rhsa-2023_3622
Vulnerability from csaf_redhat
Published
2023-06-15 09:03
Modified
2024-11-15 13:35
Summary
Red Hat Security Advisory: jenkins and jenkins-2-plugins security update

Notes

Topic
An update for jenkins and jenkins-2-plugins is now available for OpenShift Developer Tools and Services for OCP 4.13.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron.

Security Fix(es):

* maven-shared-utils: Command injection via Commandline class (CVE-2022-29599)

* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)

* springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern (CVE-2023-20860)

* Jenkins plugin: CSRF vulnerability in Blue Ocean Plugin (CVE-2022-30953)

* Jenkins plugin: missing permission checks in Blue Ocean Plugin (CVE-2022-30954)

* jettison: Uncontrolled Recursion in JSONArray (CVE-2023-1436)

* springframework: Spring Expression DoS Vulnerability (CVE-2023-20861)

* Jenkins: Temporary file parameter created with insecure permissions (CVE-2023-27903)

* Jenkins: Information disclosure through error stack traces related to agents (CVE-2023-27904)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update for jenkins and jenkins-2-plugins is now available for OpenShift Developer Tools and Services for OCP 4.13.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron.\n\nSecurity Fix(es):\n\n* maven-shared-utils: Command injection via Commandline class (CVE-2022-29599)\n\n* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)\n\n* springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern (CVE-2023-20860)\n\n* Jenkins plugin: CSRF vulnerability in Blue Ocean Plugin (CVE-2022-30953)\n\n* Jenkins plugin: missing permission checks in Blue Ocean Plugin (CVE-2022-30954)\n\n* jettison: Uncontrolled Recursion in JSONArray (CVE-2023-1436)\n\n* springframework: Spring Expression DoS Vulnerability (CVE-2023-20861)\n\n* Jenkins: Temporary file parameter created with insecure permissions (CVE-2023-27903)\n\n* Jenkins: Information disclosure through error stack traces related to agents (CVE-2023-27904)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2023:3622",
        "url": "https://access.redhat.com/errata/RHSA-2023:3622"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "https://docs.openshift.com/container-platform/4.13/cicd/jenkins/important-changes-to-openshift-jenkins-images.html",
        "url": "https://docs.openshift.com/container-platform/4.13/cicd/jenkins/important-changes-to-openshift-jenkins-images.html"
      },
      {
        "category": "external",
        "summary": "2066479",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2066479"
      },
      {
        "category": "external",
        "summary": "2119646",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119646"
      },
      {
        "category": "external",
        "summary": "2119647",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119647"
      },
      {
        "category": "external",
        "summary": "2177632",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2177632"
      },
      {
        "category": "external",
        "summary": "2177634",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2177634"
      },
      {
        "category": "external",
        "summary": "2180528",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2180528"
      },
      {
        "category": "external",
        "summary": "2180530",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2180530"
      },
      {
        "category": "external",
        "summary": "2182788",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2182788"
      },
      {
        "category": "external",
        "summary": "2188542",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2188542"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_3622.json"
      }
    ],
    "title": "Red Hat Security Advisory: jenkins and jenkins-2-plugins security update",
    "tracking": {
      "current_release_date": "2024-11-15T13:35:07+00:00",
      "generator": {
        "date": "2024-11-15T13:35:07+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.2.1"
        }
      },
      "id": "RHSA-2023:3622",
      "initial_release_date": "2023-06-15T09:03:50+00:00",
      "revision_history": [
        {
          "date": "2023-06-15T09:03:50+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2023-06-15T09:03:50+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-15T13:35:07+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "OpenShift Developer Tools and Services for OCP 4.13",
                "product": {
                  "name": "OpenShift Developer Tools and Services for OCP 4.13",
                  "product_id": "8Base-OCP-Tools-4.13",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:ocp_tools:4.13::el8"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "OpenShift Jenkins"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "jenkins-0:2.401.1.1686680404-3.el8.src",
                "product": {
                  "name": "jenkins-0:2.401.1.1686680404-3.el8.src",
                  "product_id": "jenkins-0:2.401.1.1686680404-3.el8.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/jenkins@2.401.1.1686680404-3.el8?arch=src"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "jenkins-2-plugins-0:4.13.1686680473-1.el8.src",
                "product": {
                  "name": "jenkins-2-plugins-0:4.13.1686680473-1.el8.src",
                  "product_id": "jenkins-2-plugins-0:4.13.1686680473-1.el8.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/jenkins-2-plugins@4.13.1686680473-1.el8?arch=src"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "jenkins-0:2.401.1.1686680404-3.el8.noarch",
                "product": {
                  "name": "jenkins-0:2.401.1.1686680404-3.el8.noarch",
                  "product_id": "jenkins-0:2.401.1.1686680404-3.el8.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/jenkins@2.401.1.1686680404-3.el8?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch",
                "product": {
                  "name": "jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch",
                  "product_id": "jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/jenkins-2-plugins@4.13.1686680473-1.el8?arch=noarch"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jenkins-0:2.401.1.1686680404-3.el8.noarch as a component of OpenShift Developer Tools and Services for OCP 4.13",
          "product_id": "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch"
        },
        "product_reference": "jenkins-0:2.401.1.1686680404-3.el8.noarch",
        "relates_to_product_reference": "8Base-OCP-Tools-4.13"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jenkins-0:2.401.1.1686680404-3.el8.src as a component of OpenShift Developer Tools and Services for OCP 4.13",
          "product_id": "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src"
        },
        "product_reference": "jenkins-0:2.401.1.1686680404-3.el8.src",
        "relates_to_product_reference": "8Base-OCP-Tools-4.13"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch as a component of OpenShift Developer Tools and Services for OCP 4.13",
          "product_id": "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch"
        },
        "product_reference": "jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch",
        "relates_to_product_reference": "8Base-OCP-Tools-4.13"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jenkins-2-plugins-0:4.13.1686680473-1.el8.src as a component of OpenShift Developer Tools and Services for OCP 4.13",
          "product_id": "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src"
        },
        "product_reference": "jenkins-2-plugins-0:4.13.1686680473-1.el8.src",
        "relates_to_product_reference": "8Base-OCP-Tools-4.13"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2022-29599",
      "cwe": {
        "id": "CWE-77",
        "name": "Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)"
      },
      "discovery_date": "2022-03-15T00:00:00+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch",
            "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2066479"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the maven-shared-utils package. This issue allows a Command Injection due to improper escaping, allowing a shell injection attack.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "maven-shared-utils: Command injection via Commandline class",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Red Hat Satellite ships Candlepin component, which uses the Tomcatjss module from the RHEL AppStream repository. In turn, Tomcatjss relies on Maven, which itself depends on affected Apache Maven Shared Utils. Due to the fact that Satellite does not directly use Apache Maven Shared Utils, or expose it in its code, it is considered not affected by the flaw. Satellite customers can resolve the security warning by updating to the fixed Apache Maven Shared Utils through the updated Maven module, which is available in the RHEL 8 AppStream repository. It\u0027s worth noting that this solution applies solely to RHEL 8, which supports modules exclusively, and it is not applicable to earlier versions including RHEL 7.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch",
          "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src"
        ],
        "known_not_affected": [
          "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch",
          "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2022-29599"
        },
        {
          "category": "external",
          "summary": "RHBZ#2066479",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2066479"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2022-29599",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-29599"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-29599",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29599"
        }
      ],
      "release_date": "2020-05-29T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2023-06-15T09:03:50+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch",
            "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2023:3622"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch",
            "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "maven-shared-utils: Command injection via Commandline class"
    },
    {
      "cve": "CVE-2022-30953",
      "cwe": {
        "id": "CWE-352",
        "name": "Cross-Site Request Forgery (CSRF)"
      },
      "discovery_date": "2022-08-19T00:00:00+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch",
            "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2119646"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A cross-site request forgery (CSRF) vulnerability in Jenkins Blue Ocean Plugin 1.25.3 and earlier allows attackers to connect to an attacker-specified HTTP server.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "plugin: CSRF vulnerability in Blue Ocean Plugin",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch",
          "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src"
        ],
        "known_not_affected": [
          "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch",
          "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2022-30953"
        },
        {
          "category": "external",
          "summary": "RHBZ#2119646",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119646"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2022-30953",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-30953"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-30953",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30953"
        },
        {
          "category": "external",
          "summary": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2502",
          "url": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2502"
        }
      ],
      "release_date": "2022-05-17T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2023-06-15T09:03:50+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch",
            "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2023:3622"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch",
            "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "plugin: CSRF vulnerability in Blue Ocean Plugin"
    },
    {
      "cve": "CVE-2022-30954",
      "cwe": {
        "id": "CWE-862",
        "name": "Missing Authorization"
      },
      "discovery_date": "2022-08-19T00:00:00+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch",
            "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2119647"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Jenkins Blue Ocean Plugin 1.25.3 and earlier does not perform a permission check in several HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified HTTP server.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "plugin: missing permission checks in Blue Ocean Plugin",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch",
          "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src"
        ],
        "known_not_affected": [
          "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch",
          "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2022-30954"
        },
        {
          "category": "external",
          "summary": "RHBZ#2119647",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119647"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2022-30954",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-30954"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-30954",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30954"
        },
        {
          "category": "external",
          "summary": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2502",
          "url": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2502"
        }
      ],
      "release_date": "2022-05-17T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2023-06-15T09:03:50+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch",
            "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2023:3622"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch",
            "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "plugin: missing permission checks in Blue Ocean Plugin"
    },
    {
      "cve": "CVE-2023-1370",
      "cwe": {
        "id": "CWE-674",
        "name": "Uncontrolled Recursion"
      },
      "discovery_date": "2023-04-21T00:00:00+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch",
            "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2188542"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the json-smart package. This security flaw occurs when reaching a \u2018[\u2018 or \u2018{\u2018 character in the JSON input, and the code parses an array or an object, respectively. The 3PP does not have any limit to the nesting of such arrays or objects. Since nested arrays and objects are parsed recursively, nesting too many of them can cause stack exhaustion (stack overflow) and crash the software.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch",
          "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src"
        ],
        "known_not_affected": [
          "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch",
          "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2023-1370"
        },
        {
          "category": "external",
          "summary": "RHBZ#2188542",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2188542"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2023-1370",
          "url": "https://www.cve.org/CVERecord?id=CVE-2023-1370"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-1370",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1370"
        },
        {
          "category": "external",
          "summary": "https://github.com/advisories/GHSA-493p-pfq6-5258",
          "url": "https://github.com/advisories/GHSA-493p-pfq6-5258"
        },
        {
          "category": "external",
          "summary": "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/",
          "url": "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/"
        }
      ],
      "release_date": "2023-03-22T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2023-06-15T09:03:50+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch",
            "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2023:3622"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch",
            "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)"
    },
    {
      "cve": "CVE-2023-1436",
      "cwe": {
        "id": "CWE-674",
        "name": "Uncontrolled Recursion"
      },
      "discovery_date": "2023-03-29T00:00:00+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch",
            "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2182788"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Jettison. Infinite recursion is triggered in Jettison when constructing a JSONArray from a Collection that contains a self-reference in one of its elements. This issue leads to a StackOverflowError exception being thrown.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jettison: Uncontrolled Recursion in JSONArray",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch",
          "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src"
        ],
        "known_not_affected": [
          "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch",
          "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2023-1436"
        },
        {
          "category": "external",
          "summary": "RHBZ#2182788",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2182788"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2023-1436",
          "url": "https://www.cve.org/CVERecord?id=CVE-2023-1436"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-1436",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1436"
        },
        {
          "category": "external",
          "summary": "https://research.jfrog.com/vulnerabilities/jettison-json-array-dos-xray-427911/",
          "url": "https://research.jfrog.com/vulnerabilities/jettison-json-array-dos-xray-427911/"
        }
      ],
      "release_date": "2023-03-22T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2023-06-15T09:03:50+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch",
            "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2023:3622"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch",
            "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "jettison: Uncontrolled Recursion in JSONArray"
    },
    {
      "cve": "CVE-2023-20860",
      "cwe": {
        "id": "CWE-155",
        "name": "Improper Neutralization of Wildcards or Matching Symbols"
      },
      "discovery_date": "2023-03-21T00:00:00+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch",
            "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2180528"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Spring Framework. In this vulnerability, a security bypass is possible due to the behavior of the wildcard pattern.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch",
          "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src"
        ],
        "known_not_affected": [
          "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch",
          "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2023-20860"
        },
        {
          "category": "external",
          "summary": "RHBZ#2180528",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2180528"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2023-20860",
          "url": "https://www.cve.org/CVERecord?id=CVE-2023-20860"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-20860",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20860"
        },
        {
          "category": "external",
          "summary": "https://spring.io/blog/2023/03/20/spring-framework-6-0-7-and-5-3-26-fix-cve-2023-20860-and-cve-2023-20861",
          "url": "https://spring.io/blog/2023/03/20/spring-framework-6-0-7-and-5-3-26-fix-cve-2023-20860-and-cve-2023-20861"
        }
      ],
      "release_date": "2023-03-20T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2023-06-15T09:03:50+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch",
            "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2023:3622"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch",
            "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern"
    },
    {
      "cve": "CVE-2023-20861",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "discovery_date": "2023-03-21T00:00:00+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch",
            "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2180530"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Spring Framework. This flaw allows a malicious user to use a specially crafted SpEL expression that causes a denial of service (DoS).",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "springframework: Spring Expression DoS Vulnerability",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch",
          "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src"
        ],
        "known_not_affected": [
          "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch",
          "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2023-20861"
        },
        {
          "category": "external",
          "summary": "RHBZ#2180530",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2180530"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2023-20861",
          "url": "https://www.cve.org/CVERecord?id=CVE-2023-20861"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-20861",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20861"
        },
        {
          "category": "external",
          "summary": "https://spring.io/blog/2023/03/20/spring-framework-6-0-7-and-5-3-26-fix-cve-2023-20860-and-cve-2023-20861",
          "url": "https://spring.io/blog/2023/03/20/spring-framework-6-0-7-and-5-3-26-fix-cve-2023-20860-and-cve-2023-20861"
        }
      ],
      "release_date": "2023-03-20T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2023-06-15T09:03:50+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch",
            "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2023:3622"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch",
            "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "springframework: Spring Expression DoS Vulnerability"
    },
    {
      "cve": "CVE-2023-27903",
      "cwe": {
        "id": "CWE-266",
        "name": "Incorrect Privilege Assignment"
      },
      "discovery_date": "2023-03-13T00:00:00+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch",
            "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2177632"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Jenkins. When triggering a build from the Jenkins CLI, Jenkins creates a temporary file on the controller if a file parameter is provided through the CLI\u2019s standard input. Affected versions of Jenkins create this temporary file in the default temporary directory with the default permissions for newly created files. If these permissions are overly permissive, they may allow attackers with access to the Jenkins controller file system to read and write the file before it is used in the build.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "Jenkins: Temporary file parameter created with insecure permissions",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "OpenShift 3.11 is already in the ELS support model phase. The Jenkins components are out of the scope of the ELS support; hence OpenShift 3.11 Jenkins component is marked in this CVE as Out of Support Scope.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch",
          "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src"
        ],
        "known_not_affected": [
          "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch",
          "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2023-27903"
        },
        {
          "category": "external",
          "summary": "RHBZ#2177632",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2177632"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2023-27903",
          "url": "https://www.cve.org/CVERecord?id=CVE-2023-27903"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-27903",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27903"
        },
        {
          "category": "external",
          "summary": "https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-3058",
          "url": "https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-3058"
        }
      ],
      "release_date": "2023-03-10T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2023-06-15T09:03:50+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch",
            "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2023:3622"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 4.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch",
            "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "Jenkins: Temporary file parameter created with insecure permissions"
    },
    {
      "cve": "CVE-2023-27904",
      "cwe": {
        "id": "CWE-200",
        "name": "Exposure of Sensitive Information to an Unauthorized Actor"
      },
      "discovery_date": "2023-03-13T00:00:00+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch",
            "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2177634"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Jenkins. The affected version of Jenkins prints an error stack trace on agent-related pages when agent connections are broken. This stack trace may contain information about Jenkins configuration that is otherwise inaccessible to attackers.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "Jenkins: Information disclosure through error stack traces related to agents",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "OpenShift 3.11 is already in the ELS support model phase. The Jenkins components are out of the scope of the ELS support; hence OpenShift 3.11 Jenkins component is marked in this CVE as Out of Support Scope.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch",
          "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src"
        ],
        "known_not_affected": [
          "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch",
          "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2023-27904"
        },
        {
          "category": "external",
          "summary": "RHBZ#2177634",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2177634"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2023-27904",
          "url": "https://www.cve.org/CVERecord?id=CVE-2023-27904"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-27904",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27904"
        },
        {
          "category": "external",
          "summary": "https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-2120",
          "url": "https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-2120"
        }
      ],
      "release_date": "2023-03-10T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2023-06-15T09:03:50+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch",
            "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2023:3622"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch",
            "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "Jenkins: Information disclosure through error stack traces related to agents"
    }
  ]
}

