RHSA-2024:0778HighCVSS 9.8

Red Hat Security Advisory: Jenkins and Jenkins-2-plugins security update

Published
February 12, 2024
Last Modified
June 29, 2026

🔗 CVE IDs covered (24)

📋 Description

CVE-2020-7692 — google-oauth-client: missing PKCE support in accordance with the RFC for OAuth 2.0 for Native Apps can lead to improper authorization CVE-2021-26291 — maven: Block repositories using http by default CVE-2022-1962 — golang: go/parser: stack exhaustion in all Parse* functions CVE-2022-25857 — snakeyaml: Denial of Service due to missing nested depth limitation for collections CVE-2022-29599 — maven-shared-utils: Command injection via Commandline class CVE-2022-42889 — apache-commons-text: variable interpolation RCE CVE-2023-2976 — guava: insecure temporary directory creation CVE-2023-20861 — springframework: Spring Expression DoS Vulnerability CVE-2023-20862 — spring-security: Empty SecurityContext Is Not Properly Saved Upon Logout CVE-2023-24422 — jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script Security Plugin CVE-2023-25761 — jenkins-2-plugins/JUnit: Stored XSS vulnerability in JUnit Plugin CVE-2023-25762 — jenkins-2-plugins/pipeline-build-step: Stored XSS vulnerability in Pipeline: Build Step Plugin CVE-2023-26048 — jetty-server: OutOfMemoryError for large multipart without filename read via request.getParameter() CVE-2023-26049 — jetty-server: Cookie parsing of quoted values can exfiltrate values from other cookies CVE-2023-27903 — Jenkins: Temporary file parameter created with insecure permissions CVE-2023-27904 — Jenkins: Information disclosure through error stack traces related to agents CVE-2023-37947 — Jenkins: Open redirect vulnerability in OpenShift Login Plugin CVE-2023-40167 — jetty: Improper validation of HTTP/1 content-length CVE-2023-40337 — jenkins-plugins: cloudbees-folder: CSRF vulnerability in Folders Plugin CVE-2023-40338 — jenkins-plugins: cloudbees-folder: Information disclosure in Folders Plugin CVE-2023-40339 — jenkins-plugins: config-file-provider: Improper masking of credentials in Config File Provider Plugin CVE-2023-40341 — jenkins-plugins: blueocean: CSRF vulnerability in Blue Ocean Plugin allows capturing credentials CVE-2024-23897 — jenkins: Arbitrary file read vulnerability through the CLI can lead to RCE CVE-2024-23898 — jenkins: cross-site WebSocket hijacking

🔗 References (57)