(RHSA-2023:3195) Important: jenkins and jenkins-2-plugins security update

2023-05-1716:15:17

access.redhat.com

jenkins

security update

rce

xss

cve

continuous integration

server

vulnerability

apache

common-text

script security plugin

junit plugin

pipeline-build-step

information disclosure

error stack traces

unix

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.972

Percentile

99.8%

JSON

Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron.

Security Fix(es):

apache-commons-text: variable interpolation RCE (CVE-2022-42889)
jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script Security Plugin (CVE-2023-24422)
jenkins-2-plugins/JUnit: Stored XSS vulnerability in JUnit Plugin (CVE-2023-25761)
jenkins-2-plugins/pipeline-build-step: Stored XSS vulnerability in Pipeline: Build Step Plugin (CVE-2023-25762)
Jenkins: Temporary file parameter created with insecure permissions (CVE-2023-27903)
Jenkins: Information disclosure through error stack traces related to agents (CVE-2023-27904)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

OSVersionArchitecturePackageVersionFilename
RedHat8noarchjenkins-2-plugins< 4.12.1683009955-1.el8jenkins-2-plugins-4.12.1683009955-1.el8.noarch.rpm
RedHat8noarchjenkins< 2.387.1.1683009767-3.el8jenkins-2.387.1.1683009767-3.el8.noarch.rpm

OS	Version	Architecture	Package	Version	Filename
RedHat	8	noarch	jenkins-2-plugins	< 4.12.1683009955-1.el8	jenkins-2-plugins-4.12.1683009955-1.el8.noarch.rpm
RedHat	8	noarch	jenkins	< 2.387.1.1683009767-3.el8	jenkins-2.387.1.1683009767-3.el8.noarch.rpm