CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
99.8%
Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron.
Security Fix(es):
apache-commons-text: variable interpolation RCE (CVE-2022-42889)
google-oauth-client: missing PKCE support in accordance with the RFC for OAuth 2.0 for Native Apps can lead to improper authorization (CVE-2020-7692)
maven: Block repositories using http by default (CVE-2021-26291)
snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)
maven-shared-utils: Command injection via Commandline class (CVE-2022-29599)
jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script Security Plugin (CVE-2023-24422)
jenkins: Arbitrary file read vulnerability through the CLI can lead to RCE (CVE-2024-23897)
jenkins: cross-site WebSocket hijacking (CVE-2024-23898)
golang: go/parser: stack exhaustion in all Parse* functions (CVE-2022-1962)
guava: insecure temporary directory creation (CVE-2023-2976)
springframework: Spring Expression DoS Vulnerability (CVE-2023-20861)
spring-security: Empty SecurityContext Is Not Properly Saved Upon Logout (CVE-2023-20862)
jenkins-2-plugins/JUnit: Stored XSS vulnerability in JUnit Plugin (CVE-2023-25761)
jenkins-2-plugins/pipeline-build-step: Stored XSS vulnerability in Pipeline: Build Step Plugin (CVE-2023-25762)
jetty-server: OutOfMemoryError for large multipart without filename read via request.getParameter() (CVE-2023-26048)
jetty-server: Cookie parsing of quoted values can exfiltrate values from other cookies (CVE-2023-26049)
Jenkins: Open redirect vulnerability in OpenShift Login Plugin (CVE-2023-37947)
jetty: Improper validation of HTTP/1 content-length (CVE-2023-40167)
jenkins-plugins: cloudbees-folder: CSRF vulnerability in Folders Plugin (CVE-2023-40337)
jenkins-plugins: cloudbees-folder: Information disclosure in Folders Plugin (CVE-2023-40338)
jenkins-plugins: config-file-provider: Improper masking of credentials in Config File Provider Plugin (CVE-2023-40339)
jenkins-plugins: blueocean: CSRF vulnerability in Blue Ocean Plugin allows capturing credentials (CVE-2023-40341)
Jenkins: Temporary file parameter created with insecure permissions (CVE-2023-27903)
Jenkins: Information disclosure through error stack traces related to agents (CVE-2023-27904)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
RedHat | 8 | noarch | jenkins-2-plugins | < 4.12.1706515741-1.el8 | jenkins-2-plugins-4.12.1706515741-1.el8.noarch.rpm |
RedHat | 8 | noarch | jenkins | < 2.426.3.1706515686-3.el8 | jenkins-2.426.3.1706515686-3.el8.noarch.rpm |
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
99.8%