Red Hat Security Advisory: jenkins and jenkins-2-plugins security update
CVE IDs covered (22)
Description
- CVE-2021-26291 — maven: Block repositories using http by default
- CVE-2022-1471 — SnakeYaml: Constructor Deserialization Remote Code Execution
- CVE-2022-25857 — snakeyaml: Denial of Service due to missing nested depth limitation for collections
- CVE-2022-29599 — maven-shared-utils: Command injection via Commandline class
- CVE-2022-30953 — plugin: CSRF vulnerability in Blue Ocean Plugin
- CVE-2022-30954 — plugin: missing permission checks in Blue Ocean Plugin
- CVE-2022-42889 — apache-commons-text: variable interpolation RCE
- CVE-2022-43401 — jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin
- CVE-2022-43402 — jenkins-plugin/workflow-cps: Sandbox bypass vulnerabilities in Pipeline: Groovy Plugin
- CVE-2022-43403 — jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin
- CVE-2022-43404 — jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin
- CVE-2022-43405 — jenkins-plugin/pipeline-groovy-lib: Sandbox bypass vulnerability in Pipeline: Groovy Libraries Plugin
- CVE-2022-43406 — jenkins-plugin/workflow-cps-global-lib: Sandbox bypass vulnerability in Pipeline: Deprecated Groovy Libraries Plugin
- CVE-2022-43407 — jenkins-plugin/pipeline-input-step: CSRF protection for any URL can be bypassed in Pipeline: Input Step Plugin
- CVE-2022-43408 — jenkins-plugin/pipeline-stage-view: CSRF protection for any URL can be bypassed in Pipeline: Stage View Plugin
- CVE-2022-43409 — jenkins-plugin/workflow-support: Stored XSS vulnerability in Pipeline: Supporting APIs Plugin
- CVE-2022-45047 — mina-sshd: Java unsafe deserialization vulnerability
- CVE-2023-24422 — jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script Security Plugin
- CVE-2023-25761 — jenkins-2-plugins/JUnit: Stored XSS vulnerability in JUnit Plugin
- CVE-2023-25762 — jenkins-2-plugins/pipeline-build-step: Stored XSS vulnerability in Pipeline: Build Step Plugin
- CVE-2023-27903 — Jenkins: Temporary file parameter created with insecure permissions
- CVE-2023-27904 — Jenkins: Information disclosure through error stack traces related to agents
References (26)
- https://access.redhat.com/errata/RHSA-2023:3198
- https://access.redhat.com/security/updates/classification/#critical
- https://docs.openshift.com/container-platform/4.11/cicd/jenkins/important-changes-to-openshift-jenkins-images.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1955739
- https://bugzilla.redhat.com/show_bug.cgi?id=2066479
- https://bugzilla.redhat.com/show_bug.cgi?id=2119646
- https://bugzilla.redhat.com/show_bug.cgi?id=2119647
- https://bugzilla.redhat.com/show_bug.cgi?id=2126789
- https://bugzilla.redhat.com/show_bug.cgi?id=2135435
- https://bugzilla.redhat.com/show_bug.cgi?id=2136370
- https://bugzilla.redhat.com/show_bug.cgi?id=2136374
- https://bugzilla.redhat.com/show_bug.cgi?id=2136379
- https://bugzilla.redhat.com/show_bug.cgi?id=2136381
- https://bugzilla.redhat.com/show_bug.cgi?id=2136382
- https://bugzilla.redhat.com/show_bug.cgi?id=2136383
- https://bugzilla.redhat.com/show_bug.cgi?id=2136386
- https://bugzilla.redhat.com/show_bug.cgi?id=2136388
- https://bugzilla.redhat.com/show_bug.cgi?id=2136391
- https://bugzilla.redhat.com/show_bug.cgi?id=2145194
- https://bugzilla.redhat.com/show_bug.cgi?id=2150009
- https://bugzilla.redhat.com/show_bug.cgi?id=2164278
- https://bugzilla.redhat.com/show_bug.cgi?id=2170039
- https://bugzilla.redhat.com/show_bug.cgi?id=2170041
- https://bugzilla.redhat.com/show_bug.cgi?id=2177632
- https://bugzilla.redhat.com/show_bug.cgi?id=2177634
- https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_3198.json