(RHSA-2023:0560) Critical: OpenShift Container Platform 4.10.51 security update

Red Hat OpenShift Container Platform is Red Hat’s cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

Security Fix(es):

• jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins
  Script Security Plugin (CVE-2022-43401)
• jenkins-plugin/workflow-cps: Sandbox bypass vulnerabilities in Pipeline:
  Groovy Plugin (CVE-2022-43402)
• jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins
  Script Security Plugin (CVE-2022-43403)
• jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins
  Script Security Plugin (CVE-2022-43404)
• jenkins-plugin/pipeline-groovy-lib: Sandbox bypass vulnerability in
  Pipeline: Groovy Libraries Plugin (CVE-2022-43405)
• jenkins-plugin/workflow-cps-global-lib: Sandbox bypass vulnerability in
  Pipeline: Deprecated Groovy Libraries Plugin (CVE-2022-43406)
• google-oauth-client: missing PKCE support in accordance with the RFC for
  OAuth 2.0 for Native Apps can lead to improper authorization
  (CVE-2020-7692)
• snakeyaml: Denial of Service due to missing nested depth limitation for
  collections (CVE-2022-25857)
• jenkins-plugin/pipeline-input-step: CSRF protection for any URL can be
  bypassed in Pipeline: Input Step Plugin (CVE-2022-43407)
• mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)
• jenkins-plugin/script-security: Whole-script approval in Script Security
  Plugin vulnerable to SHA-1 collisions (CVE-2022-45379)
• jenkins-plugin/JUnit: Stored XSS vulnerability in JUnit Plugin
  (CVE-2022-45380)
• jenkins-plugin/pipeline-utility-steps: Arbitrary file read vulnerability
  in Pipeline Utility Steps Plugin (CVE-2022-45381)
• Jenkins plugin: CSRF vulnerability in Script Security Plugin
  (CVE-2022-30946)
• Jenkins plugin: User-scoped credentials exposed to other users by
  Pipeline SCM API for Blue Ocean Plugin (CVE-2022-30952)
• Jenkins plugin: CSRF vulnerability in Blue Ocean Plugin (CVE-2022-30953)
• Jenkins plugin: missing permission checks in Blue Ocean Plugin
  (CVE-2022-30954)
• jenkins-plugin: Cross-site Request Forgery (CSRF) in
  org.jenkins-ci.plugins:git (CVE-2022-36882)
• jenkins plugin: Lack of authentication mechanism in Git Plugin webhook
  (CVE-2022-36883)
• jenkins plugin: Lack of authentication mechanism in Git Plugin webhook
  (CVE-2022-36884)
• jenkins plugin: Non-constant time webhook signature comparison in GitHub
  Plugin (CVE-2022-36885)
• jenkins-plugin/pipeline-stage-view: CSRF protection for any URL can be
  bypassed in Pipeline: Stage View Plugin (CVE-2022-43408)
• jenkins-plugin/workflow-support: Stored XSS vulnerability in Pipeline:
  Supporting APIs Plugin (CVE-2022-43409)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.