CVSS3: 9.9 High (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | LOW |
User Interaction | NONE |
Scope | CHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |

CVSS2: 7.5 High (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Metric | Value |
---|---|
Access Vector | NETWORK |
Access Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | PARTIAL |
Availability Impact | PARTIAL |

EPSS: 0.005 Low (Percentile 76.0%)
Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron.
Security Fix(es):
- jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin (CVE-2022-43401)
- jenkins-plugin/workflow-cps: Sandbox bypass vulnerabilities in Pipeline: Groovy Plugin (CVE-2022-43402)
- jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin (CVE-2022-43403)
- jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin (CVE-2022-43404)
- jenkins-plugin/pipeline-groovy-lib: Sandbox bypass vulnerability in Pipeline: Groovy Libraries Plugin (CVE-2022-43405)
- jenkins-plugin/workflow-cps-global-lib: Sandbox bypass vulnerability in Pipeline: Deprecated Groovy Libraries Plugin (CVE-2022-43406)
- Pipeline Shared Groovy Libraries: Untrusted users can modify some Pipeline libraries in Pipeline Shared Groovy Libraries Plugin (CVE-2022-29047)
- jenkins-plugin/pipeline-input-step: CSRF protection for any URL can be bypassed in Pipeline: Input Step Plugin (CVE-2022-43407)
- mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)
- Jenkins plugin: User-scoped credentials exposed to other users by Pipeline SCM API for Blue Ocean Plugin (CVE-2022-30952)
- jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)
- jackson-databind: use of deeply nested arrays (CVE-2022-42004)
- jenkins-plugin/pipeline-stage-view: CSRF protection for any URL can be bypassed in Pipeline: Stage View Plugin (CVE-2022-43408)
- jenkins-plugin/workflow-support: Stored XSS vulnerability in Pipeline: Supporting APIs Plugin (CVE-2022-43409)
- jenkins-plugin/mercurial: Webhook endpoint discloses job names to unauthorized users in Mercurial Plugin (CVE-2022-43410)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
OS | OS Version | Architecture | Package | Affected Package Version | Fixed Package File |
---|---|---|---|---|---|
RedHat | 8 | noarch | jenkins | < 2.361.4.1675702346-3.el8 | jenkins-2.361.4.1675702346-3.el8.noarch.rpm |
RedHat | 8 | noarch | jenkins-2-plugins | < 4.12.1675702407-1.el8 | jenkins-2-plugins-4.12.1675702407-1.el8.noarch.rpm |