(RHSA-2024:3635) Important: Red Hat Product OCP Tools 4.12 Openshift Jenkins security update

Jenkins is a continuous integration server that monitors the execution of recurring jobs, such as software builds or cron jobs.

Security fixes:

• jenkins-2-plugins: Git-server plugin has an arbitrary file read vulnerability (CVE-2024-23899)

• jenkins-plugin/script-security: Sandbox bypass occurs via crafted constructor bodies (CVE-2024-34144)

• jenkins-plugin/script-security: Sandbox bypass occurs via sandbox-defined classes (CVE-2024-34145)

• jenkins-2-plugins: HTML Publisher plugin has improper input sanitization (CVE-2024-28149)

• Jetty: Stops accepting new connections from valid clients (CVE-2024-22201)

• SSH: Prefix truncation attack on Binary Packet Protocol (BPP) (CVE-2023-48795)

• golang-protobuf: Unmarshaling certain forms of invalid JSON in the protojson.Unmarshal function causes an infinite loop in the encoding/protojson and internal/encoding/json packages of Golang-protobuf (CVE-2024-24786)

• jenkins-2-plugins: Matrix-project plugin has a path traversal vulnerability (CVE-2024-23900)

For more details about these security issues, including their impact, CVSS scores, acknowledgments, and other related information, refer to the CVE page listed in the References section.