Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
redhatRedHatRHSA-2023:3610
HistoryJun 15, 2023 - 12:10 a.m.

(RHSA-2023:3610) Important: jenkins and jenkins-2-plugins security update

2023-06-1500:10:54
access.redhat.com
13

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.023 Low

EPSS

Percentile

89.5%

JSON

Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron.

Security Fix(es):

  • maven-shared-utils: Command injection via Commandline class (CVE-2022-29599)

  • json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)

  • springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern (CVE-2023-20860)

  • jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script Security Plugin (CVE-2023-24422)

  • jenkins-2-plugin: workflow-job: Stored XSS vulnerability in Pipeline: Job Plugin (CVE-2023-32977)

  • jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode (CVE-2021-46877)

  • Jenkins plugin: CSRF vulnerability in Blue Ocean Plugin (CVE-2022-30953)

  • Jenkins plugin: missing permission checks in Blue Ocean Plugin (CVE-2022-30954)

  • jettison: parser crash by stackoverflow (CVE-2022-40149)

  • net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding (CVE-2022-41723)

  • jettison: If the value in map is the map’s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos (CVE-2022-45693)

  • springframework: Spring Expression DoS Vulnerability (CVE-2023-20861)

  • jenkins-2-plugin: pipeline-utility-steps: Arbitrary file write vulnerability on agents in Pipeline Utility Steps Plugin (CVE-2023-32981)

  • jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Related

redhat 8
osv 34
openvas 11
ubuntu 1
debian 4
ibm 23
nessus 26
spring 1
redhatcve 12
amazon 2
veracode 11
cve 12
alpinelinux 2
prion 12
github 13
ubuntucve 6
debiancve 5
atlassian 6
f5 2
broadcom 1
githubexploit 1
oraclelinux 1
cnvd 1
almalinux 2
rocky 1
fedora 1
redhat
redhat
(RHSA-2023:3622) Important: jenkins and jenkins-2-plugins security update
2023-06-15 08:57:39
(RHSA-2023:3771) Important: Red Hat Virtualization security and bug fix update
2023-06-21 19:50:23
(RHSA-2023:3625) Important: OpenShift Container Platform 4.10.62 security update
2023-06-23 17:32:40
osv
osv
libjettison-java vulnerabilities
2023-06-19 11:39:43
libjettison-java - security update
2023-01-10 00:00:00
libjettison-java - security update
2022-12-31 00:00:00
openvas
openvas
Debian: Security Advisory (DSA-5312-1)
2023-01-12 00:00:00
Ubuntu: Security Advisory (USN-6177-1)
2023-06-20 00:00:00
VMware Spring Framework 5.3.x < 5.3.26, 6.0.x < 6.0.7 Security Bypass Vulnerability - Windows
2023-03-21 00:00:00
ubuntu
ubuntu
Jettison vulnerabilities
2023-06-19 00:00:00
debian
debian
[SECURITY] [DSA 5312-1] libjettison-java security update
2023-01-10 23:10:35
[SECURITY] [DLA 3259-1] libjettison-java security update
2022-12-31 17:25:15
[SECURITY] [DLA 3184-1] libjettison-java security update
2022-11-10 11:04:03
ibm
ibm
Security Bulletin: IBM Operational Decision Manager April 2023 - Multiple CVEs
2023-05-22 09:01:51
Security Bulletin: Vulnerability in Jettison affects IBM Process Mining . Multiple CVEs
2024-01-05 16:45:03
Security Bulletin: IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to VMware Tanzu Spring Framework security bypass and denial of service vulnerabilities [CVE-2023-20860, CVE-2023-20861]
2023-07-06 18:07:00
nessus
nessus
Ubuntu 16.04 ESM / 18.04 ESM / 20.04 LTS / 22.04 LTS : Jettison vulnerabilities (USN-6177-1)
2023-06-19 00:00:00
Debian DSA-5312-1 : libjettison-java - security update
2023-01-11 00:00:00
RHEL 8 : Red Hat Virtualization (RHSA-2023:3771)
2023-06-22 00:00:00
spring
spring
This Week in Spring - March 21st, 2023
2023-03-21 00:00:00
redhatcve
redhatcve
CVE-2023-20861
2023-03-24 13:07:29
CVE-2023-20860
2023-03-24 13:07:33
CVE-2023-32977
2023-05-17 04:58:01
amazon
amazon
Important: jettison
2023-06-07 23:52:00
Medium: jettison
2023-11-29 22:20:00
veracode
veracode
Cross-site Scripting (XSS)
2023-05-28 14:43:44
Security Bypass
2023-03-30 02:11:25
Arbitrary File Write
2023-05-30 12:42:15
cve
cve
CVE-2023-32977
2023-05-16 16:15:10
CVE-2023-32981
2023-05-16 16:15:10
CVE-2023-20861
2023-03-23 21:15:19
alpinelinux
alpinelinux
CVE-2023-32977
2023-05-16 16:15:10
CVE-2023-24422
2023-01-26 21:18:16
prion
prion
Cross site scripting
2023-05-16 16:15:00
Arbitrary file deletion
2023-05-16 16:15:00
Security feature bypass
2023-01-26 21:18:00
github
github
Jenkins Pipeline: Job Plugin vulnerable to stored Cross-site Scripting
2023-05-16 18:30:16
Jenkins Pipeline Utility Steps Plugin arbitrary file write vulnerability
2023-05-16 18:30:16
Sandbox bypass in Jenkins Script Security Plugin
2023-01-26 21:30:19
ubuntucve
ubuntucve
CVE-2023-20861
2023-03-23 00:00:00
CVE-2023-20860
2023-03-27 00:00:00
CVE-2022-45693
2022-12-13 00:00:00
debiancve
debiancve
CVE-2023-20860
2023-03-27 22:15:21
CVE-2022-40150
2022-09-16 10:15:00
CVE-2022-40149
2022-09-16 10:15:00
atlassian
atlassian
DoS (Denial of Service) org.codehaus.jettison:jettison Dependency in Jira Software Data Center and Server
2024-02-14 10:47:01
DoS (Denial of Service) org.codehaus.jettison:jettison Dependency in Jira Software Data Center and Server
2024-02-14 10:46:54
Upgrade spring-core for CVE-2023-20860
2023-05-17 06:46:56
f5
f5
K000134681 : Spring Framework vulnerability CVE-2023-20861
2023-05-19 00:00:00
K000134500 : Spring Framework vulnerability CVE-2023-20860
2023-05-08 00:00:00
broadcom
broadcom
Spring Expression DoS Vulnerability (CVE-2023-20861)
2024-04-16 00:00:00
githubexploit
githubexploit
Exploit for Vulnerability in Vmware Spring Framework
2023-03-24 07:23:52
oraclelinux
oraclelinux
maven-shared-utils security update
2022-04-29 00:00:00
cnvd
cnvd
Apache Maven Command Injection Vulnerability
2022-04-28 00:00:00
almalinux
almalinux
Important: maven:3.5 security update
2022-05-30 11:39:15
Important: maven:3.6 security update
2022-05-30 11:39:17
rocky
rocky
maven:3.5 security update
2022-05-30 11:39:15
fedora
fedora
[SECURITY] Fedora 34 Update: maven-shared-utils-3.2.1-0.9.fc34
2022-05-08 02:04:08

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.023 Low

EPSS

Percentile

89.5%

JSON
Related for RHSA-2023:3610
redhat8osv34openvas11ubuntu1debian4ibm23nessus26spring1redhatcve12amazon2veracode11cve12alpinelinux2prion12github13ubuntucve6debiancve5atlassian6f52broadcom1githubexploit1oraclelinux1cnvd1almalinux2rocky1fedora1