Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
redhatRedHatRHSA-2024:0776
HistoryFeb 12, 2024 - 10:18 a.m.

(RHSA-2024:0776) Important: jenkins and jenkins-2-plugins security update

2024-02-1210:18:15
access.redhat.com
17
continuous integration server
security fix
rce
denial of service
command injection
session fixation
arbitrary file read
cross-site websocket hijacking
stored xss
cve-2022
cve-2021
cve-2023
cve-2024
apache commons text
maven
snakeyaml
jenkins-2-plugins
script security plugin
openshift login plugin
junit plugin
pipeline build step plugin
unix

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

AI Score

Confidence

High

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.972 High

EPSS

Percentile

99.8%

JSON

Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron.

Security Fix(es):

  • apache-commons-text: variable interpolation RCE (CVE-2022-42889)

  • maven: Block repositories using http by default (CVE-2021-26291)

  • snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)

  • maven-shared-utils: Command injection via Commandline class (CVE-2022-29599)

  • jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script Security Plugin (CVE-2023-24422)

  • Jenkins: Session fixation vulnerability in OpenShift Login Plugin (CVE-2023-37946)

  • jenkins: Arbitrary file read vulnerability through the CLI can lead to RCE (CVE-2024-23897)

  • jenkins: cross-site WebSocket hijacking (CVE-2024-23898)

  • jenkins-2-plugins/JUnit: Stored XSS vulnerability in JUnit Plugin (CVE-2023-25761)

  • jenkins-2-plugins/pipeline-build-step: Stored XSS vulnerability in Pipeline: Build Step Plugin (CVE-2023-25762)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Related

redhat 19
nessus 33
freebsd 1
prion 8
osv 25
alpinelinux 5
github 8
cve 9
veracode 6
redhatcve 8
hivepro 1
githubexploit 22
metasploit 1
zdt 1
packetstorm 2
cgr 1
trendmicroblog 1
wolfi 1
cbl_mariner 2
ubuntu 3
openvas 8
exploitdb 1
ubuntucve 3
debiancve 2
mageia 1
oraclelinux 4
rocky 3
ibm 9
f5 2
almalinux 3
cnvd 1
debian 3
fedora 1
amazon 1
redhat
redhat
(RHSA-2024:0775) Important: jenkins and jenkins-2-plugins security update
2024-02-12 10:17:47
(RHSA-2023:7288) Important: Red Hat Product OCP Tools 4.14 Openshift Jenkins security update
2023-11-15 19:19:21
(RHSA-2023:6179) Critical: Red Hat Product OCP Tools 4.13 OpenShift Jenkins security update
2023-10-30 12:31:19
nessus
nessus
RHEL 8 : Red Hat Product OCP Tools 4.14 Openshift Jenkins (RHSA-2023:7288)
2024-04-23 00:00:00
Jenkins LTS < 2.426.3 / Jenkins weekly < 2.442 Multiple Vulnerabilities
2024-01-24 00:00:00
FreeBSD : jenkins -- multiple vulnerabilities (8b03d274-56ca-489e-821a-cf32f07643f0)
2024-01-25 00:00:00
freebsd
freebsd
jenkins -- multiple vulnerabilities
2024-01-24 00:00:00
prion
prion
Cross site scripting
2024-01-24 18:15:00
Code injection
2023-07-12 16:15:00
Design/Logic Flaw
2024-01-24 18:15:00
osv
osv
CVE-2024-23898
2024-01-24 18:15:09
Jenkins OpenShift Login Plugin session fixation vulnerability
2023-07-12 18:30:38
Cross-site WebSocket hijacking vulnerability in the Jenkins CLI
2024-01-24 18:31:02
alpinelinux
alpinelinux
CVE-2024-23898
2024-01-24 18:15:09
CVE-2024-23897
2024-01-24 18:15:09
CVE-2023-25761
2023-02-15 14:15:13
github
github
Cross-site WebSocket hijacking vulnerability in the Jenkins CLI
2024-01-24 18:31:02
Arbitrary file read vulnerability through the Jenkins CLI can lead to RCE
2024-01-24 18:31:02
Jenkins OpenShift Login Plugin session fixation vulnerability
2023-07-12 18:30:38
cve
cve
CVE-2024-23898
2024-01-24 18:15:09
CVE-2023-37946
2023-07-12 16:15:13
CVE-2024-23897
2024-01-24 18:15:09
veracode
veracode
Cross-Site WebSocket Hijacking (CSWSH)
2024-01-31 07:28:49
Arbitrary File Read
2024-01-31 06:55:39
Insecure TLS Configuration
2021-07-22 04:32:45
redhatcve
redhatcve
CVE-2024-23898
2024-01-25 20:22:19
CVE-2023-37946
2023-07-17 17:11:51
CVE-2024-23897
2024-01-25 20:21:50
hivepro
hivepro
Critical Remote Code Execution Flaws Uncovered in Jenkins
2024-02-01 06:56:33
githubexploit
githubexploit
Exploit for Vulnerability in Jenkins
2024-02-26 03:07:28
Exploit for Vulnerability in Jenkins
2024-02-19 02:29:12
Exploit for Vulnerability in Jenkins
2024-01-29 04:41:53
metasploit
metasploit
Jenkins cli Ampersand Replacement Arbitrary File Read
2024-01-30 22:12:10
zdt
zdt
Jenkins 2.441 / LTS 2.426.3 Arbitrary File Read Exploit
2024-01-29 00:00:00
packetstorm
packetstorm
Jenkins 2.441 / LTS 2.426.3 Arbitrary File Read
2024-01-29 00:00:00
Jenkins 2.441 Local File Inclusion
2024-04-15 00:00:00
cgr
cgr
CVE-2024-23897 vulnerabilities
2024-04-27 03:20:18
trendmicroblog
trendmicroblog
Jenkins Args4j CVE-2024-23897: Files Exposed, Code at Risk
2024-03-19 00:00:00
wolfi
wolfi
CVE-2024-23897 vulnerabilities
2024-04-27 03:16:47
cbl_mariner
cbl_mariner
CVE-2023-25761 affecting package junit 4.13-5
2024-04-26 21:08:25
CVE-2021-26291 affecting package maven 3.5.4-13
2021-05-10 04:20:34
ubuntu
ubuntu
Apache Maven vulnerability
2023-01-16 00:00:00
Apache Maven vulnerability
2022-08-18 00:00:00
Apache Maven Shared Utils vulnerability
2024-04-11 00:00:00
openvas
openvas
Mageia: Security Advisory (MGASA-2023-0230)
2023-07-20 00:00:00
Ubuntu: Security Advisory (USN-5805-1)
2023-01-17 00:00:00
Ubuntu: Security Advisory (USN-5245-1)
2023-01-27 00:00:00
exploitdb
exploitdb
Jenkins 2.441 - Local File Inclusion
2024-04-15 00:00:00
ubuntucve
ubuntucve
CVE-2021-26291
2021-04-23 00:00:00
CVE-2022-29599
2022-05-23 00:00:00
CVE-2022-25857
2022-08-30 00:00:00
debiancve
debiancve
CVE-2021-26291
2021-04-23 15:15:00
CVE-2022-29599
2022-05-23 11:16:00
mageia
mageia
Updated maven packages fix security vulnerability
2023-07-19 22:53:31
oraclelinux
oraclelinux
maven-shared-utils security update
2022-04-29 00:00:00
prometheus-jmx-exporter security update
2022-10-06 00:00:00
maven:3.5 security update
2022-06-01 00:00:00
rocky
rocky
prometheus-jmx-exporter security update
2022-10-06 07:13:19
maven:3.5 security update
2022-05-30 11:39:15
maven:3.6 security update
2022-05-30 11:39:17
ibm
ibm
Security Bulletin: IBM MQ Blockchain bridge is vulnerable to an issue identified in snakeyaml (CVE-2022-25857)
2023-02-03 19:33:13
Security Bulletin: IBM App Connect Enterprise Certified Container IntegrationServer operands that process yaml files may be vulnerable to denial of service due to CVE-2022-25857
2022-11-04 16:41:10
Security Bulletin: Vulnerability in Apache Commons Text affects IBM Process Mining . CVE-2022-42889
2023-02-09 10:06:06
f5
f5
K97399672 : Apache Maven vulnerability CVE-2022-29599
2022-06-02 00:00:00
K24823443 : Apache Commons Text vulnerability CVE-2022-42889
2022-10-19 00:00:00
almalinux
almalinux
Moderate: prometheus-jmx-exporter security update
2022-10-06 00:00:00
Important: maven:3.5 security update
2022-05-30 11:39:15
Important: maven:3.6 security update
2022-05-30 11:39:17
cnvd
cnvd
Apache Maven Command Injection Vulnerability
2022-04-28 00:00:00
debian
debian
[SECURITY] [DLA 3059-1] maven-shared-utils security update
2022-06-29 10:49:00
[SECURITY] [DSA 5242-1] maven-shared-utils security update
2022-09-28 13:04:18
[SECURITY] [DLA 3086-1] maven-shared-utils security update
2022-08-29 12:49:12
fedora
fedora
[SECURITY] Fedora 34 Update: maven-shared-utils-3.2.1-0.9.fc34
2022-05-08 02:04:08
amazon
amazon
Critical: maven-shared-utils
2022-05-04 01:01:00

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

AI Score

Confidence

High

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.972 High

EPSS

Percentile

99.8%

JSON
Related for RHSA-2024:0776
redhat19nessus33freebsd1prion8osv25alpinelinux5github8cve9veracode6redhatcve8hivepro1githubexploit22metasploit1zdt1packetstorm2cgr1trendmicroblog1wolfi1cbl_mariner2ubuntu3openvas8exploitdb1ubuntucve3debiancve2mageia1oraclelinux4rocky3ibm9f52almalinux3cnvd1debian3fedora1amazon1