rhsa-2023_0560
Vulnerability from csaf_redhat
Published
2023-02-08 18:41
Modified
2024-12-16 16:06
Summary
Red Hat Security Advisory: OpenShift Container Platform 4.10.51 security update
Notes
Topic
Red Hat OpenShift Container Platform release 4.10.51 is now available with updates to packages and images that fix several bugs and add enhancements.
Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.
Security Fix(es):
* jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins
Script Security Plugin (CVE-2022-43401)
* jenkins-plugin/workflow-cps: Sandbox bypass vulnerabilities in Pipeline:
Groovy Plugin (CVE-2022-43402)
* jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins
Script Security Plugin (CVE-2022-43403)
* jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins
Script Security Plugin (CVE-2022-43404)
* jenkins-plugin/pipeline-groovy-lib: Sandbox bypass vulnerability in
Pipeline: Groovy Libraries Plugin (CVE-2022-43405)
* jenkins-plugin/workflow-cps-global-lib: Sandbox bypass vulnerability in
Pipeline: Deprecated Groovy Libraries Plugin (CVE-2022-43406)
* google-oauth-client: missing PKCE support in accordance with the RFC for
OAuth 2.0 for Native Apps can lead to improper authorization
(CVE-2020-7692)
* snakeyaml: Denial of Service due to missing nested depth limitation for
collections (CVE-2022-25857)
* jenkins-plugin/pipeline-input-step: CSRF protection for any URL can be
bypassed in Pipeline: Input Step Plugin (CVE-2022-43407)
* mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)
* jenkins-plugin/script-security: Whole-script approval in Script Security
Plugin vulnerable to SHA-1 collisions (CVE-2022-45379)
* jenkins-plugin/JUnit: Stored XSS vulnerability in JUnit Plugin
(CVE-2022-45380)
* jenkins-plugin/pipeline-utility-steps: Arbitrary file read vulnerability
in Pipeline Utility Steps Plugin (CVE-2022-45381)
* Jenkins plugin: CSRF vulnerability in Script Security Plugin
(CVE-2022-30946)
* Jenkins plugin: User-scoped credentials exposed to other users by
Pipeline SCM API for Blue Ocean Plugin (CVE-2022-30952)
* Jenkins plugin: CSRF vulnerability in Blue Ocean Plugin (CVE-2022-30953)
* Jenkins plugin: missing permission checks in Blue Ocean Plugin
(CVE-2022-30954)
* jenkins-plugin: Cross-site Request Forgery (CSRF) in
org.jenkins-ci.plugins:git (CVE-2022-36882)
* jenkins plugin: Lack of authentication mechanism in Git Plugin webhook
(CVE-2022-36883)
* jenkins plugin: Lack of authentication mechanism in Git Plugin webhook
(CVE-2022-36884)
* jenkins plugin: Non-constant time webhook signature comparison in GitHub
Plugin (CVE-2022-36885)
* jenkins-plugin/pipeline-stage-view: CSRF protection for any URL can be
bypassed in Pipeline: Stage View Plugin (CVE-2022-43408)
* jenkins-plugin/workflow-support: Stored XSS vulnerability in Pipeline:
Supporting APIs Plugin (CVE-2022-43409)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Critical" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Red Hat OpenShift Container Platform release 4.10.51 is now available with updates to packages and images that fix several bugs and add enhancements.\n\nRed Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat OpenShift Container Platform is Red Hat\u0027s cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.\n\nSecurity Fix(es):\n\n* jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins\nScript Security Plugin (CVE-2022-43401)\n* jenkins-plugin/workflow-cps: Sandbox bypass vulnerabilities in Pipeline:\nGroovy Plugin (CVE-2022-43402)\n* jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins\nScript Security Plugin (CVE-2022-43403)\n* jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins\nScript Security Plugin (CVE-2022-43404)\n* jenkins-plugin/pipeline-groovy-lib: Sandbox bypass vulnerability in\nPipeline: Groovy Libraries Plugin (CVE-2022-43405)\n* jenkins-plugin/workflow-cps-global-lib: Sandbox bypass vulnerability in\nPipeline: Deprecated Groovy Libraries Plugin (CVE-2022-43406)\n* google-oauth-client: missing PKCE support in accordance with the RFC for\nOAuth 2.0 for Native Apps can lead to improper authorization\n(CVE-2020-7692)\n* snakeyaml: Denial of Service due to missing nested depth limitation for\ncollections (CVE-2022-25857)\n* jenkins-plugin/pipeline-input-step: CSRF protection for any URL can be\nbypassed in Pipeline: Input Step Plugin (CVE-2022-43407)\n* mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)\n* jenkins-plugin/script-security: Whole-script approval in Script Security\nPlugin vulnerable to SHA-1 collisions (CVE-2022-45379)\n* jenkins-plugin/JUnit: Stored XSS vulnerability in JUnit Plugin\n(CVE-2022-45380)\n* jenkins-plugin/pipeline-utility-steps: Arbitrary file read vulnerability\nin Pipeline Utility Steps Plugin (CVE-2022-45381)\n* Jenkins plugin: CSRF vulnerability in Script Security Plugin\n(CVE-2022-30946)\n* Jenkins plugin: User-scoped credentials exposed to other users by\nPipeline SCM API for Blue Ocean Plugin (CVE-2022-30952)\n* Jenkins plugin: CSRF vulnerability in Blue Ocean Plugin (CVE-2022-30953)\n* Jenkins plugin: missing permission checks in Blue Ocean Plugin\n(CVE-2022-30954)\n* jenkins-plugin: Cross-site Request Forgery (CSRF) in\norg.jenkins-ci.plugins:git (CVE-2022-36882)\n* jenkins plugin: Lack of authentication mechanism in Git Plugin webhook\n(CVE-2022-36883)\n* jenkins plugin: Lack of authentication mechanism in Git Plugin webhook\n(CVE-2022-36884)\n* jenkins plugin: Non-constant time webhook signature comparison in GitHub\nPlugin (CVE-2022-36885)\n* jenkins-plugin/pipeline-stage-view: CSRF protection for any URL can be\nbypassed in Pipeline: Stage View Plugin (CVE-2022-43408)\n* jenkins-plugin/workflow-support: Stored XSS vulnerability in Pipeline:\nSupporting APIs Plugin (CVE-2022-43409)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2023:0560", "url": "https://access.redhat.com/errata/RHSA-2023:0560" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#critical", "url": "https://access.redhat.com/security/updates/classification/#critical" }, { "category": "external", "summary": "1856376", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1856376" }, { "category": "external", "summary": "2116840", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2116840" }, { "category": "external", "summary": "2119643", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119643" }, { "category": "external", "summary": "2119645", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119645" }, { "category": "external", "summary": "2119646", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119646" }, { "category": "external", "summary": "2119647", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119647" }, { "category": "external", "summary": "2119656", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119656" }, { "category": "external", "summary": "2119657", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119657" }, { "category": "external", "summary": "2119658", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119658" }, { "category": "external", "summary": "2126789", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2126789" }, { "category": "external", "summary": "2136370", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136370" }, { "category": "external", "summary": "2136374", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136374" }, { "category": "external", "summary": "2136379", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136379" }, { "category": "external", "summary": "2136381", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136381" }, { "category": "external", "summary": "2136382", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136382" }, { "category": "external", "summary": "2136383", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136383" }, { "category": "external", "summary": "2136386", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136386" }, { "category": "external", "summary": "2136388", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136388" }, { "category": "external", "summary": "2136391", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136391" }, { "category": "external", "summary": "2143086", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2143086" }, { "category": "external", "summary": "2143089", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2143089" }, { "category": "external", "summary": "2143090", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2143090" }, { "category": "external", "summary": "2145194", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_0560.json" } ], "title": "Red Hat Security Advisory: OpenShift Container Platform 4.10.51 security update", "tracking": { "current_release_date": "2024-12-16T16:06:28+00:00", "generator": { "date": "2024-12-16T16:06:28+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.3" } }, "id": "RHSA-2023:0560", "initial_release_date": "2023-02-08T18:41:32+00:00", "revision_history": [ { "date": "2023-02-08T18:41:32+00:00", "number": "1", "summary": "Initial version" }, { "date": "2023-02-08T18:41:32+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-12-16T16:06:28+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat OpenShift Container Platform 4.10", "product": { "name": "Red Hat OpenShift Container Platform 4.10", "product_id": "7Server-RH7-RHOSE-4.10", "product_identification_helper": { "cpe": "cpe:/a:redhat:openshift:4.10::el7" } } }, { "category": "product_name", "name": "Red Hat OpenShift Container Platform 4.10", "product": { "name": "Red Hat OpenShift Container Platform 4.10", "product_id": "8Base-RHOSE-4.10", "product_identification_helper": { "cpe": "cpe:/a:redhat:openshift:4.10::el8" } } } ], "category": "product_family", "name": "Red Hat OpenShift Enterprise" }, { "branches": [ { "category": "product_version", "name": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src", "product": { "name": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src", "product_id": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/cri-o@1.23.5-5.rhaos4.10.gitd9dec98.el7?arch=src" } } }, { "category": "product_version", "name": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src", "product": { "name": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src", "product_id": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/cri-o@1.23.5-5.rhaos4.10.gitd9dec98.el8?arch=src" } } }, { "category": "product_version", "name": "jenkins-2-plugins-0:4.10.1675144701-1.el8.src", "product": { "name": "jenkins-2-plugins-0:4.10.1675144701-1.el8.src", "product_id": "jenkins-2-plugins-0:4.10.1675144701-1.el8.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jenkins-2-plugins@4.10.1675144701-1.el8?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "product": { "name": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "product_id": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/cri-o@1.23.5-5.rhaos4.10.gitd9dec98.el7?arch=x86_64" } } }, { "category": "product_version", "name": "cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "product": { "name": "cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "product_id": "cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/cri-o-debuginfo@1.23.5-5.rhaos4.10.gitd9dec98.el7?arch=x86_64" } } }, { "category": "product_version", "name": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "product": { "name": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "product_id": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/cri-o@1.23.5-5.rhaos4.10.gitd9dec98.el8?arch=x86_64" } } }, { "category": "product_version", "name": "cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "product": { "name": "cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "product_id": "cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/cri-o-debugsource@1.23.5-5.rhaos4.10.gitd9dec98.el8?arch=x86_64" } } }, { "category": "product_version", "name": "cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "product": { "name": "cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "product_id": "cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/cri-o-debuginfo@1.23.5-5.rhaos4.10.gitd9dec98.el8?arch=x86_64" } } } ], "category": "architecture", "name": "x86_64" }, { "branches": [ { "category": "product_version", "name": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "product": { "name": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "product_id": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "product_identification_helper": { "purl": "pkg:rpm/redhat/cri-o@1.23.5-5.rhaos4.10.gitd9dec98.el8?arch=aarch64" } } }, { "category": "product_version", "name": "cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "product": { "name": "cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "product_id": "cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "product_identification_helper": { "purl": "pkg:rpm/redhat/cri-o-debugsource@1.23.5-5.rhaos4.10.gitd9dec98.el8?arch=aarch64" } } }, { "category": "product_version", "name": "cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "product": { "name": "cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "product_id": "cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "product_identification_helper": { "purl": "pkg:rpm/redhat/cri-o-debuginfo@1.23.5-5.rhaos4.10.gitd9dec98.el8?arch=aarch64" } } } ], "category": "architecture", "name": "aarch64" }, { "branches": [ { "category": "product_version", "name": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "product": { "name": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "product_id": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/cri-o@1.23.5-5.rhaos4.10.gitd9dec98.el8?arch=ppc64le" } } }, { "category": "product_version", "name": "cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "product": { "name": "cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "product_id": "cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/cri-o-debugsource@1.23.5-5.rhaos4.10.gitd9dec98.el8?arch=ppc64le" } } }, { "category": "product_version", "name": "cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "product": { "name": "cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "product_id": "cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/cri-o-debuginfo@1.23.5-5.rhaos4.10.gitd9dec98.el8?arch=ppc64le" } } } ], "category": "architecture", "name": "ppc64le" }, { "branches": [ { "category": "product_version", "name": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "product": { "name": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "product_id": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "product_identification_helper": { "purl": "pkg:rpm/redhat/cri-o@1.23.5-5.rhaos4.10.gitd9dec98.el8?arch=s390x" } } }, { "category": "product_version", "name": "cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "product": { "name": "cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "product_id": "cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "product_identification_helper": { "purl": "pkg:rpm/redhat/cri-o-debugsource@1.23.5-5.rhaos4.10.gitd9dec98.el8?arch=s390x" } } }, { "category": "product_version", "name": "cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "product": { "name": "cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "product_id": "cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "product_identification_helper": { "purl": "pkg:rpm/redhat/cri-o-debuginfo@1.23.5-5.rhaos4.10.gitd9dec98.el8?arch=s390x" } } } ], "category": "architecture", "name": "s390x" }, { "branches": [ { "category": "product_version", "name": "jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch", "product": { "name": "jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch", "product_id": "jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jenkins-2-plugins@4.10.1675144701-1.el8?arch=noarch" } } } ], "category": "architecture", "name": "noarch" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src as a component of Red Hat OpenShift Container Platform 4.10", "product_id": "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src" }, "product_reference": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src", "relates_to_product_reference": "7Server-RH7-RHOSE-4.10" }, { "category": "default_component_of", "full_product_name": { "name": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64 as a component of Red Hat OpenShift Container Platform 4.10", "product_id": "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64" }, "product_reference": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "relates_to_product_reference": "7Server-RH7-RHOSE-4.10" }, { "category": "default_component_of", "full_product_name": { "name": "cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64 as a component of Red Hat OpenShift Container Platform 4.10", "product_id": "7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64" }, "product_reference": "cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "relates_to_product_reference": "7Server-RH7-RHOSE-4.10" }, { "category": "default_component_of", "full_product_name": { "name": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64 as a component of Red Hat OpenShift Container Platform 4.10", "product_id": "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64" }, "product_reference": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "relates_to_product_reference": "8Base-RHOSE-4.10" }, { "category": "default_component_of", "full_product_name": { "name": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le as a component of Red Hat OpenShift Container Platform 4.10", "product_id": "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le" }, "product_reference": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "relates_to_product_reference": "8Base-RHOSE-4.10" }, { "category": "default_component_of", "full_product_name": { "name": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x as a component of Red Hat OpenShift Container Platform 4.10", "product_id": "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x" }, "product_reference": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "relates_to_product_reference": "8Base-RHOSE-4.10" }, { "category": "default_component_of", "full_product_name": { "name": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src as a component of Red Hat OpenShift Container Platform 4.10", "product_id": "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src" }, "product_reference": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src", "relates_to_product_reference": "8Base-RHOSE-4.10" }, { "category": "default_component_of", "full_product_name": { "name": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64 as a component of Red Hat OpenShift Container Platform 4.10", "product_id": "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64" }, "product_reference": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "relates_to_product_reference": "8Base-RHOSE-4.10" }, { "category": "default_component_of", "full_product_name": { "name": "cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64 as a component of Red Hat OpenShift Container Platform 4.10", "product_id": "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64" }, "product_reference": "cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "relates_to_product_reference": "8Base-RHOSE-4.10" }, { "category": "default_component_of", "full_product_name": { "name": "cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le as a component of Red Hat OpenShift Container Platform 4.10", "product_id": "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le" }, "product_reference": "cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "relates_to_product_reference": "8Base-RHOSE-4.10" }, { "category": "default_component_of", "full_product_name": { "name": "cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x as a component of Red Hat OpenShift Container Platform 4.10", "product_id": "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x" }, "product_reference": "cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "relates_to_product_reference": "8Base-RHOSE-4.10" }, { "category": "default_component_of", "full_product_name": { "name": "cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64 as a component of Red Hat OpenShift Container Platform 4.10", "product_id": "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64" }, "product_reference": "cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "relates_to_product_reference": "8Base-RHOSE-4.10" }, { "category": "default_component_of", "full_product_name": { "name": "cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64 as a component of Red Hat OpenShift Container Platform 4.10", "product_id": "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64" }, "product_reference": "cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "relates_to_product_reference": "8Base-RHOSE-4.10" }, { "category": "default_component_of", "full_product_name": { "name": "cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le as a component of Red Hat OpenShift Container Platform 4.10", "product_id": "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le" }, "product_reference": "cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "relates_to_product_reference": "8Base-RHOSE-4.10" }, { "category": "default_component_of", "full_product_name": { "name": "cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x as a component of Red Hat OpenShift Container Platform 4.10", "product_id": "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x" }, "product_reference": "cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "relates_to_product_reference": "8Base-RHOSE-4.10" }, { "category": "default_component_of", "full_product_name": { "name": "cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64 as a component of Red Hat OpenShift Container Platform 4.10", "product_id": "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64" }, "product_reference": "cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "relates_to_product_reference": "8Base-RHOSE-4.10" }, { "category": "default_component_of", "full_product_name": { "name": "jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch as a component of Red Hat OpenShift Container Platform 4.10", "product_id": "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch" }, "product_reference": "jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch", "relates_to_product_reference": "8Base-RHOSE-4.10" }, { "category": "default_component_of", "full_product_name": { "name": "jenkins-2-plugins-0:4.10.1675144701-1.el8.src as a component of Red Hat OpenShift Container Platform 4.10", "product_id": "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src" }, "product_reference": "jenkins-2-plugins-0:4.10.1675144701-1.el8.src", "relates_to_product_reference": "8Base-RHOSE-4.10" } ] }, "vulnerabilities": [ { "cve": "CVE-2020-7692", "cwe": { "id": "CWE-358", "name": "Improperly Implemented Security Check for Standard" }, "discovery_date": "2020-07-09T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src", "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1856376" } ], "notes": [ { "category": "description", "text": "PKCE support is not implemented in accordance with the RFC for OAuth 2.0 for Native Apps. Without the use of PKCE, the authorization code returned by an authorization server is not enough to guarantee that the client that issued the initial authorization request is the one that will be authorized. An attacker is able to obtain the authorization code using a malicious app on the client-side and use it to gain authorization to the protected resource. This affects the package com.google.oauth-client:google-oauth-client before 1.31.0.", "title": "Vulnerability description" }, { "category": "summary", "text": "google-oauth-client: missing PKCE support in accordance with the RFC for OAuth 2.0 for Native Apps can lead to improper authorization", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src", "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-7692" }, { "category": "external", "summary": "RHBZ#1856376", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1856376" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-7692", "url": "https://www.cve.org/CVERecord?id=CVE-2020-7692" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-7692", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7692" } ], "release_date": "2020-07-03T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-02-08T18:41:32+00:00", "details": "For OpenShift Container Platform 4.10 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html\n\nBefore applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0560" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1" }, "products": [ "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src", "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "google-oauth-client: missing PKCE support in accordance with the RFC for OAuth 2.0 for Native Apps can lead to improper authorization" }, { "cve": "CVE-2022-25857", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2022-09-14T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src", "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2126789" } ], "notes": [ { "category": "description", "text": "A flaw was found in the org.yaml.snakeyaml package. This flaw allows an attacker to cause a denial of service (DoS) due to missing nested depth limitation for collections.", "title": "Vulnerability description" }, { "category": "summary", "text": "snakeyaml: Denial of Service due to missing nested depth limitation for collections", "title": "Vulnerability summary" }, { "category": "other", "text": "For RHEL-8 it\u0027s downgraded to moderate because \"snakeyaml\" itself in RHEL 8 or RHEL-9 isn\u0027t shipped and \"prometheus-jmx-exporter\" is needed as build dependency. And it\u0027s not directly exploitable, hence severity marked as moderate.\nRed Hat Integration and AMQ products are not vulnerable to this flaw, so their severity has been lowered to moderate.\nRed Hat Single Sign-On uses snakeyaml from liquibase-core and is only used when performing migrations and would require administrator privileges to execute, hence severity marked as Low.\nRed Hat Fuse 7 is now in Maintenance Support Phase and details about its fix should be present soon. However, Red Hat Fuse Online (Syndesis) does will not contain the fix for this flaw.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src", "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-25857" }, { "category": "external", "summary": "RHBZ#2126789", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2126789" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-25857", "url": "https://www.cve.org/CVERecord?id=CVE-2022-25857" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-25857", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25857" }, { "category": "external", "summary": "https://bitbucket.org/snakeyaml/snakeyaml/issues/525", "url": "https://bitbucket.org/snakeyaml/snakeyaml/issues/525" } ], "release_date": "2022-08-30T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-02-08T18:41:32+00:00", "details": "For OpenShift Container Platform 4.10 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html\n\nBefore applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0560" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src", "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "snakeyaml: Denial of Service due to missing nested depth limitation for collections" }, { "cve": "CVE-2022-30946", "cwe": { "id": "CWE-352", "name": "Cross-Site Request Forgery (CSRF)" }, "discovery_date": "2022-08-19T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src", "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2119643" } ], "notes": [ { "category": "description", "text": "A cross-site request forgery (CSRF) vulnerability in Jenkins Script Security Plugin 1158.v7c1b_73a_69a_08 and earlier allows attackers to have Jenkins send an HTTP request to an attacker-specified webserver.", "title": "Vulnerability description" }, { "category": "summary", "text": "plugin: CSRF vulnerability in Script Security Plugin", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src", "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-30946" }, { "category": "external", "summary": "RHBZ#2119643", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119643" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-30946", "url": "https://www.cve.org/CVERecord?id=CVE-2022-30946" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-30946", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30946" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2116", "url": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2116" } ], "release_date": "2022-05-17T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-02-08T18:41:32+00:00", "details": "For OpenShift Container Platform 4.10 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html\n\nBefore applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0560" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1" }, "products": [ "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src", "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "plugin: CSRF vulnerability in Script Security Plugin" }, { "cve": "CVE-2022-30952", "cwe": { "id": "CWE-668", "name": "Exposure of Resource to Wrong Sphere" }, "discovery_date": "2022-08-19T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src", "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2119645" } ], "notes": [ { "category": "description", "text": "Jenkins Pipeline SCM API for Blue Ocean Plugin 1.25.3 and earlier allows attackers with Job/Configure permission to access credentials with attacker-specified IDs stored in the private per-user credentials stores of any attacker-specified user in Jenkins.", "title": "Vulnerability description" }, { "category": "summary", "text": "plugin: User-scoped credentials exposed to other users by Pipeline SCM API for Blue Ocean Plugin", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src", "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-30952" }, { "category": "external", "summary": "RHBZ#2119645", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119645" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-30952", "url": "https://www.cve.org/CVERecord?id=CVE-2022-30952" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-30952", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30952" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-714", "url": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-714" } ], "release_date": "2022-05-17T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-02-08T18:41:32+00:00", "details": "For OpenShift Container Platform 4.10 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html\n\nBefore applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0560" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "products": [ "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src", "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "plugin: User-scoped credentials exposed to other users by Pipeline SCM API for Blue Ocean Plugin" }, { "cve": "CVE-2022-30953", "cwe": { "id": "CWE-352", "name": "Cross-Site Request Forgery (CSRF)" }, "discovery_date": "2022-08-19T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src", "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2119646" } ], "notes": [ { "category": "description", "text": "A cross-site request forgery (CSRF) vulnerability in Jenkins Blue Ocean Plugin 1.25.3 and earlier allows attackers to connect to an attacker-specified HTTP server.", "title": "Vulnerability description" }, { "category": "summary", "text": "plugin: CSRF vulnerability in Blue Ocean Plugin", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src", "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-30953" }, { "category": "external", "summary": "RHBZ#2119646", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119646" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-30953", "url": "https://www.cve.org/CVERecord?id=CVE-2022-30953" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-30953", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30953" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2502", "url": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2502" } ], "release_date": "2022-05-17T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-02-08T18:41:32+00:00", "details": "For OpenShift Container Platform 4.10 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html\n\nBefore applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0560" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1" }, "products": [ "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src", "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "plugin: CSRF vulnerability in Blue Ocean Plugin" }, { "cve": "CVE-2022-30954", "cwe": { "id": "CWE-862", "name": "Missing Authorization" }, "discovery_date": "2022-08-19T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src", "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2119647" } ], "notes": [ { "category": "description", "text": "Jenkins Blue Ocean Plugin 1.25.3 and earlier does not perform a permission check in several HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified HTTP server.", "title": "Vulnerability description" }, { "category": "summary", "text": "plugin: missing permission checks in Blue Ocean Plugin", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src", "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-30954" }, { "category": "external", "summary": "RHBZ#2119647", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119647" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-30954", "url": "https://www.cve.org/CVERecord?id=CVE-2022-30954" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-30954", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30954" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2502", "url": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2502" } ], "release_date": "2022-05-17T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-02-08T18:41:32+00:00", "details": "For OpenShift Container Platform 4.10 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html\n\nBefore applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0560" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" }, "products": [ "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src", "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "plugin: missing permission checks in Blue Ocean Plugin" }, { "cve": "CVE-2022-36882", "cwe": { "id": "CWE-352", "name": "Cross-Site Request Forgery (CSRF)" }, "discovery_date": "2022-08-09T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src", "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2116840" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Git Jenkins plugin. The affected versions of the Git Jenkins Plugin allow attackers to trigger the builds of jobs configured to use an attacker-specified Git repository and to cause them to check out an attacker-specified commit.", "title": "Vulnerability description" }, { "category": "summary", "text": "jenkins-plugin: Cross-site Request Forgery (CSRF) in org.jenkins-ci.plugins:git", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src", "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-36882" }, { "category": "external", "summary": "RHBZ#2116840", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2116840" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-36882", "url": "https://www.cve.org/CVERecord?id=CVE-2022-36882" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-36882", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36882" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284", "url": "https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284" } ], "release_date": "2022-08-03T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-02-08T18:41:32+00:00", "details": "For OpenShift Container Platform 4.10 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html\n\nBefore applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0560" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src", "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "jenkins-plugin: Cross-site Request Forgery (CSRF) in org.jenkins-ci.plugins:git" }, { "cve": "CVE-2022-36883", "cwe": { "id": "CWE-862", "name": "Missing Authorization" }, "discovery_date": "2022-08-19T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src", "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2119656" } ], "notes": [ { "category": "description", "text": "A missing permission check in Jenkins Git Plugin 4.11.3 and earlier allows unauthenticated attackers to trigger builds of jobs configured to use an attacker-specified Git repository and to cause them to check out an attacker-specified commit.", "title": "Vulnerability description" }, { "category": "summary", "text": "plugin: Lack of authentication mechanism in Git Plugin webhook", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src", "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-36883" }, { "category": "external", "summary": "RHBZ#2119656", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119656" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-36883", "url": "https://www.cve.org/CVERecord?id=CVE-2022-36883" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-36883", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36883" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284", "url": "https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284" } ], "release_date": "2022-07-27T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-02-08T18:41:32+00:00", "details": "For OpenShift Container Platform 4.10 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html\n\nBefore applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0560" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" }, "products": [ "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src", "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "plugin: Lack of authentication mechanism in Git Plugin webhook" }, { "cve": "CVE-2022-36884", "cwe": { "id": "CWE-200", "name": "Exposure of Sensitive Information to an Unauthorized Actor" }, "discovery_date": "2022-08-19T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src", "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2119657" } ], "notes": [ { "category": "description", "text": "The webhook endpoint in Jenkins Git Plugin 4.11.3 and earlier provide unauthenticated attackers information about the existence of jobs configured to use an attacker-specified Git repository.", "title": "Vulnerability description" }, { "category": "summary", "text": "plugin: Lack of authentication mechanism in Git Plugin webhook", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src", "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-36884" }, { "category": "external", "summary": "RHBZ#2119657", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119657" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-36884", "url": "https://www.cve.org/CVERecord?id=CVE-2022-36884" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-36884", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36884" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284", "url": "https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284" } ], "release_date": "2022-07-27T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-02-08T18:41:32+00:00", "details": "For OpenShift Container Platform 4.10 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html\n\nBefore applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0560" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "products": [ "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src", "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "plugin: Lack of authentication mechanism in Git Plugin webhook" }, { "cve": "CVE-2022-36885", "cwe": { "id": "CWE-208", "name": "Observable Timing Discrepancy" }, "discovery_date": "2022-08-19T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src", "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2119658" } ], "notes": [ { "category": "description", "text": "Jenkins GitHub Plugin 1.34.4 and earlier uses a non-constant time comparison function when checking whether the provided and computed webhook signatures are equal, allowing attackers to use statistical methods to obtain a valid webhook signature.", "title": "Vulnerability description" }, { "category": "summary", "text": "plugin: Non-constant time webhook signature comparison in GitHub Plugin", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src", "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-36885" }, { "category": "external", "summary": "RHBZ#2119658", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119658" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-36885", "url": "https://www.cve.org/CVERecord?id=CVE-2022-36885" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-36885", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36885" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-1849", "url": "https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-1849" } ], "release_date": "2022-07-27T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-02-08T18:41:32+00:00", "details": "For OpenShift Container Platform 4.10 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html\n\nBefore applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0560" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "products": [ "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src", "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "plugin: Non-constant time webhook signature comparison in GitHub Plugin" }, { "cve": "CVE-2022-43401", "cwe": { "id": "CWE-693", "name": "Protection Mechanism Failure" }, "discovery_date": "2022-10-20T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src", "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2136381" } ], "notes": [ { "category": "description", "text": "A sandbox bypass vulnerability was found in several Jenkins plugins. This could allow an authenticated attacker to execute arbitrary code within the Jenkins JVM controller. Exploitation could be achieved by crafting untrusted libraries or pipelines, compromising the integrity, availability, and confidentiality of Jenkins.", "title": "Vulnerability description" }, { "category": "summary", "text": "jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src", "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-43401" }, { "category": "external", "summary": "RHBZ#2136381", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136381" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-43401", "url": "https://www.cve.org/CVERecord?id=CVE-2022-43401" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-43401", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43401" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)", "url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)" } ], "release_date": "2022-10-19T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-02-08T18:41:32+00:00", "details": "For OpenShift Container Platform 4.10 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html\n\nBefore applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0560" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src", "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src" ] } ], "threats": [ { "category": "impact", "details": "Critical" } ], "title": "jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin" }, { "cve": "CVE-2022-43402", "cwe": { "id": "CWE-693", "name": "Protection Mechanism Failure" }, "discovery_date": "2022-10-20T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src", "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2136379" } ], "notes": [ { "category": "description", "text": "A sandbox bypass vulnerability was found in several Jenkins plugins. This could allow an authenticated attacker to execute arbitrary code within the Jenkins JVM controller. Exploitation could be achieved by crafting untrusted libraries or pipelines, compromising the integrity, availability, and confidentiality of Jenkins.", "title": "Vulnerability description" }, { "category": "summary", "text": "jenkins-plugin/workflow-cps: Sandbox bypass vulnerabilities in Pipeline: Groovy Plugin", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src", "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-43402" }, { "category": "external", "summary": "RHBZ#2136379", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136379" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-43402", "url": "https://www.cve.org/CVERecord?id=CVE-2022-43402" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-43402", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43402" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)", "url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)" } ], "release_date": "2022-10-19T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-02-08T18:41:32+00:00", "details": "For OpenShift Container Platform 4.10 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html\n\nBefore applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0560" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src", "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src" ] } ], "threats": [ { "category": "impact", "details": "Critical" } ], "title": "jenkins-plugin/workflow-cps: Sandbox bypass vulnerabilities in Pipeline: Groovy Plugin" }, { "cve": "CVE-2022-43403", "cwe": { "id": "CWE-693", "name": "Protection Mechanism Failure" }, "discovery_date": "2022-10-20T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src", "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2136382" } ], "notes": [ { "category": "description", "text": "A sandbox bypass vulnerability was found in several Jenkins plugins. This could allow an authenticated attacker to execute arbitrary code within the Jenkins JVM controller. Exploitation could be achieved by crafting untrusted libraries or pipelines, compromising the integrity, availability, and confidentiality of Jenkins.", "title": "Vulnerability description" }, { "category": "summary", "text": "jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src", "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-43403" }, { "category": "external", "summary": "RHBZ#2136382", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136382" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-43403", "url": "https://www.cve.org/CVERecord?id=CVE-2022-43403" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-43403", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43403" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)", "url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)" } ], "release_date": "2022-10-19T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-02-08T18:41:32+00:00", "details": "For OpenShift Container Platform 4.10 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html\n\nBefore applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0560" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src", "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src" ] } ], "threats": [ { "category": "impact", "details": "Critical" } ], "title": "jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin" }, { "cve": "CVE-2022-43404", "cwe": { "id": "CWE-693", "name": "Protection Mechanism Failure" }, "discovery_date": "2022-10-20T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src", "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2136383" } ], "notes": [ { "category": "description", "text": "A sandbox bypass vulnerability was found in several Jenkins plugins. This could allow an authenticated attacker to execute arbitrary code within the Jenkins JVM controller. Exploitation could be achieved by crafting untrusted libraries or pipelines, compromising the integrity, availability, and confidentiality of Jenkins.", "title": "Vulnerability description" }, { "category": "summary", "text": "jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src", "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-43404" }, { "category": "external", "summary": "RHBZ#2136383", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136383" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-43404", "url": "https://www.cve.org/CVERecord?id=CVE-2022-43404" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-43404", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43404" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)", "url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)" } ], "release_date": "2022-10-19T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-02-08T18:41:32+00:00", "details": "For OpenShift Container Platform 4.10 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html\n\nBefore applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0560" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src", "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src" ] } ], "threats": [ { "category": "impact", "details": "Critical" } ], "title": "jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin" }, { "cve": "CVE-2022-43405", "cwe": { "id": "CWE-693", "name": "Protection Mechanism Failure" }, "discovery_date": "2022-10-20T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src", "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2136374" } ], "notes": [ { "category": "description", "text": "A sandbox bypass vulnerability was found in several Jenkins plugins. This could allow an authenticated attacker to execute arbitrary code within the Jenkins JVM controller. Exploitation could be achieved by crafting untrusted libraries or pipelines, compromising the integrity, availability, and confidentiality of Jenkins.", "title": "Vulnerability description" }, { "category": "summary", "text": "jenkins-plugin/pipeline-groovy-lib: Sandbox bypass vulnerability in Pipeline: Groovy Libraries Plugin", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src", "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-43405" }, { "category": "external", "summary": "RHBZ#2136374", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136374" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-43405", "url": "https://www.cve.org/CVERecord?id=CVE-2022-43405" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-43405", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43405" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(2)", "url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(2)" } ], "release_date": "2022-10-19T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-02-08T18:41:32+00:00", "details": "For OpenShift Container Platform 4.10 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html\n\nBefore applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0560" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src", "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src" ] } ], "threats": [ { "category": "impact", "details": "Critical" } ], "title": "jenkins-plugin/pipeline-groovy-lib: Sandbox bypass vulnerability in Pipeline: Groovy Libraries Plugin" }, { "cve": "CVE-2022-43406", "cwe": { "id": "CWE-693", "name": "Protection Mechanism Failure" }, "discovery_date": "2022-10-20T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src", "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2136370" } ], "notes": [ { "category": "description", "text": "A sandbox bypass vulnerability was found in several Jenkins plugins. This could allow an authenticated attacker to execute arbitrary code within the Jenkins JVM controller. Exploitation could be achieved by crafting untrusted libraries or pipelines, compromising the integrity, availability, and confidentiality of Jenkins.", "title": "Vulnerability description" }, { "category": "summary", "text": "jenkins-plugin/workflow-cps-global-lib: Sandbox bypass vulnerability in Pipeline: Deprecated Groovy Libraries Plugin", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src", "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-43406" }, { "category": "external", "summary": "RHBZ#2136370", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136370" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-43406", "url": "https://www.cve.org/CVERecord?id=CVE-2022-43406" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-43406", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43406" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(2)", "url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(2)" } ], "release_date": "2022-10-19T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-02-08T18:41:32+00:00", "details": "For OpenShift Container Platform 4.10 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html\n\nBefore applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0560" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src", "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src" ] } ], "threats": [ { "category": "impact", "details": "Critical" } ], "title": "jenkins-plugin/workflow-cps-global-lib: Sandbox bypass vulnerability in Pipeline: Deprecated Groovy Libraries Plugin" }, { "cve": "CVE-2022-43407", "cwe": { "id": "CWE-838", "name": "Inappropriate Encoding for Output Context" }, "discovery_date": "2022-10-20T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src", "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2136386" } ], "notes": [ { "category": "description", "text": "A cross-site request forgery (CSRF) vulnerability was found in a Jenkins plugin. This issue may allow an unauthenticated attacker to access Jenkins builds, bypassing CSRF protections. This could compromise the integrity, availability, and confidentiality of Jenkins.", "title": "Vulnerability description" }, { "category": "summary", "text": "jenkins-plugin/pipeline-input-step: CSRF protection for any URL can be bypassed in Pipeline: Input Step Plugin", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src", "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-43407" }, { "category": "external", "summary": "RHBZ#2136386", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136386" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-43407", "url": "https://www.cve.org/CVERecord?id=CVE-2022-43407" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-43407", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43407" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2880", "url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2880" } ], "release_date": "2022-10-19T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-02-08T18:41:32+00:00", "details": "For OpenShift Container Platform 4.10 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html\n\nBefore applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0560" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src", "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "jenkins-plugin/pipeline-input-step: CSRF protection for any URL can be bypassed in Pipeline: Input Step Plugin" }, { "cve": "CVE-2022-43408", "cwe": { "id": "CWE-838", "name": "Inappropriate Encoding for Output Context" }, "discovery_date": "2022-10-20T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src", "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2136388" } ], "notes": [ { "category": "description", "text": "A Cross-site request forgery (CSRF) vulnerability was found in a Jenkins plugin. This issue may allow an authenticated attacker to access Jenkins builds, bypassing CSRF protections.", "title": "Vulnerability description" }, { "category": "summary", "text": "jenkins-plugin/pipeline-stage-view: CSRF protection for any URL can be bypassed in Pipeline: Stage View Plugin", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src", "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-43408" }, { "category": "external", "summary": "RHBZ#2136388", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136388" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-43408", "url": "https://www.cve.org/CVERecord?id=CVE-2022-43408" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-43408", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43408" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2828", "url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2828" } ], "release_date": "2022-10-19T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-02-08T18:41:32+00:00", "details": "For OpenShift Container Platform 4.10 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html\n\nBefore applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0560" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N", "version": "3.1" }, "products": [ "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src", "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "jenkins-plugin/pipeline-stage-view: CSRF protection for any URL can be bypassed in Pipeline: Stage View Plugin" }, { "cve": "CVE-2022-43409", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2022-10-20T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src", "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2136391" } ], "notes": [ { "category": "description", "text": "A Cross-site scripting (XSS) vulnerability was found in a Jenkins plugin. This issue may allow an authenticated remote attacker to create Pipelines.", "title": "Vulnerability description" }, { "category": "summary", "text": "jenkins-plugin/workflow-support: Stored XSS vulnerability in Pipeline: Supporting APIs Plugin", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src", "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-43409" }, { "category": "external", "summary": "RHBZ#2136391", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136391" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-43409", "url": "https://www.cve.org/CVERecord?id=CVE-2022-43409" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-43409", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43409" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2881", "url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2881" } ], "release_date": "2022-10-19T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-02-08T18:41:32+00:00", "details": "For OpenShift Container Platform 4.10 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html\n\nBefore applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0560" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "products": [ "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src", "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "jenkins-plugin/workflow-support: Stored XSS vulnerability in Pipeline: Supporting APIs Plugin" }, { "cve": "CVE-2022-45047", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-11-23T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src", "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2145194" } ], "notes": [ { "category": "description", "text": "A flaw was found in Apache MINA SSHD, when using Java deserialization to load a serialized java.security.PrivateKey. An attacker could benefit from unsafe deserialization by inserting unsecured data that may affect the application or server.", "title": "Vulnerability description" }, { "category": "summary", "text": "mina-sshd: Java unsafe deserialization vulnerability", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Impact as High as there\u0027s a mitigation for minimizing the impact which the flaw requires org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to be impacted, which would require an external/public API for an attacker to benefit from it. \n\nRed Hat Fuse 7 and Red Hat JBoss Enterprise Application Platform 7 have a lower rate (moderate) as it\u0027s very unlikely to be exploited since those are for internal usage or use a custom implementation in their case.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src", "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-45047" }, { "category": "external", "summary": "RHBZ#2145194", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-45047", "url": "https://www.cve.org/CVERecord?id=CVE-2022-45047" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047" }, { "category": "external", "summary": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html", "url": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html" } ], "release_date": "2022-11-16T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-02-08T18:41:32+00:00", "details": "For OpenShift Container Platform 4.10 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html\n\nBefore applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0560" }, { "category": "workaround", "details": "From the maintainer:\n\nFor Apache MINA SSHD \u003c= 2.9.1, do not use org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to generate and later load your server\u0027s host key. Use separately generated host key files, for instance in OpenSSH format, and load them via a org.apache.sshd.common.keyprovider.FileKeyPairProvider instead. Or use a custom implementation instead of \nSimpleGeneratorHostKeyProvider that uses the OpenSSH format for storing and loading the host key (via classes OpenSSHKeyPairResourceWriter and OpenSSHKeyPairResourceParser).", "product_ids": [ "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src", "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src", "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "mina-sshd: Java unsafe deserialization vulnerability" }, { "cve": "CVE-2022-45379", "cwe": { "id": "CWE-328", "name": "Use of Weak Hash" }, "discovery_date": "2022-11-16T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src", "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2143090" } ], "notes": [ { "category": "description", "text": "A flaw was found in the script-security Jenkins Plugin. SHA-1 no longer meets the security standards for producing a cryptographically secure message digest. The affected version of the script-security Plugin stores whole-script approvals as the SHA-1 hash of the approved script.", "title": "Vulnerability description" }, { "category": "summary", "text": "jenkins-plugin/script-security: Whole-script approval in Script Security Plugin vulnerable to SHA-1 collisions", "title": "Vulnerability summary" }, { "category": "other", "text": "OpenShift 3.11 is already in the ELS support model phase. The Jenkins components are out of scope of the ELS support; hence OpenShift 3.11 Jenkins component is marked in this CVE as out of support scope.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src", "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-45379" }, { "category": "external", "summary": "RHBZ#2143090", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2143090" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-45379", "url": "https://www.cve.org/CVERecord?id=CVE-2022-45379" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45379", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45379" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2022-11-15/#SECURITY-2564", "url": "https://www.jenkins.io/security/advisory/2022-11-15/#SECURITY-2564" } ], "release_date": "2022-11-15T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-02-08T18:41:32+00:00", "details": "For OpenShift Container Platform 4.10 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html\n\nBefore applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0560" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src", "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "jenkins-plugin/script-security: Whole-script approval in Script Security Plugin vulnerable to SHA-1 collisions" }, { "cve": "CVE-2022-45380", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2022-11-16T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src", "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2143086" } ], "notes": [ { "category": "description", "text": "A flaw was found in the JUnit Jenkins Plugin. The affected version of the JUnit plugin converts HTTP(S) URLs in test report output to clickable links, which leads to a stored Cross-site scripting (XSS) attack.", "title": "Vulnerability description" }, { "category": "summary", "text": "jenkins-plugin/JUnit: Stored XSS vulnerability in JUnit Plugin", "title": "Vulnerability summary" }, { "category": "other", "text": "OpenShift 3.11 is already in the ELS support model phase. The Jenkins components are out of scope of the ELS support; hence OpenShift 3.11 Jenkins component is marked in this CVE as Out of Support Scope.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src", "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-45380" }, { "category": "external", "summary": "RHBZ#2143086", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2143086" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-45380", "url": "https://www.cve.org/CVERecord?id=CVE-2022-45380" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45380", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45380" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2022-11-15/#SECURITY-2888", "url": "https://www.jenkins.io/security/advisory/2022-11-15/#SECURITY-2888" } ], "release_date": "2022-11-15T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-02-08T18:41:32+00:00", "details": "For OpenShift Container Platform 4.10 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html\n\nBefore applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0560" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src", "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "jenkins-plugin/JUnit: Stored XSS vulnerability in JUnit Plugin" }, { "cve": "CVE-2022-45381", "cwe": { "id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" }, "discovery_date": "2022-11-16T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src", "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2143089" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Pipeline Utility Steps Jenkins Plugin. The affected version of the Pipeline Utility Steps Plugin does not restrict the set of enabled prefix interpolators and bundles versions of this library that enable the file: prefix interpolator by default. This flaw allows attackers who can configure Pipelines to read arbitrary files from the Jenkins controller file system.", "title": "Vulnerability description" }, { "category": "summary", "text": "jenkins-plugin/pipeline-utility-steps: Arbitrary file read vulnerability in Pipeline Utility Steps Plugin", "title": "Vulnerability summary" }, { "category": "other", "text": "OpenShift 3.11 is already in the ELS support model phase. The Jenkins components are out of scope of the ELS support; hence the OpenShift 3.11 Jenkins component is marked in this CVE as out of support scope.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src" ], "known_not_affected": [ "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src", "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-45381" }, { "category": "external", "summary": "RHBZ#2143089", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2143089" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-45381", "url": "https://www.cve.org/CVERecord?id=CVE-2022-45381" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45381", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45381" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2022-11-15/#SECURITY-2949", "url": "https://www.jenkins.io/security/advisory/2022-11-15/#SECURITY-2949" } ], "release_date": "2022-11-15T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-02-08T18:41:32+00:00", "details": "For OpenShift Container Platform 4.10 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html\n\nBefore applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0560" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1" }, "products": [ "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src", "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src", "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "jenkins-plugin/pipeline-utility-steps: Arbitrary file read vulnerability in Pipeline Utility Steps Plugin" } ] }
Loading…
Loading…
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.