
* jenkins plugin: Lack of authentication mechanism in Git Plugin webhook
(CVE-2022-36883)
* jenkins plugin: Lack of authentication mechanism in Git Plugin webhook
(CVE-2022-36884)
* jenkins plugin: Non-constant time webhook signature comparison in GitHub
Plugin (CVE-2022-36885)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s)
listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in the Eclipse Jetty http2-server package. This flaw allows an attacker to cause a denial of service in the server via HTTP/2 requests.
7.5 (High)
Affected products
Fixed
2 products
Known not affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch | — | ||
| Unresolved product id: 8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src | — |
Threats
Impact
Moderate
A flaw was found in the Jenkins Pipeline: Shared Groovy Libraries plugin. The Jenkins Pipeline: Shared Groovy Libraries plugin allows attackers to submit pull requests. However, the attacker cannot commit directly to the configured Source Control Management (SCM) to effectively change the Pipeline behavior by changing the definition of a dynamically retrieved library in their pull request, even with the Pipeline configured not to trust them.
7.3 (High)
Affected products
Fixed
2 products
Known not affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch | — | ||
| Unresolved product id: 8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src | — |
Threats
Impact
Important
A flaw was found in Jenkins Groovy Plugin. The plugin allows pipelines to load Groovy source files. The intent is to allow Global Shared Libraries to execute without sandbox protection. The issue is that the plugin allows any Groovy source files bundled with Jenkins core and plugins to be loaded this way and their methods executed. If a suitable Groovy source file is available on the classpath of Jenkins, sandbox protections can be bypassed. No Groovy source files were found in Jenkins core or plugins that could result in attackers executing dangerous code; hence successful exploitation is considered highly unlikely.
8.5 (High)
Affected products
Fixed
2 products
Known not affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch | — | ||
| Unresolved product id: 8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src | — |
Threats
Impact
Important
A cross-site request forgery (CSRF) vulnerability in Jenkins Script Security Plugin 1158.v7c1b_73a_69a_08 and earlier allows attackers to have Jenkins send an HTTP request to an attacker-specified webserver.
4.3 (Medium)
Affected products
Fixed
2 products
Known not affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch | — | ||
| Unresolved product id: 8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src | — |
Threats
Impact
Moderate
A flaw was found in the Jenkins plugin. Affected versions of the Jenkins Mercurial Plugin allow attackers who can configure pipelines to check out some SCM repositories stored on the Jenkins controller's file system. This is accomplished by using local paths as SCM URLs, obtaining limited information about other projects' SCM contents.
7.5 (High)
Affected products
Fixed
2 products
Known not affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch | — | ||
| Unresolved product id: 8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src | — |
Threats
Impact
Important
Jenkins Pipeline SCM API for Blue Ocean Plugin 1.25.3 and earlier allows attackers with Job/Configure permission to access credentials with attacker-specified IDs stored in the private per-user credentials stores of any attacker-specified user in Jenkins.
6.5 (Medium)
Affected products
Fixed
2 products
Known not affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch | — | ||
| Unresolved product id: 8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src | — |
Threats
Impact
Moderate
A cross-site request forgery (CSRF) vulnerability in Jenkins Blue Ocean Plugin 1.25.3 and earlier allows attackers to connect to an attacker-specified HTTP server.
6.5 (Medium)
Affected products
Fixed
2 products
Known not affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch | — | ||
| Unresolved product id: 8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src | — |
Threats
Impact
Moderate
Jenkins Blue Ocean Plugin 1.25.3 and earlier does not perform a permission check in several HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified HTTP server.
6.5 (Medium)
Affected products
Fixed
2 products
Known not affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch | — | ||
| Unresolved product id: 8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src | — |
Threats
Impact
Moderate
In Jenkins 2.355 and earlier, LTS 2.332.3 and earlier, an observable timing discrepancy on the login form allows distinguishing between login attempts with an invalid username, and login attempts with a valid username and wrong password, when using the Jenkins user database security realm.
7.5 (High)
Affected products
Fixed
2 products
Known not affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch | — | ||
| Unresolved product id: 8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src | — |
Threats
Impact
Moderate
A flaw was found in the JUnit Jenkins plugin. The manipulation with an unknown input leads to a Cross-site scripting vulnerability, impacting the integrity. This flaw allows an attacker to inject arbitrary HTML and script code into the website.
5.4 (Medium)
Affected products
Fixed
2 products
Known not affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch | — | ||
| Unresolved product id: 8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src | — |
Threats
Impact
Moderate
A flaw was found in the Pipeline Input Step Plugin. This issue affects the code of the component Archive File Handler. The manipulation of the argument file with a malicious input leads to a directory traversal vulnerability.
7.5 (High)
Affected products
Fixed
2 products
Known not affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch | — | ||
| Unresolved product id: 8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src | — |
Threats
Impact
Important
A flaw was found in the Git-Client Jenkins plugin. The affected versions of the Jenkins Git client Plugin do not perform SSH host key verification when connecting to Git repositories via SSH, enabling Man-in-the-middle attacks.
8.1 (High)
Affected products
Fixed
2 products
Known not affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch | — | ||
| Unresolved product id: 8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src | — |
Threats
Impact
Important
A flaw was found in the Git Jenkins plugin. The affected versions of the Git Jenkins Plugin allow attackers to trigger the builds of jobs configured to use an attacker-specified Git repository and to cause them to check out an attacker-specified commit.
8.8 (High)
Affected products
Fixed
2 products
Known not affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch | — | ||
| Unresolved product id: 8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src | — |
Threats
Impact
Moderate
A missing permission check in Jenkins Git Plugin 4.11.3 and earlier allows unauthenticated attackers to trigger builds of jobs configured to use an attacker-specified Git repository and to cause them to check out an attacker-specified commit.
7.5 (High)
Affected products
Fixed
2 products
Known not affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch | — | ||
| Unresolved product id: 8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src | — |
Threats
Impact
Moderate
The webhook endpoint in Jenkins Git Plugin 4.11.3 and earlier provide unauthenticated attackers information about the existence of jobs configured to use an attacker-specified Git repository.
5.3 (Medium)
Affected products
Fixed
2 products
Known not affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch | — | ||
| Unresolved product id: 8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src | — |
Threats
Impact
Moderate
Jenkins GitHub Plugin 1.34.4 and earlier uses a non-constant time comparison function when checking whether the provided and computed webhook signatures are equal, allowing attackers to use statistical methods to obtain a valid webhook signature.
5.3 (Medium)
Affected products
Fixed
2 products
Known not affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch | — | ||
| Unresolved product id: 8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src | — |
Threats
Impact
Moderate
References
97 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Red Hat OpenShift Container Platform release 4.8.56 is now available with\nupdates to packages and images that fix several bugs and add enhancements.\n\nThis release includes a security update for Red Hat OpenShift Container Platform 4.8.\n\nRed Hat Product Security has rated this update as having a security impact\nof Important. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available for each vulnerability\nfrom the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat OpenShift Container Platform is Red Hat\u0027s cloud computing\nKubernetes application platform solution designed for on-premise or private\ncloud deployments.\n\nThis advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.8.56. See the following advisory for the container images for this release:\n\nhttps://access.redhat.com/errata/RHBA-2023:0018\n\nSecurity Fix(es):\n\n* Pipeline Shared Groovy Libraries: Untrusted users can modify some\nPipeline libraries in Pipeline Shared Groovy Libraries Plugin\n(CVE-2022-29047)\n* Jenkins plugin: Sandbox bypass vulnerability through implicitly\nallowlisted platform Groovy files in Pipeline: Groovy Plugin\n(CVE-2022-30945)\n* Jenkins plugin: Mercurial SCM plugin can check out from the controller\nfile system (CVE-2022-30948)\n* jenkins-plugin: Arbitrary file write vulnerability in Pipeline Input Step\nPlugin (CVE-2022-34177)\n* jenkins-plugin: Man-in-the-Middle (MitM) in\norg.jenkins-ci.plugins:git-client (CVE-2022-36881)\n* http2-server: Invalid HTTP/2 requests cause DoS (CVE-2022-2048)\n* Jenkins plugin: CSRF vulnerability in Script Security Plugin\n(CVE-2022-30946)\n* Jenkins plugin: User-scoped credentials exposed to other users by\nPipeline SCM API for Blue Ocean Plugin (CVE-2022-30952)\n* Jenkins plugin: CSRF vulnerability in Blue Ocean Plugin (CVE-2022-30953)\n* Jenkins plugin: missing permission checks in Blue Ocean Plugin\n(CVE-2022-30954)\n* jenkins: Observable timing discrepancy allows determining username\nvalidity (CVE-2022-34174)\n* jenkins-plugin/junit: Stored XSS vulnerability in JUnit Plugin\n(CVE-2022-34176)\n* jenkins-plugin: Cross-site Request Forgery (CSRF) in\norg.jenkins-ci.plugins:git (CVE-2022-36882)\n* jenkins plugin: Lack of authentication mechanism in Git Plugin webhook\n(CVE-2022-36883)\n* jenkins plugin: Lack of authentication mechanism in Git Plugin webhook\n(CVE-2022-36884)\n* jenkins plugin: Non-constant time webhook signature comparison in GitHub\nPlugin (CVE-2022-36885)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s)\nlisted in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2023:0017",
"url": "https://access.redhat.com/errata/RHSA-2023:0017"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2074855",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2074855"
},
{
"category": "external",
"summary": "2103548",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2103548"
},
{
"category": "external",
"summary": "2103551",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2103551"
},
{
"category": "external",
"summary": "2114755",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2114755"
},
{
"category": "external",
"summary": "2116840",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2116840"
},
{
"category": "external",
"summary": "2116952",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2116952"
},
{
"category": "external",
"summary": "2119642",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119642"
},
{
"category": "external",
"summary": "2119643",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119643"
},
{
"category": "external",
"summary": "2119644",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119644"
},
{
"category": "external",
"summary": "2119645",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119645"
},
{
"category": "external",
"summary": "2119646",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119646"
},
{
"category": "external",
"summary": "2119647",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119647"
},
{
"category": "external",
"summary": "2119653",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119653"
},
{
"category": "external",
"summary": "2119656",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119656"
},
{
"category": "external",
"summary": "2119657",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119657"
},
{
"category": "external",
"summary": "2119658",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119658"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_0017.json"
}
],
"title": "Red Hat Security Advisory: OpenShift Container Platform 4.8.56 packages and security update",
"tracking": {
"current_release_date": "2024-11-22T21:22:11+00:00",
"generator": {
"date": "2024-11-22T21:22:11+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2023:0017",
"initial_release_date": "2023-01-12T16:49:54+00:00",
"revision_history": [
{
"date": "2023-01-12T16:49:54+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-01-12T16:49:54+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T21:22:11+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenShift Container Platform 4.8",
"product": {
"name": "Red Hat OpenShift Container Platform 4.8",
"product_id": "8Base-RHOSE-4.8",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift:4.8::el8"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift Enterprise"
},
{
"branches": [
{
"category": "product_version",
"name": "jenkins-0:2.361.1.1672840472-1.el8.src",
"product": {
"name": "jenkins-0:2.361.1.1672840472-1.el8.src",
"product_id": "jenkins-0:2.361.1.1672840472-1.el8.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jenkins@2.361.1.1672840472-1.el8?arch=src"
}
}
},
{
"category": "product_version",
"name": "jenkins-2-plugins-0:4.8.1672842762-1.el8.src",
"product": {
"name": "jenkins-2-plugins-0:4.8.1672842762-1.el8.src",
"product_id": "jenkins-2-plugins-0:4.8.1672842762-1.el8.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jenkins-2-plugins@4.8.1672842762-1.el8?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "jenkins-0:2.361.1.1672840472-1.el8.noarch",
"product": {
"name": "jenkins-0:2.361.1.1672840472-1.el8.noarch",
"product_id": "jenkins-0:2.361.1.1672840472-1.el8.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jenkins@2.361.1.1672840472-1.el8?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"product": {
"name": "jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"product_id": "jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jenkins-2-plugins@4.8.1672842762-1.el8?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "jenkins-0:2.361.1.1672840472-1.el8.noarch as a component of Red Hat OpenShift Container Platform 4.8",
"product_id": "8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch"
},
"product_reference": "jenkins-0:2.361.1.1672840472-1.el8.noarch",
"relates_to_product_reference": "8Base-RHOSE-4.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jenkins-0:2.361.1.1672840472-1.el8.src as a component of Red Hat OpenShift Container Platform 4.8",
"product_id": "8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src"
},
"product_reference": "jenkins-0:2.361.1.1672840472-1.el8.src",
"relates_to_product_reference": "8Base-RHOSE-4.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch as a component of Red Hat OpenShift Container Platform 4.8",
"product_id": "8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch"
},
"product_reference": "jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"relates_to_product_reference": "8Base-RHOSE-4.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jenkins-2-plugins-0:4.8.1672842762-1.el8.src as a component of Red Hat OpenShift Container Platform 4.8",
"product_id": "8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
},
"product_reference": "jenkins-2-plugins-0:4.8.1672842762-1.el8.src",
"relates_to_product_reference": "8Base-RHOSE-4.8"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-2048",
"cwe": {
"id": "CWE-410",
"name": "Insufficient Resource Pool"
},
"discovery_date": "2022-08-09T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2116952"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Eclipse Jetty http2-server package. This flaw allows an attacker to cause a denial of service in the server via HTTP/2 requests.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "http2-server: Invalid HTTP/2 requests cause DoS",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src"
],
"known_not_affected": [
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-2048"
},
{
"category": "external",
"summary": "RHBZ#2116952",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2116952"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-2048",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-2048"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-2048",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2048"
},
{
"category": "external",
"summary": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-wgmr-mf83-7x4j",
"url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-wgmr-mf83-7x4j"
}
],
"release_date": "2022-07-07T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-12T16:49:54+00:00",
"details": "For OpenShift Container Platform 4.8 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html",
"product_ids": [
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0017"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "http2-server: Invalid HTTP/2 requests cause DoS"
},
{
"cve": "CVE-2022-29047",
"cwe": {
"id": "CWE-288",
"name": "Authentication Bypass Using an Alternate Path or Channel"
},
"discovery_date": "2022-04-13T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2074855"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Jenkins Pipeline: Shared Groovy Libraries plugin. The Jenkins Pipeline: Shared Groovy Libraries plugin allows attackers to submit pull requests. However, the attacker cannot commit directly to the configured Source Control Management (SCM) to effectively change the Pipeline behavior by changing the definition of a dynamically retrieved library in their pull request, even with the Pipeline configured not to trust them.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Libraries: Untrusted users can modify some Pipeline libraries in Pipeline Shared Groovy Libraries Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
],
"known_not_affected": [
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-29047"
},
{
"category": "external",
"summary": "RHBZ#2074855",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2074855"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-29047",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-29047"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-29047",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29047"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-04-12/#SECURITY-1951",
"url": "https://www.jenkins.io/security/advisory/2022-04-12/#SECURITY-1951"
}
],
"release_date": "2022-04-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-12T16:49:54+00:00",
"details": "For OpenShift Container Platform 4.8 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html",
"product_ids": [
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0017"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "Libraries: Untrusted users can modify some Pipeline libraries in Pipeline Shared Groovy Libraries Plugin"
},
{
"cve": "CVE-2022-30945",
"cwe": {
"id": "CWE-693",
"name": "Protection Mechanism Failure"
},
"discovery_date": "2022-08-19T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2119642"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jenkins Groovy Plugin. The plugin allows pipelines to load Groovy source files. The intent is to allow Global Shared Libraries to execute without sandbox protection. The issue is that the plugin allows any Groovy source files bundled with Jenkins core and plugins to be loaded this way and their methods executed. If a suitable Groovy source file is available on the classpath of Jenkins, sandbox protections can be bypassed. No Groovy source files were found in Jenkins core or plugins that could result in attackers executing dangerous code; hence successful exploitation is considered highly unlikely.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "plugin: Sandbox bypass vulnerability through implicitly allowlisted platform Groovy files in Pipeline: Groovy Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
],
"known_not_affected": [
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-30945"
},
{
"category": "external",
"summary": "RHBZ#2119642",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119642"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-30945",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30945"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-30945",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30945"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-359",
"url": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-359"
}
],
"release_date": "2022-05-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-12T16:49:54+00:00",
"details": "For OpenShift Container Platform 4.8 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html",
"product_ids": [
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0017"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "plugin: Sandbox bypass vulnerability through implicitly allowlisted platform Groovy files in Pipeline: Groovy Plugin"
},
{
"cve": "CVE-2022-30946",
"cwe": {
"id": "CWE-352",
"name": "Cross-Site Request Forgery (CSRF)"
},
"discovery_date": "2022-08-19T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2119643"
}
],
"notes": [
{
"category": "description",
"text": "A cross-site request forgery (CSRF) vulnerability in Jenkins Script Security Plugin 1158.v7c1b_73a_69a_08 and earlier allows attackers to have Jenkins send an HTTP request to an attacker-specified webserver.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "plugin: CSRF vulnerability in Script Security Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
],
"known_not_affected": [
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-30946"
},
{
"category": "external",
"summary": "RHBZ#2119643",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119643"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-30946",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30946"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-30946",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30946"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2116",
"url": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2116"
}
],
"release_date": "2022-05-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-12T16:49:54+00:00",
"details": "For OpenShift Container Platform 4.8 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html",
"product_ids": [
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0017"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "plugin: CSRF vulnerability in Script Security Plugin"
},
{
"cve": "CVE-2022-30948",
"cwe": {
"id": "CWE-435",
"name": "Improper Interaction Between Multiple Correctly-Behaving Entities"
},
"discovery_date": "2022-08-19T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2119644"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Jenkins plugin. Affected versions of the Jenkins Mercurial Plugin allow attackers who can configure pipelines to check out some SCM repositories stored on the Jenkins controller\u0027s file system. This is accomplished by using local paths as SCM URLs, obtaining limited information about other projects\u0027 SCM contents.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "plugin: Mercurial SCM plugin can check out from the controller file system",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
],
"known_not_affected": [
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-30948"
},
{
"category": "external",
"summary": "RHBZ#2119644",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119644"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-30948",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30948"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-30948",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30948"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2478",
"url": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2478"
}
],
"release_date": "2022-05-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-12T16:49:54+00:00",
"details": "For OpenShift Container Platform 4.8 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html",
"product_ids": [
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0017"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "plugin: Mercurial SCM plugin can check out from the controller file system"
},
{
"cve": "CVE-2022-30952",
"cwe": {
"id": "CWE-668",
"name": "Exposure of Resource to Wrong Sphere"
},
"discovery_date": "2022-08-19T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2119645"
}
],
"notes": [
{
"category": "description",
"text": "Jenkins Pipeline SCM API for Blue Ocean Plugin 1.25.3 and earlier allows attackers with Job/Configure permission to access credentials with attacker-specified IDs stored in the private per-user credentials stores of any attacker-specified user in Jenkins.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "plugin: User-scoped credentials exposed to other users by Pipeline SCM API for Blue Ocean Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
],
"known_not_affected": [
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-30952"
},
{
"category": "external",
"summary": "RHBZ#2119645",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119645"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-30952",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30952"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-30952",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30952"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-714",
"url": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-714"
}
],
"release_date": "2022-05-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-12T16:49:54+00:00",
"details": "For OpenShift Container Platform 4.8 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html",
"product_ids": [
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0017"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "plugin: User-scoped credentials exposed to other users by Pipeline SCM API for Blue Ocean Plugin"
},
{
"cve": "CVE-2022-30953",
"cwe": {
"id": "CWE-352",
"name": "Cross-Site Request Forgery (CSRF)"
},
"discovery_date": "2022-08-19T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2119646"
}
],
"notes": [
{
"category": "description",
"text": "A cross-site request forgery (CSRF) vulnerability in Jenkins Blue Ocean Plugin 1.25.3 and earlier allows attackers to connect to an attacker-specified HTTP server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "plugin: CSRF vulnerability in Blue Ocean Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
],
"known_not_affected": [
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-30953"
},
{
"category": "external",
"summary": "RHBZ#2119646",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119646"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-30953",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30953"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-30953",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30953"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2502",
"url": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2502"
}
],
"release_date": "2022-05-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-12T16:49:54+00:00",
"details": "For OpenShift Container Platform 4.8 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html",
"product_ids": [
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0017"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "plugin: CSRF vulnerability in Blue Ocean Plugin"
},
{
"cve": "CVE-2022-30954",
"cwe": {
"id": "CWE-862",
"name": "Missing Authorization"
},
"discovery_date": "2022-08-19T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2119647"
}
],
"notes": [
{
"category": "description",
"text": "Jenkins Blue Ocean Plugin 1.25.3 and earlier does not perform a permission check in several HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified HTTP server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "plugin: missing permission checks in Blue Ocean Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
],
"known_not_affected": [
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-30954"
},
{
"category": "external",
"summary": "RHBZ#2119647",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119647"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-30954",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30954"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-30954",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30954"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2502",
"url": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2502"
}
],
"release_date": "2022-05-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-12T16:49:54+00:00",
"details": "For OpenShift Container Platform 4.8 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html",
"product_ids": [
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0017"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "plugin: missing permission checks in Blue Ocean Plugin"
},
{
"cve": "CVE-2022-34174",
"cwe": {
"id": "CWE-208",
"name": "Observable Timing Discrepancy"
},
"discovery_date": "2022-08-19T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2119653"
}
],
"notes": [
{
"category": "description",
"text": "In Jenkins 2.355 and earlier, LTS 2.332.3 and earlier, an observable timing discrepancy on the login form allows distinguishing between login attempts with an invalid username, and login attempts with a valid username and wrong password, when using the Jenkins user database security realm.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins: Observable timing discrepancy allows determining username validity",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src"
],
"known_not_affected": [
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-34174"
},
{
"category": "external",
"summary": "RHBZ#2119653",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119653"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-34174",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-34174"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-34174",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34174"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-06-22/#SECURITY-2566",
"url": "https://www.jenkins.io/security/advisory/2022-06-22/#SECURITY-2566"
}
],
"release_date": "2022-06-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-12T16:49:54+00:00",
"details": "For OpenShift Container Platform 4.8 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html",
"product_ids": [
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0017"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jenkins: Observable timing discrepancy allows determining username validity"
},
{
"cve": "CVE-2022-34176",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2022-07-04T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2103548"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the JUnit Jenkins plugin. The manipulation with an unknown input leads to a Cross-site scripting vulnerability, impacting the integrity. This flaw allows an attacker to inject arbitrary HTML and script code into the website.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin/junit: Stored XSS vulnerability in JUnit Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
],
"known_not_affected": [
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-34176"
},
{
"category": "external",
"summary": "RHBZ#2103548",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2103548"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-34176",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-34176"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-34176",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34176"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-06-22/#SECURITY-2760",
"url": "https://www.jenkins.io/security/advisory/2022-06-22/#SECURITY-2760"
}
],
"release_date": "2022-06-23T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-12T16:49:54+00:00",
"details": "For OpenShift Container Platform 4.8 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html",
"product_ids": [
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0017"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jenkins-plugin/junit: Stored XSS vulnerability in JUnit Plugin"
},
{
"cve": "CVE-2022-34177",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2022-07-04T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2103551"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Pipeline Input Step Plugin. This issue affects the code of the component Archive File Handler. The manipulation of the argument file with a malicious input leads to a directory traversal vulnerability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin: Arbitrary file write vulnerability in Pipeline Input Step Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
],
"known_not_affected": [
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-34177"
},
{
"category": "external",
"summary": "RHBZ#2103551",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2103551"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-34177",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-34177"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-34177",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34177"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-06-22/#SECURITY-2705",
"url": "https://www.jenkins.io/security/advisory/2022-06-22/#SECURITY-2705"
}
],
"release_date": "2022-06-23T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-12T16:49:54+00:00",
"details": "For OpenShift Container Platform 4.8 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html",
"product_ids": [
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0017"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jenkins-plugin: Arbitrary file write vulnerability in Pipeline Input Step Plugin"
},
{
"cve": "CVE-2022-36881",
"cwe": {
"id": "CWE-322",
"name": "Key Exchange without Entity Authentication"
},
"discovery_date": "2022-08-03T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2114755"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Git-Client Jenkins plugin. The affected versions of the Jenkins Git client Plugin do not perform SSH host key verification when connecting to Git repositories via SSH, enabling Man-in-the-middle attacks.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin: Man-in-the-Middle (MitM) in org.jenkins-ci.plugins:git-client",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
],
"known_not_affected": [
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-36881"
},
{
"category": "external",
"summary": "RHBZ#2114755",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2114755"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-36881",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-36881"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-36881",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36881"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-cm7j-p8hc-97vj",
"url": "https://github.com/advisories/GHSA-cm7j-p8hc-97vj"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-1468",
"url": "https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-1468"
}
],
"release_date": "2022-08-03T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-12T16:49:54+00:00",
"details": "For OpenShift Container Platform 4.8 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html",
"product_ids": [
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0017"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jenkins-plugin: Man-in-the-Middle (MitM) in org.jenkins-ci.plugins:git-client"
},
{
"cve": "CVE-2022-36882",
"cwe": {
"id": "CWE-352",
"name": "Cross-Site Request Forgery (CSRF)"
},
"discovery_date": "2022-08-09T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2116840"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Git Jenkins plugin. The affected versions of the Git Jenkins Plugin allow attackers to trigger the builds of jobs configured to use an attacker-specified Git repository and to cause them to check out an attacker-specified commit.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin: Cross-site Request Forgery (CSRF) in org.jenkins-ci.plugins:git",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
],
"known_not_affected": [
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-36882"
},
{
"category": "external",
"summary": "RHBZ#2116840",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2116840"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-36882",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-36882"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-36882",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36882"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284",
"url": "https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284"
}
],
"release_date": "2022-08-03T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-12T16:49:54+00:00",
"details": "For OpenShift Container Platform 4.8 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html",
"product_ids": [
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0017"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jenkins-plugin: Cross-site Request Forgery (CSRF) in org.jenkins-ci.plugins:git"
},
{
"cve": "CVE-2022-36883",
"cwe": {
"id": "CWE-862",
"name": "Missing Authorization"
},
"discovery_date": "2022-08-19T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2119656"
}
],
"notes": [
{
"category": "description",
"text": "A missing permission check in Jenkins Git Plugin 4.11.3 and earlier allows unauthenticated attackers to trigger builds of jobs configured to use an attacker-specified Git repository and to cause them to check out an attacker-specified commit.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "plugin: Lack of authentication mechanism in Git Plugin webhook",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
],
"known_not_affected": [
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-36883"
},
{
"category": "external",
"summary": "RHBZ#2119656",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119656"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-36883",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-36883"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-36883",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36883"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284",
"url": "https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284"
}
],
"release_date": "2022-07-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-12T16:49:54+00:00",
"details": "For OpenShift Container Platform 4.8 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html",
"product_ids": [
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0017"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "plugin: Lack of authentication mechanism in Git Plugin webhook"
},
{
"cve": "CVE-2022-36884",
"cwe": {
"id": "CWE-200",
"name": "Exposure of Sensitive Information to an Unauthorized Actor"
},
"discovery_date": "2022-08-19T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2119657"
}
],
"notes": [
{
"category": "description",
"text": "The webhook endpoint in Jenkins Git Plugin 4.11.3 and earlier provide unauthenticated attackers information about the existence of jobs configured to use an attacker-specified Git repository.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "plugin: Lack of authentication mechanism in Git Plugin webhook",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
],
"known_not_affected": [
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-36884"
},
{
"category": "external",
"summary": "RHBZ#2119657",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119657"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-36884",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-36884"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-36884",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36884"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284",
"url": "https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284"
}
],
"release_date": "2022-07-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-12T16:49:54+00:00",
"details": "For OpenShift Container Platform 4.8 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html",
"product_ids": [
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0017"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "plugin: Lack of authentication mechanism in Git Plugin webhook"
},
{
"cve": "CVE-2022-36885",
"cwe": {
"id": "CWE-208",
"name": "Observable Timing Discrepancy"
},
"discovery_date": "2022-08-19T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2119658"
}
],
"notes": [
{
"category": "description",
"text": "Jenkins GitHub Plugin 1.34.4 and earlier uses a non-constant time comparison function when checking whether the provided and computed webhook signatures are equal, allowing attackers to use statistical methods to obtain a valid webhook signature.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "plugin: Non-constant time webhook signature comparison in GitHub Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
],
"known_not_affected": [
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-0:2.361.1.1672840472-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-36885"
},
{
"category": "external",
"summary": "RHBZ#2119658",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119658"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-36885",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-36885"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-36885",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36885"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-1849",
"url": "https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-1849"
}
],
"release_date": "2022-07-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-12T16:49:54+00:00",
"details": "For OpenShift Container Platform 4.8 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html",
"product_ids": [
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0017"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.noarch",
"8Base-RHOSE-4.8:jenkins-2-plugins-0:4.8.1672842762-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "plugin: Non-constant time webhook signature comparison in GitHub Plugin"
}
]
}
WID-SEC-W-2023-0090
Vulnerability from csaf_certbund - Published: 2022-05-17 22:00 - Updated: 2023-06-15 22:00Summary
Jenkins: Mehrere Schwachstellen
Severity
Mittel
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung: Jenkins ist ein erweiterbarer, webbasierter Integration Server zur kontinuierlichen Unterstützung bei Softwareentwicklungen aller Art.
Angriff: Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in Jenkins ausnutzen, um Sicherheitsmaßnahmen zu umgehen, beliebigen Code auszuführen, einen Cross-Site-Scripting-Angriff durchzuführen, vertrauliche Informationen offenzulegen und Daten zu manipulieren.
Betroffene Betriebssysteme: - UNIX
- Linux
- Windows
- Sonstiges
In Jenkins existieren mehrere Schwachstellen. Die Fehler sind in den folgenden Plugins vorhanden: Application Detector Plugin, Autocomplete Parameter Plugin, Blue Ocean Plugin, Git Plugin, GitLab Plugin, Global Variable String Parameter Plugin, JDK Parameter Plugin, Mercurial Plugin, Multiselect parameter Plugin, Pipeline SCM API for Blue Ocean Plugin, Pipeline: Groovy Plugin, Promoted Builds (Simple) Plugin, Random String Parameter Plugin, REPO Plugin, Rundeck Plugin, Script Security Plugin, Selection tasks Plugin, SSH Plugin, Storable Configs Plugin, vboxwrapper Plugin und das WMI Windows Agents Plugin. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsmaßnahmen zu umgehen, beliebigen Code auszuführen, einen Cross-Site-Scripting-Angriff durchzuführen, vertrauliche Informationen offenzulegen und Daten zu manipulieren. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion.
Affected products
Known affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat OpenShift container platform 4.0.51
Red Hat
|
cpe:/a:redhat:openshift:container_platform_4.0.51
|
— | |
|
Red Hat Enterprise Linux
Red Hat
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Jenkins Jenkins
Jenkins
|
cpe:/a:cloudbees:jenkins:-
|
— |
In Jenkins existieren mehrere Schwachstellen. Die Fehler sind in den folgenden Plugins vorhanden: Application Detector Plugin, Autocomplete Parameter Plugin, Blue Ocean Plugin, Git Plugin, GitLab Plugin, Global Variable String Parameter Plugin, JDK Parameter Plugin, Mercurial Plugin, Multiselect parameter Plugin, Pipeline SCM API for Blue Ocean Plugin, Pipeline: Groovy Plugin, Promoted Builds (Simple) Plugin, Random String Parameter Plugin, REPO Plugin, Rundeck Plugin, Script Security Plugin, Selection tasks Plugin, SSH Plugin, Storable Configs Plugin, vboxwrapper Plugin und das WMI Windows Agents Plugin. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsmaßnahmen zu umgehen, beliebigen Code auszuführen, einen Cross-Site-Scripting-Angriff durchzuführen, vertrauliche Informationen offenzulegen und Daten zu manipulieren. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion.
Affected products
Known affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat OpenShift container platform 4.0.51
Red Hat
|
cpe:/a:redhat:openshift:container_platform_4.0.51
|
— | |
|
Red Hat Enterprise Linux
Red Hat
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Jenkins Jenkins
Jenkins
|
cpe:/a:cloudbees:jenkins:-
|
— |
In Jenkins existieren mehrere Schwachstellen. Die Fehler sind in den folgenden Plugins vorhanden: Application Detector Plugin, Autocomplete Parameter Plugin, Blue Ocean Plugin, Git Plugin, GitLab Plugin, Global Variable String Parameter Plugin, JDK Parameter Plugin, Mercurial Plugin, Multiselect parameter Plugin, Pipeline SCM API for Blue Ocean Plugin, Pipeline: Groovy Plugin, Promoted Builds (Simple) Plugin, Random String Parameter Plugin, REPO Plugin, Rundeck Plugin, Script Security Plugin, Selection tasks Plugin, SSH Plugin, Storable Configs Plugin, vboxwrapper Plugin und das WMI Windows Agents Plugin. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsmaßnahmen zu umgehen, beliebigen Code auszuführen, einen Cross-Site-Scripting-Angriff durchzuführen, vertrauliche Informationen offenzulegen und Daten zu manipulieren. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion.
Affected products
Known affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat OpenShift container platform 4.0.51
Red Hat
|
cpe:/a:redhat:openshift:container_platform_4.0.51
|
— | |
|
Red Hat Enterprise Linux
Red Hat
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Jenkins Jenkins
Jenkins
|
cpe:/a:cloudbees:jenkins:-
|
— |
In Jenkins existieren mehrere Schwachstellen. Die Fehler sind in den folgenden Plugins vorhanden: Application Detector Plugin, Autocomplete Parameter Plugin, Blue Ocean Plugin, Git Plugin, GitLab Plugin, Global Variable String Parameter Plugin, JDK Parameter Plugin, Mercurial Plugin, Multiselect parameter Plugin, Pipeline SCM API for Blue Ocean Plugin, Pipeline: Groovy Plugin, Promoted Builds (Simple) Plugin, Random String Parameter Plugin, REPO Plugin, Rundeck Plugin, Script Security Plugin, Selection tasks Plugin, SSH Plugin, Storable Configs Plugin, vboxwrapper Plugin und das WMI Windows Agents Plugin. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsmaßnahmen zu umgehen, beliebigen Code auszuführen, einen Cross-Site-Scripting-Angriff durchzuführen, vertrauliche Informationen offenzulegen und Daten zu manipulieren. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion.
Affected products
Known affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat OpenShift container platform 4.0.51
Red Hat
|
cpe:/a:redhat:openshift:container_platform_4.0.51
|
— | |
|
Red Hat Enterprise Linux
Red Hat
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Jenkins Jenkins
Jenkins
|
cpe:/a:cloudbees:jenkins:-
|
— |
In Jenkins existieren mehrere Schwachstellen. Die Fehler sind in den folgenden Plugins vorhanden: Application Detector Plugin, Autocomplete Parameter Plugin, Blue Ocean Plugin, Git Plugin, GitLab Plugin, Global Variable String Parameter Plugin, JDK Parameter Plugin, Mercurial Plugin, Multiselect parameter Plugin, Pipeline SCM API for Blue Ocean Plugin, Pipeline: Groovy Plugin, Promoted Builds (Simple) Plugin, Random String Parameter Plugin, REPO Plugin, Rundeck Plugin, Script Security Plugin, Selection tasks Plugin, SSH Plugin, Storable Configs Plugin, vboxwrapper Plugin und das WMI Windows Agents Plugin. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsmaßnahmen zu umgehen, beliebigen Code auszuführen, einen Cross-Site-Scripting-Angriff durchzuführen, vertrauliche Informationen offenzulegen und Daten zu manipulieren. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion.
Affected products
Known affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat OpenShift container platform 4.0.51
Red Hat
|
cpe:/a:redhat:openshift:container_platform_4.0.51
|
— | |
|
Red Hat Enterprise Linux
Red Hat
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Jenkins Jenkins
Jenkins
|
cpe:/a:cloudbees:jenkins:-
|
— |
In Jenkins existieren mehrere Schwachstellen. Die Fehler sind in den folgenden Plugins vorhanden: Application Detector Plugin, Autocomplete Parameter Plugin, Blue Ocean Plugin, Git Plugin, GitLab Plugin, Global Variable String Parameter Plugin, JDK Parameter Plugin, Mercurial Plugin, Multiselect parameter Plugin, Pipeline SCM API for Blue Ocean Plugin, Pipeline: Groovy Plugin, Promoted Builds (Simple) Plugin, Random String Parameter Plugin, REPO Plugin, Rundeck Plugin, Script Security Plugin, Selection tasks Plugin, SSH Plugin, Storable Configs Plugin, vboxwrapper Plugin und das WMI Windows Agents Plugin. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsmaßnahmen zu umgehen, beliebigen Code auszuführen, einen Cross-Site-Scripting-Angriff durchzuführen, vertrauliche Informationen offenzulegen und Daten zu manipulieren. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion.
Affected products
Known affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat OpenShift container platform 4.0.51
Red Hat
|
cpe:/a:redhat:openshift:container_platform_4.0.51
|
— | |
|
Red Hat Enterprise Linux
Red Hat
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Jenkins Jenkins
Jenkins
|
cpe:/a:cloudbees:jenkins:-
|
— |
In Jenkins existieren mehrere Schwachstellen. Die Fehler sind in den folgenden Plugins vorhanden: Application Detector Plugin, Autocomplete Parameter Plugin, Blue Ocean Plugin, Git Plugin, GitLab Plugin, Global Variable String Parameter Plugin, JDK Parameter Plugin, Mercurial Plugin, Multiselect parameter Plugin, Pipeline SCM API for Blue Ocean Plugin, Pipeline: Groovy Plugin, Promoted Builds (Simple) Plugin, Random String Parameter Plugin, REPO Plugin, Rundeck Plugin, Script Security Plugin, Selection tasks Plugin, SSH Plugin, Storable Configs Plugin, vboxwrapper Plugin und das WMI Windows Agents Plugin. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsmaßnahmen zu umgehen, beliebigen Code auszuführen, einen Cross-Site-Scripting-Angriff durchzuführen, vertrauliche Informationen offenzulegen und Daten zu manipulieren. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion.
Affected products
Known affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat OpenShift container platform 4.0.51
Red Hat
|
cpe:/a:redhat:openshift:container_platform_4.0.51
|
— | |
|
Red Hat Enterprise Linux
Red Hat
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Jenkins Jenkins
Jenkins
|
cpe:/a:cloudbees:jenkins:-
|
— |
In Jenkins existieren mehrere Schwachstellen. Die Fehler sind in den folgenden Plugins vorhanden: Application Detector Plugin, Autocomplete Parameter Plugin, Blue Ocean Plugin, Git Plugin, GitLab Plugin, Global Variable String Parameter Plugin, JDK Parameter Plugin, Mercurial Plugin, Multiselect parameter Plugin, Pipeline SCM API for Blue Ocean Plugin, Pipeline: Groovy Plugin, Promoted Builds (Simple) Plugin, Random String Parameter Plugin, REPO Plugin, Rundeck Plugin, Script Security Plugin, Selection tasks Plugin, SSH Plugin, Storable Configs Plugin, vboxwrapper Plugin und das WMI Windows Agents Plugin. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsmaßnahmen zu umgehen, beliebigen Code auszuführen, einen Cross-Site-Scripting-Angriff durchzuführen, vertrauliche Informationen offenzulegen und Daten zu manipulieren. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion.
Affected products
Known affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat OpenShift container platform 4.0.51
Red Hat
|
cpe:/a:redhat:openshift:container_platform_4.0.51
|
— | |
|
Red Hat Enterprise Linux
Red Hat
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Jenkins Jenkins
Jenkins
|
cpe:/a:cloudbees:jenkins:-
|
— |
In Jenkins existieren mehrere Schwachstellen. Die Fehler sind in den folgenden Plugins vorhanden: Application Detector Plugin, Autocomplete Parameter Plugin, Blue Ocean Plugin, Git Plugin, GitLab Plugin, Global Variable String Parameter Plugin, JDK Parameter Plugin, Mercurial Plugin, Multiselect parameter Plugin, Pipeline SCM API for Blue Ocean Plugin, Pipeline: Groovy Plugin, Promoted Builds (Simple) Plugin, Random String Parameter Plugin, REPO Plugin, Rundeck Plugin, Script Security Plugin, Selection tasks Plugin, SSH Plugin, Storable Configs Plugin, vboxwrapper Plugin und das WMI Windows Agents Plugin. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsmaßnahmen zu umgehen, beliebigen Code auszuführen, einen Cross-Site-Scripting-Angriff durchzuführen, vertrauliche Informationen offenzulegen und Daten zu manipulieren. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion.
Affected products
Known affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat OpenShift container platform 4.0.51
Red Hat
|
cpe:/a:redhat:openshift:container_platform_4.0.51
|
— | |
|
Red Hat Enterprise Linux
Red Hat
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Jenkins Jenkins
Jenkins
|
cpe:/a:cloudbees:jenkins:-
|
— |
In Jenkins existieren mehrere Schwachstellen. Die Fehler sind in den folgenden Plugins vorhanden: Application Detector Plugin, Autocomplete Parameter Plugin, Blue Ocean Plugin, Git Plugin, GitLab Plugin, Global Variable String Parameter Plugin, JDK Parameter Plugin, Mercurial Plugin, Multiselect parameter Plugin, Pipeline SCM API for Blue Ocean Plugin, Pipeline: Groovy Plugin, Promoted Builds (Simple) Plugin, Random String Parameter Plugin, REPO Plugin, Rundeck Plugin, Script Security Plugin, Selection tasks Plugin, SSH Plugin, Storable Configs Plugin, vboxwrapper Plugin und das WMI Windows Agents Plugin. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsmaßnahmen zu umgehen, beliebigen Code auszuführen, einen Cross-Site-Scripting-Angriff durchzuführen, vertrauliche Informationen offenzulegen und Daten zu manipulieren. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion.
Affected products
Known affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat OpenShift container platform 4.0.51
Red Hat
|
cpe:/a:redhat:openshift:container_platform_4.0.51
|
— | |
|
Red Hat Enterprise Linux
Red Hat
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Jenkins Jenkins
Jenkins
|
cpe:/a:cloudbees:jenkins:-
|
— |
In Jenkins existieren mehrere Schwachstellen. Die Fehler sind in den folgenden Plugins vorhanden: Application Detector Plugin, Autocomplete Parameter Plugin, Blue Ocean Plugin, Git Plugin, GitLab Plugin, Global Variable String Parameter Plugin, JDK Parameter Plugin, Mercurial Plugin, Multiselect parameter Plugin, Pipeline SCM API for Blue Ocean Plugin, Pipeline: Groovy Plugin, Promoted Builds (Simple) Plugin, Random String Parameter Plugin, REPO Plugin, Rundeck Plugin, Script Security Plugin, Selection tasks Plugin, SSH Plugin, Storable Configs Plugin, vboxwrapper Plugin und das WMI Windows Agents Plugin. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsmaßnahmen zu umgehen, beliebigen Code auszuführen, einen Cross-Site-Scripting-Angriff durchzuführen, vertrauliche Informationen offenzulegen und Daten zu manipulieren. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion.
Affected products
Known affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat OpenShift container platform 4.0.51
Red Hat
|
cpe:/a:redhat:openshift:container_platform_4.0.51
|
— | |
|
Red Hat Enterprise Linux
Red Hat
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Jenkins Jenkins
Jenkins
|
cpe:/a:cloudbees:jenkins:-
|
— |
In Jenkins existieren mehrere Schwachstellen. Die Fehler sind in den folgenden Plugins vorhanden: Application Detector Plugin, Autocomplete Parameter Plugin, Blue Ocean Plugin, Git Plugin, GitLab Plugin, Global Variable String Parameter Plugin, JDK Parameter Plugin, Mercurial Plugin, Multiselect parameter Plugin, Pipeline SCM API for Blue Ocean Plugin, Pipeline: Groovy Plugin, Promoted Builds (Simple) Plugin, Random String Parameter Plugin, REPO Plugin, Rundeck Plugin, Script Security Plugin, Selection tasks Plugin, SSH Plugin, Storable Configs Plugin, vboxwrapper Plugin und das WMI Windows Agents Plugin. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsmaßnahmen zu umgehen, beliebigen Code auszuführen, einen Cross-Site-Scripting-Angriff durchzuführen, vertrauliche Informationen offenzulegen und Daten zu manipulieren. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion.
Affected products
Known affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat OpenShift container platform 4.0.51
Red Hat
|
cpe:/a:redhat:openshift:container_platform_4.0.51
|
— | |
|
Red Hat Enterprise Linux
Red Hat
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Jenkins Jenkins
Jenkins
|
cpe:/a:cloudbees:jenkins:-
|
— |
In Jenkins existieren mehrere Schwachstellen. Die Fehler sind in den folgenden Plugins vorhanden: Application Detector Plugin, Autocomplete Parameter Plugin, Blue Ocean Plugin, Git Plugin, GitLab Plugin, Global Variable String Parameter Plugin, JDK Parameter Plugin, Mercurial Plugin, Multiselect parameter Plugin, Pipeline SCM API for Blue Ocean Plugin, Pipeline: Groovy Plugin, Promoted Builds (Simple) Plugin, Random String Parameter Plugin, REPO Plugin, Rundeck Plugin, Script Security Plugin, Selection tasks Plugin, SSH Plugin, Storable Configs Plugin, vboxwrapper Plugin und das WMI Windows Agents Plugin. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsmaßnahmen zu umgehen, beliebigen Code auszuführen, einen Cross-Site-Scripting-Angriff durchzuführen, vertrauliche Informationen offenzulegen und Daten zu manipulieren. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion.
Affected products
Known affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat OpenShift container platform 4.0.51
Red Hat
|
cpe:/a:redhat:openshift:container_platform_4.0.51
|
— | |
|
Red Hat Enterprise Linux
Red Hat
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Jenkins Jenkins
Jenkins
|
cpe:/a:cloudbees:jenkins:-
|
— |
In Jenkins existieren mehrere Schwachstellen. Die Fehler sind in den folgenden Plugins vorhanden: Application Detector Plugin, Autocomplete Parameter Plugin, Blue Ocean Plugin, Git Plugin, GitLab Plugin, Global Variable String Parameter Plugin, JDK Parameter Plugin, Mercurial Plugin, Multiselect parameter Plugin, Pipeline SCM API for Blue Ocean Plugin, Pipeline: Groovy Plugin, Promoted Builds (Simple) Plugin, Random String Parameter Plugin, REPO Plugin, Rundeck Plugin, Script Security Plugin, Selection tasks Plugin, SSH Plugin, Storable Configs Plugin, vboxwrapper Plugin und das WMI Windows Agents Plugin. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsmaßnahmen zu umgehen, beliebigen Code auszuführen, einen Cross-Site-Scripting-Angriff durchzuführen, vertrauliche Informationen offenzulegen und Daten zu manipulieren. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion.
Affected products
Known affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat OpenShift container platform 4.0.51
Red Hat
|
cpe:/a:redhat:openshift:container_platform_4.0.51
|
— | |
|
Red Hat Enterprise Linux
Red Hat
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Jenkins Jenkins
Jenkins
|
cpe:/a:cloudbees:jenkins:-
|
— |
In Jenkins existieren mehrere Schwachstellen. Die Fehler sind in den folgenden Plugins vorhanden: Application Detector Plugin, Autocomplete Parameter Plugin, Blue Ocean Plugin, Git Plugin, GitLab Plugin, Global Variable String Parameter Plugin, JDK Parameter Plugin, Mercurial Plugin, Multiselect parameter Plugin, Pipeline SCM API for Blue Ocean Plugin, Pipeline: Groovy Plugin, Promoted Builds (Simple) Plugin, Random String Parameter Plugin, REPO Plugin, Rundeck Plugin, Script Security Plugin, Selection tasks Plugin, SSH Plugin, Storable Configs Plugin, vboxwrapper Plugin und das WMI Windows Agents Plugin. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsmaßnahmen zu umgehen, beliebigen Code auszuführen, einen Cross-Site-Scripting-Angriff durchzuführen, vertrauliche Informationen offenzulegen und Daten zu manipulieren. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion.
Affected products
Known affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat OpenShift container platform 4.0.51
Red Hat
|
cpe:/a:redhat:openshift:container_platform_4.0.51
|
— | |
|
Red Hat Enterprise Linux
Red Hat
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Jenkins Jenkins
Jenkins
|
cpe:/a:cloudbees:jenkins:-
|
— |
In Jenkins existieren mehrere Schwachstellen. Die Fehler sind in den folgenden Plugins vorhanden: Application Detector Plugin, Autocomplete Parameter Plugin, Blue Ocean Plugin, Git Plugin, GitLab Plugin, Global Variable String Parameter Plugin, JDK Parameter Plugin, Mercurial Plugin, Multiselect parameter Plugin, Pipeline SCM API for Blue Ocean Plugin, Pipeline: Groovy Plugin, Promoted Builds (Simple) Plugin, Random String Parameter Plugin, REPO Plugin, Rundeck Plugin, Script Security Plugin, Selection tasks Plugin, SSH Plugin, Storable Configs Plugin, vboxwrapper Plugin und das WMI Windows Agents Plugin. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsmaßnahmen zu umgehen, beliebigen Code auszuführen, einen Cross-Site-Scripting-Angriff durchzuführen, vertrauliche Informationen offenzulegen und Daten zu manipulieren. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion.
Affected products
Known affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat OpenShift container platform 4.0.51
Red Hat
|
cpe:/a:redhat:openshift:container_platform_4.0.51
|
— | |
|
Red Hat Enterprise Linux
Red Hat
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Jenkins Jenkins
Jenkins
|
cpe:/a:cloudbees:jenkins:-
|
— |
In Jenkins existieren mehrere Schwachstellen. Die Fehler sind in den folgenden Plugins vorhanden: Application Detector Plugin, Autocomplete Parameter Plugin, Blue Ocean Plugin, Git Plugin, GitLab Plugin, Global Variable String Parameter Plugin, JDK Parameter Plugin, Mercurial Plugin, Multiselect parameter Plugin, Pipeline SCM API for Blue Ocean Plugin, Pipeline: Groovy Plugin, Promoted Builds (Simple) Plugin, Random String Parameter Plugin, REPO Plugin, Rundeck Plugin, Script Security Plugin, Selection tasks Plugin, SSH Plugin, Storable Configs Plugin, vboxwrapper Plugin und das WMI Windows Agents Plugin. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsmaßnahmen zu umgehen, beliebigen Code auszuführen, einen Cross-Site-Scripting-Angriff durchzuführen, vertrauliche Informationen offenzulegen und Daten zu manipulieren. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion.
Affected products
Known affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat OpenShift container platform 4.0.51
Red Hat
|
cpe:/a:redhat:openshift:container_platform_4.0.51
|
— | |
|
Red Hat Enterprise Linux
Red Hat
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Jenkins Jenkins
Jenkins
|
cpe:/a:cloudbees:jenkins:-
|
— |
In Jenkins existieren mehrere Schwachstellen. Die Fehler sind in den folgenden Plugins vorhanden: Application Detector Plugin, Autocomplete Parameter Plugin, Blue Ocean Plugin, Git Plugin, GitLab Plugin, Global Variable String Parameter Plugin, JDK Parameter Plugin, Mercurial Plugin, Multiselect parameter Plugin, Pipeline SCM API for Blue Ocean Plugin, Pipeline: Groovy Plugin, Promoted Builds (Simple) Plugin, Random String Parameter Plugin, REPO Plugin, Rundeck Plugin, Script Security Plugin, Selection tasks Plugin, SSH Plugin, Storable Configs Plugin, vboxwrapper Plugin und das WMI Windows Agents Plugin. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsmaßnahmen zu umgehen, beliebigen Code auszuführen, einen Cross-Site-Scripting-Angriff durchzuführen, vertrauliche Informationen offenzulegen und Daten zu manipulieren. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion.
Affected products
Known affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat OpenShift container platform 4.0.51
Red Hat
|
cpe:/a:redhat:openshift:container_platform_4.0.51
|
— | |
|
Red Hat Enterprise Linux
Red Hat
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Jenkins Jenkins
Jenkins
|
cpe:/a:cloudbees:jenkins:-
|
— |
In Jenkins existieren mehrere Schwachstellen. Die Fehler sind in den folgenden Plugins vorhanden: Application Detector Plugin, Autocomplete Parameter Plugin, Blue Ocean Plugin, Git Plugin, GitLab Plugin, Global Variable String Parameter Plugin, JDK Parameter Plugin, Mercurial Plugin, Multiselect parameter Plugin, Pipeline SCM API for Blue Ocean Plugin, Pipeline: Groovy Plugin, Promoted Builds (Simple) Plugin, Random String Parameter Plugin, REPO Plugin, Rundeck Plugin, Script Security Plugin, Selection tasks Plugin, SSH Plugin, Storable Configs Plugin, vboxwrapper Plugin und das WMI Windows Agents Plugin. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsmaßnahmen zu umgehen, beliebigen Code auszuführen, einen Cross-Site-Scripting-Angriff durchzuführen, vertrauliche Informationen offenzulegen und Daten zu manipulieren. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion.
Affected products
Known affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat OpenShift container platform 4.0.51
Red Hat
|
cpe:/a:redhat:openshift:container_platform_4.0.51
|
— | |
|
Red Hat Enterprise Linux
Red Hat
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Jenkins Jenkins
Jenkins
|
cpe:/a:cloudbees:jenkins:-
|
— |
In Jenkins existieren mehrere Schwachstellen. Die Fehler sind in den folgenden Plugins vorhanden: Application Detector Plugin, Autocomplete Parameter Plugin, Blue Ocean Plugin, Git Plugin, GitLab Plugin, Global Variable String Parameter Plugin, JDK Parameter Plugin, Mercurial Plugin, Multiselect parameter Plugin, Pipeline SCM API for Blue Ocean Plugin, Pipeline: Groovy Plugin, Promoted Builds (Simple) Plugin, Random String Parameter Plugin, REPO Plugin, Rundeck Plugin, Script Security Plugin, Selection tasks Plugin, SSH Plugin, Storable Configs Plugin, vboxwrapper Plugin und das WMI Windows Agents Plugin. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsmaßnahmen zu umgehen, beliebigen Code auszuführen, einen Cross-Site-Scripting-Angriff durchzuführen, vertrauliche Informationen offenzulegen und Daten zu manipulieren. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion.
Affected products
Known affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat OpenShift container platform 4.0.51
Red Hat
|
cpe:/a:redhat:openshift:container_platform_4.0.51
|
— | |
|
Red Hat Enterprise Linux
Red Hat
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Jenkins Jenkins
Jenkins
|
cpe:/a:cloudbees:jenkins:-
|
— |
In Jenkins existieren mehrere Schwachstellen. Die Fehler sind in den folgenden Plugins vorhanden: Application Detector Plugin, Autocomplete Parameter Plugin, Blue Ocean Plugin, Git Plugin, GitLab Plugin, Global Variable String Parameter Plugin, JDK Parameter Plugin, Mercurial Plugin, Multiselect parameter Plugin, Pipeline SCM API for Blue Ocean Plugin, Pipeline: Groovy Plugin, Promoted Builds (Simple) Plugin, Random String Parameter Plugin, REPO Plugin, Rundeck Plugin, Script Security Plugin, Selection tasks Plugin, SSH Plugin, Storable Configs Plugin, vboxwrapper Plugin und das WMI Windows Agents Plugin. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsmaßnahmen zu umgehen, beliebigen Code auszuführen, einen Cross-Site-Scripting-Angriff durchzuführen, vertrauliche Informationen offenzulegen und Daten zu manipulieren. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion.
Affected products
Known affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat OpenShift container platform 4.0.51
Red Hat
|
cpe:/a:redhat:openshift:container_platform_4.0.51
|
— | |
|
Red Hat Enterprise Linux
Red Hat
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Jenkins Jenkins
Jenkins
|
cpe:/a:cloudbees:jenkins:-
|
— |
In Jenkins existieren mehrere Schwachstellen. Die Fehler sind in den folgenden Plugins vorhanden: Application Detector Plugin, Autocomplete Parameter Plugin, Blue Ocean Plugin, Git Plugin, GitLab Plugin, Global Variable String Parameter Plugin, JDK Parameter Plugin, Mercurial Plugin, Multiselect parameter Plugin, Pipeline SCM API for Blue Ocean Plugin, Pipeline: Groovy Plugin, Promoted Builds (Simple) Plugin, Random String Parameter Plugin, REPO Plugin, Rundeck Plugin, Script Security Plugin, Selection tasks Plugin, SSH Plugin, Storable Configs Plugin, vboxwrapper Plugin und das WMI Windows Agents Plugin. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsmaßnahmen zu umgehen, beliebigen Code auszuführen, einen Cross-Site-Scripting-Angriff durchzuführen, vertrauliche Informationen offenzulegen und Daten zu manipulieren. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion.
Affected products
Known affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat OpenShift container platform 4.0.51
Red Hat
|
cpe:/a:redhat:openshift:container_platform_4.0.51
|
— | |
|
Red Hat Enterprise Linux
Red Hat
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Jenkins Jenkins
Jenkins
|
cpe:/a:cloudbees:jenkins:-
|
— |
In Jenkins existieren mehrere Schwachstellen. Die Fehler sind in den folgenden Plugins vorhanden: Application Detector Plugin, Autocomplete Parameter Plugin, Blue Ocean Plugin, Git Plugin, GitLab Plugin, Global Variable String Parameter Plugin, JDK Parameter Plugin, Mercurial Plugin, Multiselect parameter Plugin, Pipeline SCM API for Blue Ocean Plugin, Pipeline: Groovy Plugin, Promoted Builds (Simple) Plugin, Random String Parameter Plugin, REPO Plugin, Rundeck Plugin, Script Security Plugin, Selection tasks Plugin, SSH Plugin, Storable Configs Plugin, vboxwrapper Plugin und das WMI Windows Agents Plugin. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsmaßnahmen zu umgehen, beliebigen Code auszuführen, einen Cross-Site-Scripting-Angriff durchzuführen, vertrauliche Informationen offenzulegen und Daten zu manipulieren. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion.
Affected products
Known affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat OpenShift container platform 4.0.51
Red Hat
|
cpe:/a:redhat:openshift:container_platform_4.0.51
|
— | |
|
Red Hat Enterprise Linux
Red Hat
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Jenkins Jenkins
Jenkins
|
cpe:/a:cloudbees:jenkins:-
|
— |
In Jenkins existieren mehrere Schwachstellen. Die Fehler sind in den folgenden Plugins vorhanden: Application Detector Plugin, Autocomplete Parameter Plugin, Blue Ocean Plugin, Git Plugin, GitLab Plugin, Global Variable String Parameter Plugin, JDK Parameter Plugin, Mercurial Plugin, Multiselect parameter Plugin, Pipeline SCM API for Blue Ocean Plugin, Pipeline: Groovy Plugin, Promoted Builds (Simple) Plugin, Random String Parameter Plugin, REPO Plugin, Rundeck Plugin, Script Security Plugin, Selection tasks Plugin, SSH Plugin, Storable Configs Plugin, vboxwrapper Plugin und das WMI Windows Agents Plugin. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsmaßnahmen zu umgehen, beliebigen Code auszuführen, einen Cross-Site-Scripting-Angriff durchzuführen, vertrauliche Informationen offenzulegen und Daten zu manipulieren. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion.
Affected products
Known affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat OpenShift container platform 4.0.51
Red Hat
|
cpe:/a:redhat:openshift:container_platform_4.0.51
|
— | |
|
Red Hat Enterprise Linux
Red Hat
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Jenkins Jenkins
Jenkins
|
cpe:/a:cloudbees:jenkins:-
|
— |
In Jenkins existieren mehrere Schwachstellen. Die Fehler sind in den folgenden Plugins vorhanden: Application Detector Plugin, Autocomplete Parameter Plugin, Blue Ocean Plugin, Git Plugin, GitLab Plugin, Global Variable String Parameter Plugin, JDK Parameter Plugin, Mercurial Plugin, Multiselect parameter Plugin, Pipeline SCM API for Blue Ocean Plugin, Pipeline: Groovy Plugin, Promoted Builds (Simple) Plugin, Random String Parameter Plugin, REPO Plugin, Rundeck Plugin, Script Security Plugin, Selection tasks Plugin, SSH Plugin, Storable Configs Plugin, vboxwrapper Plugin und das WMI Windows Agents Plugin. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsmaßnahmen zu umgehen, beliebigen Code auszuführen, einen Cross-Site-Scripting-Angriff durchzuführen, vertrauliche Informationen offenzulegen und Daten zu manipulieren. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion.
Affected products
Known affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat OpenShift container platform 4.0.51
Red Hat
|
cpe:/a:redhat:openshift:container_platform_4.0.51
|
— | |
|
Red Hat Enterprise Linux
Red Hat
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Jenkins Jenkins
Jenkins
|
cpe:/a:cloudbees:jenkins:-
|
— |
In Jenkins existieren mehrere Schwachstellen. Die Fehler sind in den folgenden Plugins vorhanden: Application Detector Plugin, Autocomplete Parameter Plugin, Blue Ocean Plugin, Git Plugin, GitLab Plugin, Global Variable String Parameter Plugin, JDK Parameter Plugin, Mercurial Plugin, Multiselect parameter Plugin, Pipeline SCM API for Blue Ocean Plugin, Pipeline: Groovy Plugin, Promoted Builds (Simple) Plugin, Random String Parameter Plugin, REPO Plugin, Rundeck Plugin, Script Security Plugin, Selection tasks Plugin, SSH Plugin, Storable Configs Plugin, vboxwrapper Plugin und das WMI Windows Agents Plugin. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsmaßnahmen zu umgehen, beliebigen Code auszuführen, einen Cross-Site-Scripting-Angriff durchzuführen, vertrauliche Informationen offenzulegen und Daten zu manipulieren. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion.
Affected products
Known affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat OpenShift container platform 4.0.51
Red Hat
|
cpe:/a:redhat:openshift:container_platform_4.0.51
|
— | |
|
Red Hat Enterprise Linux
Red Hat
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Jenkins Jenkins
Jenkins
|
cpe:/a:cloudbees:jenkins:-
|
— |
In Jenkins existieren mehrere Schwachstellen. Die Fehler sind in den folgenden Plugins vorhanden: Application Detector Plugin, Autocomplete Parameter Plugin, Blue Ocean Plugin, Git Plugin, GitLab Plugin, Global Variable String Parameter Plugin, JDK Parameter Plugin, Mercurial Plugin, Multiselect parameter Plugin, Pipeline SCM API for Blue Ocean Plugin, Pipeline: Groovy Plugin, Promoted Builds (Simple) Plugin, Random String Parameter Plugin, REPO Plugin, Rundeck Plugin, Script Security Plugin, Selection tasks Plugin, SSH Plugin, Storable Configs Plugin, vboxwrapper Plugin und das WMI Windows Agents Plugin. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsmaßnahmen zu umgehen, beliebigen Code auszuführen, einen Cross-Site-Scripting-Angriff durchzuführen, vertrauliche Informationen offenzulegen und Daten zu manipulieren. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion.
Affected products
Known affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat OpenShift container platform 4.0.51
Red Hat
|
cpe:/a:redhat:openshift:container_platform_4.0.51
|
— | |
|
Red Hat Enterprise Linux
Red Hat
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Jenkins Jenkins
Jenkins
|
cpe:/a:cloudbees:jenkins:-
|
— |
In Jenkins existieren mehrere Schwachstellen. Die Fehler sind in den folgenden Plugins vorhanden: Application Detector Plugin, Autocomplete Parameter Plugin, Blue Ocean Plugin, Git Plugin, GitLab Plugin, Global Variable String Parameter Plugin, JDK Parameter Plugin, Mercurial Plugin, Multiselect parameter Plugin, Pipeline SCM API for Blue Ocean Plugin, Pipeline: Groovy Plugin, Promoted Builds (Simple) Plugin, Random String Parameter Plugin, REPO Plugin, Rundeck Plugin, Script Security Plugin, Selection tasks Plugin, SSH Plugin, Storable Configs Plugin, vboxwrapper Plugin und das WMI Windows Agents Plugin. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsmaßnahmen zu umgehen, beliebigen Code auszuführen, einen Cross-Site-Scripting-Angriff durchzuführen, vertrauliche Informationen offenzulegen und Daten zu manipulieren. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion.
Affected products
Known affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat OpenShift container platform 4.0.51
Red Hat
|
cpe:/a:redhat:openshift:container_platform_4.0.51
|
— | |
|
Red Hat Enterprise Linux
Red Hat
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Jenkins Jenkins
Jenkins
|
cpe:/a:cloudbees:jenkins:-
|
— |
In Jenkins existieren mehrere Schwachstellen. Die Fehler sind in den folgenden Plugins vorhanden: Application Detector Plugin, Autocomplete Parameter Plugin, Blue Ocean Plugin, Git Plugin, GitLab Plugin, Global Variable String Parameter Plugin, JDK Parameter Plugin, Mercurial Plugin, Multiselect parameter Plugin, Pipeline SCM API for Blue Ocean Plugin, Pipeline: Groovy Plugin, Promoted Builds (Simple) Plugin, Random String Parameter Plugin, REPO Plugin, Rundeck Plugin, Script Security Plugin, Selection tasks Plugin, SSH Plugin, Storable Configs Plugin, vboxwrapper Plugin und das WMI Windows Agents Plugin. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsmaßnahmen zu umgehen, beliebigen Code auszuführen, einen Cross-Site-Scripting-Angriff durchzuführen, vertrauliche Informationen offenzulegen und Daten zu manipulieren. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion.
Affected products
Known affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat OpenShift container platform 4.0.51
Red Hat
|
cpe:/a:redhat:openshift:container_platform_4.0.51
|
— | |
|
Red Hat Enterprise Linux
Red Hat
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
Jenkins Jenkins
Jenkins
|
cpe:/a:cloudbees:jenkins:-
|
— |
References
10 references
{
"document": {
"aggregate_severity": {
"text": "mittel"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Jenkins ist ein erweiterbarer, webbasierter Integration Server zur kontinuierlichen Unterst\u00fctzung bei Softwareentwicklungen aller Art.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in Jenkins ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, beliebigen Code auszuf\u00fchren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, vertrauliche Informationen offenzulegen und Daten zu manipulieren.",
"title": "Angriff"
},
{
"category": "general",
"text": "- UNIX\n- Linux\n- Windows\n- Sonstiges",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2023-0090 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2022/wid-sec-w-2023-0090.json"
},
{
"category": "self",
"summary": "WID-SEC-2023-0090 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-0090"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2023:3622 vom 2023-06-15",
"url": "https://access.redhat.com/errata/RHSA-2023:3622"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2023:3610 vom 2023-06-15",
"url": "https://access.redhat.com/errata/RHSA-2023:3610"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2023:3198 vom 2023-05-18",
"url": "https://access.redhat.com/errata/RHSA-2023:3198"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2023:1064 vom 2023-03-06",
"url": "https://access.redhat.com/errata/RHSA-2023:1064"
},
{
"category": "external",
"summary": "Jenkins Security Advisory vom 2022-05-17",
"url": "https://www.jenkins.io/security/advisory/2022-05-17/"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2023:0017 vom 2023-01-12",
"url": "https://access.redhat.com/errata/RHSA-2023:0017"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2023:0560 vom 2023-02-08",
"url": "https://access.redhat.com/errata/RHSA-2023:0560"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2023:0777 vom 2023-02-23",
"url": "https://access.redhat.com/errata/RHSA-2023:0777"
}
],
"source_lang": "en-US",
"title": "Jenkins: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2023-06-15T22:00:00.000+00:00",
"generator": {
"date": "2024-08-15T17:41:24.160+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.3.5"
}
},
"id": "WID-SEC-W-2023-0090",
"initial_release_date": "2022-05-17T22:00:00.000+00:00",
"revision_history": [
{
"date": "2022-05-17T22:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2023-01-12T23:00:00.000+00:00",
"number": "2",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2023-02-08T23:00:00.000+00:00",
"number": "3",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2023-02-22T23:00:00.000+00:00",
"number": "4",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2023-03-06T23:00:00.000+00:00",
"number": "5",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2023-05-18T22:00:00.000+00:00",
"number": "6",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2023-06-14T22:00:00.000+00:00",
"number": "7",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2023-06-15T22:00:00.000+00:00",
"number": "8",
"summary": "Neue Updates von Red Hat aufgenommen"
}
],
"status": "final",
"version": "8"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Jenkins Jenkins",
"product": {
"name": "Jenkins Jenkins",
"product_id": "T002196",
"product_identification_helper": {
"cpe": "cpe:/a:cloudbees:jenkins:-"
}
}
}
],
"category": "vendor",
"name": "Jenkins"
},
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux",
"product": {
"name": "Red Hat Enterprise Linux",
"product_id": "67646",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:-"
}
}
},
{
"category": "product_name",
"name": "Red Hat OpenShift container platform 4.0.51",
"product": {
"name": "Red Hat OpenShift container platform 4.0.51",
"product_id": "T026183",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift:container_platform_4.0.51"
}
}
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2017-2601",
"notes": [
{
"category": "description",
"text": "In Jenkins existieren mehrere Schwachstellen. Die Fehler sind in den folgenden Plugins vorhanden: Application Detector Plugin, Autocomplete Parameter Plugin, Blue Ocean Plugin, Git Plugin, GitLab Plugin, Global Variable String Parameter Plugin, JDK Parameter Plugin, Mercurial Plugin, Multiselect parameter Plugin, Pipeline SCM API for Blue Ocean Plugin, Pipeline: Groovy Plugin, Promoted Builds (Simple) Plugin, Random String Parameter Plugin, REPO Plugin, Rundeck Plugin, Script Security Plugin, Selection tasks Plugin, SSH Plugin, Storable Configs Plugin, vboxwrapper Plugin und das WMI Windows Agents Plugin. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, beliebigen Code auszuf\u00fchren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, vertrauliche Informationen offenzulegen und Daten zu manipulieren. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion."
}
],
"product_status": {
"known_affected": [
"T026183",
"67646",
"T002196"
]
},
"release_date": "2022-05-17T22:00:00.000+00:00",
"title": "CVE-2017-2601"
},
{
"cve": "CVE-2022-30945",
"notes": [
{
"category": "description",
"text": "In Jenkins existieren mehrere Schwachstellen. Die Fehler sind in den folgenden Plugins vorhanden: Application Detector Plugin, Autocomplete Parameter Plugin, Blue Ocean Plugin, Git Plugin, GitLab Plugin, Global Variable String Parameter Plugin, JDK Parameter Plugin, Mercurial Plugin, Multiselect parameter Plugin, Pipeline SCM API for Blue Ocean Plugin, Pipeline: Groovy Plugin, Promoted Builds (Simple) Plugin, Random String Parameter Plugin, REPO Plugin, Rundeck Plugin, Script Security Plugin, Selection tasks Plugin, SSH Plugin, Storable Configs Plugin, vboxwrapper Plugin und das WMI Windows Agents Plugin. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, beliebigen Code auszuf\u00fchren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, vertrauliche Informationen offenzulegen und Daten zu manipulieren. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion."
}
],
"product_status": {
"known_affected": [
"T026183",
"67646",
"T002196"
]
},
"release_date": "2022-05-17T22:00:00.000+00:00",
"title": "CVE-2022-30945"
},
{
"cve": "CVE-2022-30946",
"notes": [
{
"category": "description",
"text": "In Jenkins existieren mehrere Schwachstellen. Die Fehler sind in den folgenden Plugins vorhanden: Application Detector Plugin, Autocomplete Parameter Plugin, Blue Ocean Plugin, Git Plugin, GitLab Plugin, Global Variable String Parameter Plugin, JDK Parameter Plugin, Mercurial Plugin, Multiselect parameter Plugin, Pipeline SCM API for Blue Ocean Plugin, Pipeline: Groovy Plugin, Promoted Builds (Simple) Plugin, Random String Parameter Plugin, REPO Plugin, Rundeck Plugin, Script Security Plugin, Selection tasks Plugin, SSH Plugin, Storable Configs Plugin, vboxwrapper Plugin und das WMI Windows Agents Plugin. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, beliebigen Code auszuf\u00fchren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, vertrauliche Informationen offenzulegen und Daten zu manipulieren. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion."
}
],
"product_status": {
"known_affected": [
"T026183",
"67646",
"T002196"
]
},
"release_date": "2022-05-17T22:00:00.000+00:00",
"title": "CVE-2022-30946"
},
{
"cve": "CVE-2022-30947",
"notes": [
{
"category": "description",
"text": "In Jenkins existieren mehrere Schwachstellen. Die Fehler sind in den folgenden Plugins vorhanden: Application Detector Plugin, Autocomplete Parameter Plugin, Blue Ocean Plugin, Git Plugin, GitLab Plugin, Global Variable String Parameter Plugin, JDK Parameter Plugin, Mercurial Plugin, Multiselect parameter Plugin, Pipeline SCM API for Blue Ocean Plugin, Pipeline: Groovy Plugin, Promoted Builds (Simple) Plugin, Random String Parameter Plugin, REPO Plugin, Rundeck Plugin, Script Security Plugin, Selection tasks Plugin, SSH Plugin, Storable Configs Plugin, vboxwrapper Plugin und das WMI Windows Agents Plugin. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, beliebigen Code auszuf\u00fchren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, vertrauliche Informationen offenzulegen und Daten zu manipulieren. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion."
}
],
"product_status": {
"known_affected": [
"T026183",
"67646",
"T002196"
]
},
"release_date": "2022-05-17T22:00:00.000+00:00",
"title": "CVE-2022-30947"
},
{
"cve": "CVE-2022-30948",
"notes": [
{
"category": "description",
"text": "In Jenkins existieren mehrere Schwachstellen. Die Fehler sind in den folgenden Plugins vorhanden: Application Detector Plugin, Autocomplete Parameter Plugin, Blue Ocean Plugin, Git Plugin, GitLab Plugin, Global Variable String Parameter Plugin, JDK Parameter Plugin, Mercurial Plugin, Multiselect parameter Plugin, Pipeline SCM API for Blue Ocean Plugin, Pipeline: Groovy Plugin, Promoted Builds (Simple) Plugin, Random String Parameter Plugin, REPO Plugin, Rundeck Plugin, Script Security Plugin, Selection tasks Plugin, SSH Plugin, Storable Configs Plugin, vboxwrapper Plugin und das WMI Windows Agents Plugin. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, beliebigen Code auszuf\u00fchren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, vertrauliche Informationen offenzulegen und Daten zu manipulieren. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion."
}
],
"product_status": {
"known_affected": [
"T026183",
"67646",
"T002196"
]
},
"release_date": "2022-05-17T22:00:00.000+00:00",
"title": "CVE-2022-30948"
},
{
"cve": "CVE-2022-30949",
"notes": [
{
"category": "description",
"text": "In Jenkins existieren mehrere Schwachstellen. Die Fehler sind in den folgenden Plugins vorhanden: Application Detector Plugin, Autocomplete Parameter Plugin, Blue Ocean Plugin, Git Plugin, GitLab Plugin, Global Variable String Parameter Plugin, JDK Parameter Plugin, Mercurial Plugin, Multiselect parameter Plugin, Pipeline SCM API for Blue Ocean Plugin, Pipeline: Groovy Plugin, Promoted Builds (Simple) Plugin, Random String Parameter Plugin, REPO Plugin, Rundeck Plugin, Script Security Plugin, Selection tasks Plugin, SSH Plugin, Storable Configs Plugin, vboxwrapper Plugin und das WMI Windows Agents Plugin. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, beliebigen Code auszuf\u00fchren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, vertrauliche Informationen offenzulegen und Daten zu manipulieren. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion."
}
],
"product_status": {
"known_affected": [
"T026183",
"67646",
"T002196"
]
},
"release_date": "2022-05-17T22:00:00.000+00:00",
"title": "CVE-2022-30949"
},
{
"cve": "CVE-2022-30950",
"notes": [
{
"category": "description",
"text": "In Jenkins existieren mehrere Schwachstellen. Die Fehler sind in den folgenden Plugins vorhanden: Application Detector Plugin, Autocomplete Parameter Plugin, Blue Ocean Plugin, Git Plugin, GitLab Plugin, Global Variable String Parameter Plugin, JDK Parameter Plugin, Mercurial Plugin, Multiselect parameter Plugin, Pipeline SCM API for Blue Ocean Plugin, Pipeline: Groovy Plugin, Promoted Builds (Simple) Plugin, Random String Parameter Plugin, REPO Plugin, Rundeck Plugin, Script Security Plugin, Selection tasks Plugin, SSH Plugin, Storable Configs Plugin, vboxwrapper Plugin und das WMI Windows Agents Plugin. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, beliebigen Code auszuf\u00fchren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, vertrauliche Informationen offenzulegen und Daten zu manipulieren. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion."
}
],
"product_status": {
"known_affected": [
"T026183",
"67646",
"T002196"
]
},
"release_date": "2022-05-17T22:00:00.000+00:00",
"title": "CVE-2022-30950"
},
{
"cve": "CVE-2022-30951",
"notes": [
{
"category": "description",
"text": "In Jenkins existieren mehrere Schwachstellen. Die Fehler sind in den folgenden Plugins vorhanden: Application Detector Plugin, Autocomplete Parameter Plugin, Blue Ocean Plugin, Git Plugin, GitLab Plugin, Global Variable String Parameter Plugin, JDK Parameter Plugin, Mercurial Plugin, Multiselect parameter Plugin, Pipeline SCM API for Blue Ocean Plugin, Pipeline: Groovy Plugin, Promoted Builds (Simple) Plugin, Random String Parameter Plugin, REPO Plugin, Rundeck Plugin, Script Security Plugin, Selection tasks Plugin, SSH Plugin, Storable Configs Plugin, vboxwrapper Plugin und das WMI Windows Agents Plugin. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, beliebigen Code auszuf\u00fchren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, vertrauliche Informationen offenzulegen und Daten zu manipulieren. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion."
}
],
"product_status": {
"known_affected": [
"T026183",
"67646",
"T002196"
]
},
"release_date": "2022-05-17T22:00:00.000+00:00",
"title": "CVE-2022-30951"
},
{
"cve": "CVE-2022-30952",
"notes": [
{
"category": "description",
"text": "In Jenkins existieren mehrere Schwachstellen. Die Fehler sind in den folgenden Plugins vorhanden: Application Detector Plugin, Autocomplete Parameter Plugin, Blue Ocean Plugin, Git Plugin, GitLab Plugin, Global Variable String Parameter Plugin, JDK Parameter Plugin, Mercurial Plugin, Multiselect parameter Plugin, Pipeline SCM API for Blue Ocean Plugin, Pipeline: Groovy Plugin, Promoted Builds (Simple) Plugin, Random String Parameter Plugin, REPO Plugin, Rundeck Plugin, Script Security Plugin, Selection tasks Plugin, SSH Plugin, Storable Configs Plugin, vboxwrapper Plugin und das WMI Windows Agents Plugin. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, beliebigen Code auszuf\u00fchren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, vertrauliche Informationen offenzulegen und Daten zu manipulieren. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion."
}
],
"product_status": {
"known_affected": [
"T026183",
"67646",
"T002196"
]
},
"release_date": "2022-05-17T22:00:00.000+00:00",
"title": "CVE-2022-30952"
},
{
"cve": "CVE-2022-30953",
"notes": [
{
"category": "description",
"text": "In Jenkins existieren mehrere Schwachstellen. Die Fehler sind in den folgenden Plugins vorhanden: Application Detector Plugin, Autocomplete Parameter Plugin, Blue Ocean Plugin, Git Plugin, GitLab Plugin, Global Variable String Parameter Plugin, JDK Parameter Plugin, Mercurial Plugin, Multiselect parameter Plugin, Pipeline SCM API for Blue Ocean Plugin, Pipeline: Groovy Plugin, Promoted Builds (Simple) Plugin, Random String Parameter Plugin, REPO Plugin, Rundeck Plugin, Script Security Plugin, Selection tasks Plugin, SSH Plugin, Storable Configs Plugin, vboxwrapper Plugin und das WMI Windows Agents Plugin. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, beliebigen Code auszuf\u00fchren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, vertrauliche Informationen offenzulegen und Daten zu manipulieren. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion."
}
],
"product_status": {
"known_affected": [
"T026183",
"67646",
"T002196"
]
},
"release_date": "2022-05-17T22:00:00.000+00:00",
"title": "CVE-2022-30953"
},
{
"cve": "CVE-2022-30954",
"notes": [
{
"category": "description",
"text": "In Jenkins existieren mehrere Schwachstellen. Die Fehler sind in den folgenden Plugins vorhanden: Application Detector Plugin, Autocomplete Parameter Plugin, Blue Ocean Plugin, Git Plugin, GitLab Plugin, Global Variable String Parameter Plugin, JDK Parameter Plugin, Mercurial Plugin, Multiselect parameter Plugin, Pipeline SCM API for Blue Ocean Plugin, Pipeline: Groovy Plugin, Promoted Builds (Simple) Plugin, Random String Parameter Plugin, REPO Plugin, Rundeck Plugin, Script Security Plugin, Selection tasks Plugin, SSH Plugin, Storable Configs Plugin, vboxwrapper Plugin und das WMI Windows Agents Plugin. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, beliebigen Code auszuf\u00fchren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, vertrauliche Informationen offenzulegen und Daten zu manipulieren. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion."
}
],
"product_status": {
"known_affected": [
"T026183",
"67646",
"T002196"
]
},
"release_date": "2022-05-17T22:00:00.000+00:00",
"title": "CVE-2022-30954"
},
{
"cve": "CVE-2022-30955",
"notes": [
{
"category": "description",
"text": "In Jenkins existieren mehrere Schwachstellen. Die Fehler sind in den folgenden Plugins vorhanden: Application Detector Plugin, Autocomplete Parameter Plugin, Blue Ocean Plugin, Git Plugin, GitLab Plugin, Global Variable String Parameter Plugin, JDK Parameter Plugin, Mercurial Plugin, Multiselect parameter Plugin, Pipeline SCM API for Blue Ocean Plugin, Pipeline: Groovy Plugin, Promoted Builds (Simple) Plugin, Random String Parameter Plugin, REPO Plugin, Rundeck Plugin, Script Security Plugin, Selection tasks Plugin, SSH Plugin, Storable Configs Plugin, vboxwrapper Plugin und das WMI Windows Agents Plugin. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, beliebigen Code auszuf\u00fchren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, vertrauliche Informationen offenzulegen und Daten zu manipulieren. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion."
}
],
"product_status": {
"known_affected": [
"T026183",
"67646",
"T002196"
]
},
"release_date": "2022-05-17T22:00:00.000+00:00",
"title": "CVE-2022-30955"
},
{
"cve": "CVE-2022-30956",
"notes": [
{
"category": "description",
"text": "In Jenkins existieren mehrere Schwachstellen. Die Fehler sind in den folgenden Plugins vorhanden: Application Detector Plugin, Autocomplete Parameter Plugin, Blue Ocean Plugin, Git Plugin, GitLab Plugin, Global Variable String Parameter Plugin, JDK Parameter Plugin, Mercurial Plugin, Multiselect parameter Plugin, Pipeline SCM API for Blue Ocean Plugin, Pipeline: Groovy Plugin, Promoted Builds (Simple) Plugin, Random String Parameter Plugin, REPO Plugin, Rundeck Plugin, Script Security Plugin, Selection tasks Plugin, SSH Plugin, Storable Configs Plugin, vboxwrapper Plugin und das WMI Windows Agents Plugin. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, beliebigen Code auszuf\u00fchren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, vertrauliche Informationen offenzulegen und Daten zu manipulieren. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion."
}
],
"product_status": {
"known_affected": [
"T026183",
"67646",
"T002196"
]
},
"release_date": "2022-05-17T22:00:00.000+00:00",
"title": "CVE-2022-30956"
},
{
"cve": "CVE-2022-30957",
"notes": [
{
"category": "description",
"text": "In Jenkins existieren mehrere Schwachstellen. Die Fehler sind in den folgenden Plugins vorhanden: Application Detector Plugin, Autocomplete Parameter Plugin, Blue Ocean Plugin, Git Plugin, GitLab Plugin, Global Variable String Parameter Plugin, JDK Parameter Plugin, Mercurial Plugin, Multiselect parameter Plugin, Pipeline SCM API for Blue Ocean Plugin, Pipeline: Groovy Plugin, Promoted Builds (Simple) Plugin, Random String Parameter Plugin, REPO Plugin, Rundeck Plugin, Script Security Plugin, Selection tasks Plugin, SSH Plugin, Storable Configs Plugin, vboxwrapper Plugin und das WMI Windows Agents Plugin. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, beliebigen Code auszuf\u00fchren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, vertrauliche Informationen offenzulegen und Daten zu manipulieren. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion."
}
],
"product_status": {
"known_affected": [
"T026183",
"67646",
"T002196"
]
},
"release_date": "2022-05-17T22:00:00.000+00:00",
"title": "CVE-2022-30957"
},
{
"cve": "CVE-2022-30958",
"notes": [
{
"category": "description",
"text": "In Jenkins existieren mehrere Schwachstellen. Die Fehler sind in den folgenden Plugins vorhanden: Application Detector Plugin, Autocomplete Parameter Plugin, Blue Ocean Plugin, Git Plugin, GitLab Plugin, Global Variable String Parameter Plugin, JDK Parameter Plugin, Mercurial Plugin, Multiselect parameter Plugin, Pipeline SCM API for Blue Ocean Plugin, Pipeline: Groovy Plugin, Promoted Builds (Simple) Plugin, Random String Parameter Plugin, REPO Plugin, Rundeck Plugin, Script Security Plugin, Selection tasks Plugin, SSH Plugin, Storable Configs Plugin, vboxwrapper Plugin und das WMI Windows Agents Plugin. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, beliebigen Code auszuf\u00fchren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, vertrauliche Informationen offenzulegen und Daten zu manipulieren. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion."
}
],
"product_status": {
"known_affected": [
"T026183",
"67646",
"T002196"
]
},
"release_date": "2022-05-17T22:00:00.000+00:00",
"title": "CVE-2022-30958"
},
{
"cve": "CVE-2022-30959",
"notes": [
{
"category": "description",
"text": "In Jenkins existieren mehrere Schwachstellen. Die Fehler sind in den folgenden Plugins vorhanden: Application Detector Plugin, Autocomplete Parameter Plugin, Blue Ocean Plugin, Git Plugin, GitLab Plugin, Global Variable String Parameter Plugin, JDK Parameter Plugin, Mercurial Plugin, Multiselect parameter Plugin, Pipeline SCM API for Blue Ocean Plugin, Pipeline: Groovy Plugin, Promoted Builds (Simple) Plugin, Random String Parameter Plugin, REPO Plugin, Rundeck Plugin, Script Security Plugin, Selection tasks Plugin, SSH Plugin, Storable Configs Plugin, vboxwrapper Plugin und das WMI Windows Agents Plugin. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, beliebigen Code auszuf\u00fchren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, vertrauliche Informationen offenzulegen und Daten zu manipulieren. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion."
}
],
"product_status": {
"known_affected": [
"T026183",
"67646",
"T002196"
]
},
"release_date": "2022-05-17T22:00:00.000+00:00",
"title": "CVE-2022-30959"
},
{
"cve": "CVE-2022-30960",
"notes": [
{
"category": "description",
"text": "In Jenkins existieren mehrere Schwachstellen. Die Fehler sind in den folgenden Plugins vorhanden: Application Detector Plugin, Autocomplete Parameter Plugin, Blue Ocean Plugin, Git Plugin, GitLab Plugin, Global Variable String Parameter Plugin, JDK Parameter Plugin, Mercurial Plugin, Multiselect parameter Plugin, Pipeline SCM API for Blue Ocean Plugin, Pipeline: Groovy Plugin, Promoted Builds (Simple) Plugin, Random String Parameter Plugin, REPO Plugin, Rundeck Plugin, Script Security Plugin, Selection tasks Plugin, SSH Plugin, Storable Configs Plugin, vboxwrapper Plugin und das WMI Windows Agents Plugin. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, beliebigen Code auszuf\u00fchren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, vertrauliche Informationen offenzulegen und Daten zu manipulieren. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion."
}
],
"product_status": {
"known_affected": [
"T026183",
"67646",
"T002196"
]
},
"release_date": "2022-05-17T22:00:00.000+00:00",
"title": "CVE-2022-30960"
},
{
"cve": "CVE-2022-30961",
"notes": [
{
"category": "description",
"text": "In Jenkins existieren mehrere Schwachstellen. Die Fehler sind in den folgenden Plugins vorhanden: Application Detector Plugin, Autocomplete Parameter Plugin, Blue Ocean Plugin, Git Plugin, GitLab Plugin, Global Variable String Parameter Plugin, JDK Parameter Plugin, Mercurial Plugin, Multiselect parameter Plugin, Pipeline SCM API for Blue Ocean Plugin, Pipeline: Groovy Plugin, Promoted Builds (Simple) Plugin, Random String Parameter Plugin, REPO Plugin, Rundeck Plugin, Script Security Plugin, Selection tasks Plugin, SSH Plugin, Storable Configs Plugin, vboxwrapper Plugin und das WMI Windows Agents Plugin. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, beliebigen Code auszuf\u00fchren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, vertrauliche Informationen offenzulegen und Daten zu manipulieren. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion."
}
],
"product_status": {
"known_affected": [
"T026183",
"67646",
"T002196"
]
},
"release_date": "2022-05-17T22:00:00.000+00:00",
"title": "CVE-2022-30961"
},
{
"cve": "CVE-2022-30962",
"notes": [
{
"category": "description",
"text": "In Jenkins existieren mehrere Schwachstellen. Die Fehler sind in den folgenden Plugins vorhanden: Application Detector Plugin, Autocomplete Parameter Plugin, Blue Ocean Plugin, Git Plugin, GitLab Plugin, Global Variable String Parameter Plugin, JDK Parameter Plugin, Mercurial Plugin, Multiselect parameter Plugin, Pipeline SCM API for Blue Ocean Plugin, Pipeline: Groovy Plugin, Promoted Builds (Simple) Plugin, Random String Parameter Plugin, REPO Plugin, Rundeck Plugin, Script Security Plugin, Selection tasks Plugin, SSH Plugin, Storable Configs Plugin, vboxwrapper Plugin und das WMI Windows Agents Plugin. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, beliebigen Code auszuf\u00fchren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, vertrauliche Informationen offenzulegen und Daten zu manipulieren. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion."
}
],
"product_status": {
"known_affected": [
"T026183",
"67646",
"T002196"
]
},
"release_date": "2022-05-17T22:00:00.000+00:00",
"title": "CVE-2022-30962"
},
{
"cve": "CVE-2022-30963",
"notes": [
{
"category": "description",
"text": "In Jenkins existieren mehrere Schwachstellen. Die Fehler sind in den folgenden Plugins vorhanden: Application Detector Plugin, Autocomplete Parameter Plugin, Blue Ocean Plugin, Git Plugin, GitLab Plugin, Global Variable String Parameter Plugin, JDK Parameter Plugin, Mercurial Plugin, Multiselect parameter Plugin, Pipeline SCM API for Blue Ocean Plugin, Pipeline: Groovy Plugin, Promoted Builds (Simple) Plugin, Random String Parameter Plugin, REPO Plugin, Rundeck Plugin, Script Security Plugin, Selection tasks Plugin, SSH Plugin, Storable Configs Plugin, vboxwrapper Plugin und das WMI Windows Agents Plugin. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, beliebigen Code auszuf\u00fchren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, vertrauliche Informationen offenzulegen und Daten zu manipulieren. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion."
}
],
"product_status": {
"known_affected": [
"T026183",
"67646",
"T002196"
]
},
"release_date": "2022-05-17T22:00:00.000+00:00",
"title": "CVE-2022-30963"
},
{
"cve": "CVE-2022-30964",
"notes": [
{
"category": "description",
"text": "In Jenkins existieren mehrere Schwachstellen. Die Fehler sind in den folgenden Plugins vorhanden: Application Detector Plugin, Autocomplete Parameter Plugin, Blue Ocean Plugin, Git Plugin, GitLab Plugin, Global Variable String Parameter Plugin, JDK Parameter Plugin, Mercurial Plugin, Multiselect parameter Plugin, Pipeline SCM API for Blue Ocean Plugin, Pipeline: Groovy Plugin, Promoted Builds (Simple) Plugin, Random String Parameter Plugin, REPO Plugin, Rundeck Plugin, Script Security Plugin, Selection tasks Plugin, SSH Plugin, Storable Configs Plugin, vboxwrapper Plugin und das WMI Windows Agents Plugin. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, beliebigen Code auszuf\u00fchren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, vertrauliche Informationen offenzulegen und Daten zu manipulieren. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion."
}
],
"product_status": {
"known_affected": [
"T026183",
"67646",
"T002196"
]
},
"release_date": "2022-05-17T22:00:00.000+00:00",
"title": "CVE-2022-30964"
},
{
"cve": "CVE-2022-30965",
"notes": [
{
"category": "description",
"text": "In Jenkins existieren mehrere Schwachstellen. Die Fehler sind in den folgenden Plugins vorhanden: Application Detector Plugin, Autocomplete Parameter Plugin, Blue Ocean Plugin, Git Plugin, GitLab Plugin, Global Variable String Parameter Plugin, JDK Parameter Plugin, Mercurial Plugin, Multiselect parameter Plugin, Pipeline SCM API for Blue Ocean Plugin, Pipeline: Groovy Plugin, Promoted Builds (Simple) Plugin, Random String Parameter Plugin, REPO Plugin, Rundeck Plugin, Script Security Plugin, Selection tasks Plugin, SSH Plugin, Storable Configs Plugin, vboxwrapper Plugin und das WMI Windows Agents Plugin. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, beliebigen Code auszuf\u00fchren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, vertrauliche Informationen offenzulegen und Daten zu manipulieren. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion."
}
],
"product_status": {
"known_affected": [
"T026183",
"67646",
"T002196"
]
},
"release_date": "2022-05-17T22:00:00.000+00:00",
"title": "CVE-2022-30965"
},
{
"cve": "CVE-2022-30966",
"notes": [
{
"category": "description",
"text": "In Jenkins existieren mehrere Schwachstellen. Die Fehler sind in den folgenden Plugins vorhanden: Application Detector Plugin, Autocomplete Parameter Plugin, Blue Ocean Plugin, Git Plugin, GitLab Plugin, Global Variable String Parameter Plugin, JDK Parameter Plugin, Mercurial Plugin, Multiselect parameter Plugin, Pipeline SCM API for Blue Ocean Plugin, Pipeline: Groovy Plugin, Promoted Builds (Simple) Plugin, Random String Parameter Plugin, REPO Plugin, Rundeck Plugin, Script Security Plugin, Selection tasks Plugin, SSH Plugin, Storable Configs Plugin, vboxwrapper Plugin und das WMI Windows Agents Plugin. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, beliebigen Code auszuf\u00fchren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, vertrauliche Informationen offenzulegen und Daten zu manipulieren. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion."
}
],
"product_status": {
"known_affected": [
"T026183",
"67646",
"T002196"
]
},
"release_date": "2022-05-17T22:00:00.000+00:00",
"title": "CVE-2022-30966"
},
{
"cve": "CVE-2022-30967",
"notes": [
{
"category": "description",
"text": "In Jenkins existieren mehrere Schwachstellen. Die Fehler sind in den folgenden Plugins vorhanden: Application Detector Plugin, Autocomplete Parameter Plugin, Blue Ocean Plugin, Git Plugin, GitLab Plugin, Global Variable String Parameter Plugin, JDK Parameter Plugin, Mercurial Plugin, Multiselect parameter Plugin, Pipeline SCM API for Blue Ocean Plugin, Pipeline: Groovy Plugin, Promoted Builds (Simple) Plugin, Random String Parameter Plugin, REPO Plugin, Rundeck Plugin, Script Security Plugin, Selection tasks Plugin, SSH Plugin, Storable Configs Plugin, vboxwrapper Plugin und das WMI Windows Agents Plugin. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, beliebigen Code auszuf\u00fchren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, vertrauliche Informationen offenzulegen und Daten zu manipulieren. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion."
}
],
"product_status": {
"known_affected": [
"T026183",
"67646",
"T002196"
]
},
"release_date": "2022-05-17T22:00:00.000+00:00",
"title": "CVE-2022-30967"
},
{
"cve": "CVE-2022-30968",
"notes": [
{
"category": "description",
"text": "In Jenkins existieren mehrere Schwachstellen. Die Fehler sind in den folgenden Plugins vorhanden: Application Detector Plugin, Autocomplete Parameter Plugin, Blue Ocean Plugin, Git Plugin, GitLab Plugin, Global Variable String Parameter Plugin, JDK Parameter Plugin, Mercurial Plugin, Multiselect parameter Plugin, Pipeline SCM API for Blue Ocean Plugin, Pipeline: Groovy Plugin, Promoted Builds (Simple) Plugin, Random String Parameter Plugin, REPO Plugin, Rundeck Plugin, Script Security Plugin, Selection tasks Plugin, SSH Plugin, Storable Configs Plugin, vboxwrapper Plugin und das WMI Windows Agents Plugin. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, beliebigen Code auszuf\u00fchren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, vertrauliche Informationen offenzulegen und Daten zu manipulieren. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion."
}
],
"product_status": {
"known_affected": [
"T026183",
"67646",
"T002196"
]
},
"release_date": "2022-05-17T22:00:00.000+00:00",
"title": "CVE-2022-30968"
},
{
"cve": "CVE-2022-30969",
"notes": [
{
"category": "description",
"text": "In Jenkins existieren mehrere Schwachstellen. Die Fehler sind in den folgenden Plugins vorhanden: Application Detector Plugin, Autocomplete Parameter Plugin, Blue Ocean Plugin, Git Plugin, GitLab Plugin, Global Variable String Parameter Plugin, JDK Parameter Plugin, Mercurial Plugin, Multiselect parameter Plugin, Pipeline SCM API for Blue Ocean Plugin, Pipeline: Groovy Plugin, Promoted Builds (Simple) Plugin, Random String Parameter Plugin, REPO Plugin, Rundeck Plugin, Script Security Plugin, Selection tasks Plugin, SSH Plugin, Storable Configs Plugin, vboxwrapper Plugin und das WMI Windows Agents Plugin. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, beliebigen Code auszuf\u00fchren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, vertrauliche Informationen offenzulegen und Daten zu manipulieren. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion."
}
],
"product_status": {
"known_affected": [
"T026183",
"67646",
"T002196"
]
},
"release_date": "2022-05-17T22:00:00.000+00:00",
"title": "CVE-2022-30969"
},
{
"cve": "CVE-2022-30970",
"notes": [
{
"category": "description",
"text": "In Jenkins existieren mehrere Schwachstellen. Die Fehler sind in den folgenden Plugins vorhanden: Application Detector Plugin, Autocomplete Parameter Plugin, Blue Ocean Plugin, Git Plugin, GitLab Plugin, Global Variable String Parameter Plugin, JDK Parameter Plugin, Mercurial Plugin, Multiselect parameter Plugin, Pipeline SCM API for Blue Ocean Plugin, Pipeline: Groovy Plugin, Promoted Builds (Simple) Plugin, Random String Parameter Plugin, REPO Plugin, Rundeck Plugin, Script Security Plugin, Selection tasks Plugin, SSH Plugin, Storable Configs Plugin, vboxwrapper Plugin und das WMI Windows Agents Plugin. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, beliebigen Code auszuf\u00fchren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, vertrauliche Informationen offenzulegen und Daten zu manipulieren. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion."
}
],
"product_status": {
"known_affected": [
"T026183",
"67646",
"T002196"
]
},
"release_date": "2022-05-17T22:00:00.000+00:00",
"title": "CVE-2022-30970"
},
{
"cve": "CVE-2022-30971",
"notes": [
{
"category": "description",
"text": "In Jenkins existieren mehrere Schwachstellen. Die Fehler sind in den folgenden Plugins vorhanden: Application Detector Plugin, Autocomplete Parameter Plugin, Blue Ocean Plugin, Git Plugin, GitLab Plugin, Global Variable String Parameter Plugin, JDK Parameter Plugin, Mercurial Plugin, Multiselect parameter Plugin, Pipeline SCM API for Blue Ocean Plugin, Pipeline: Groovy Plugin, Promoted Builds (Simple) Plugin, Random String Parameter Plugin, REPO Plugin, Rundeck Plugin, Script Security Plugin, Selection tasks Plugin, SSH Plugin, Storable Configs Plugin, vboxwrapper Plugin und das WMI Windows Agents Plugin. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, beliebigen Code auszuf\u00fchren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, vertrauliche Informationen offenzulegen und Daten zu manipulieren. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion."
}
],
"product_status": {
"known_affected": [
"T026183",
"67646",
"T002196"
]
},
"release_date": "2022-05-17T22:00:00.000+00:00",
"title": "CVE-2022-30971"
},
{
"cve": "CVE-2022-30972",
"notes": [
{
"category": "description",
"text": "In Jenkins existieren mehrere Schwachstellen. Die Fehler sind in den folgenden Plugins vorhanden: Application Detector Plugin, Autocomplete Parameter Plugin, Blue Ocean Plugin, Git Plugin, GitLab Plugin, Global Variable String Parameter Plugin, JDK Parameter Plugin, Mercurial Plugin, Multiselect parameter Plugin, Pipeline SCM API for Blue Ocean Plugin, Pipeline: Groovy Plugin, Promoted Builds (Simple) Plugin, Random String Parameter Plugin, REPO Plugin, Rundeck Plugin, Script Security Plugin, Selection tasks Plugin, SSH Plugin, Storable Configs Plugin, vboxwrapper Plugin und das WMI Windows Agents Plugin. Ein entfernter anonymer oder authentisierter Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, beliebigen Code auszuf\u00fchren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, vertrauliche Informationen offenzulegen und Daten zu manipulieren. Die erfolgreiche Ausnutzung einiger dieser Schwachstellen erfordert eine Benutzerinteraktion."
}
],
"product_status": {
"known_affected": [
"T026183",
"67646",
"T002196"
]
},
"release_date": "2022-05-17T22:00:00.000+00:00",
"title": "CVE-2022-30972"
}
]
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…