Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
redhatRedHatRHSA-2023:3610
HistoryJun 15, 2023 - 12:10 a.m.

(RHSA-2023:3610) Important: jenkins and jenkins-2-plugins security update

2023-06-1500:10:54
access.redhat.com
17
continuous integration server
security fix
command injection
uncontrolled resource consumption
security bypass
sandbox bypass
stored xss
csrf vulnerability
missing permission checks
dos vulnerability
arbitrary file write
memory exhaustion

0.025 Low

EPSS

Percentile

90.3%

JSON

Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron.

Security Fix(es):

  • maven-shared-utils: Command injection via Commandline class (CVE-2022-29599)

  • json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)

  • springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern (CVE-2023-20860)

  • jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script Security Plugin (CVE-2023-24422)

  • jenkins-2-plugin: workflow-job: Stored XSS vulnerability in Pipeline: Job Plugin (CVE-2023-32977)

  • jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode (CVE-2021-46877)

  • Jenkins plugin: CSRF vulnerability in Blue Ocean Plugin (CVE-2022-30953)

  • Jenkins plugin: missing permission checks in Blue Ocean Plugin (CVE-2022-30954)

  • jettison: parser crash by stackoverflow (CVE-2022-40149)

  • net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding (CVE-2022-41723)

  • jettison: If the value in map is the map’s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos (CVE-2022-45693)

  • springframework: Spring Expression DoS Vulnerability (CVE-2023-20861)

  • jenkins-2-plugin: pipeline-utility-steps: Arbitrary file write vulnerability on agents in Pipeline Utility Steps Plugin (CVE-2023-32981)

  • jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Related

nessus 29
redhat 7
openvas 10
osv 28
ubuntu 1
debian 3
ibm 22
spring 1
redhatcve 10
amazon 2
prion 9
cve 11
alpinelinux 2
veracode 10
cvelist 9
github 12
ubuntucve 5
nvd 11
atlassian 4
debiancve 5
oraclelinux 1
f5 2
broadcom 1
wolfi 1
almalinux 2
cnvd 1
nessus
nessus
RHEL 8 : jenkins and jenkins-2-plugins (RHSA-2023:3610)
2024-04-28 00:00:00
RHEL 8 : jenkins and jenkins-2-plugins (RHSA-2023:3622)
2024-04-28 00:00:00
Debian DSA-5312-1 : libjettison-java - security update
2023-01-11 00:00:00
redhat
redhat
(RHSA-2023:3622) Important: jenkins and jenkins-2-plugins security update
2023-06-15 08:57:39
(RHSA-2023:3771) Important: Red Hat Virtualization security and bug fix update
2023-06-21 19:50:23
(RHSA-2023:3625) Important: OpenShift Container Platform 4.10.62 security update
2023-06-23 17:32:40
openvas
openvas
Debian: Security Advisory (DSA-5312-1)
2023-01-12 00:00:00
Ubuntu: Security Advisory (USN-6177-1)
2023-06-20 00:00:00
VMware Spring Framework 5.3.x < 5.3.26, 6.0.x < 6.0.7 Security Bypass Vulnerability - Windows
2023-03-21 00:00:00
osv
osv
libjettison-java vulnerabilities
2023-06-19 11:39:43
libjettison-java - security update
2023-01-10 00:00:00
libjettison-java - security update
2022-12-31 00:00:00
ubuntu
ubuntu
Jettison vulnerabilities
2023-06-19 00:00:00
debian
debian
[SECURITY] [DSA 5312-1] libjettison-java security update
2023-01-10 23:10:35
[SECURITY] [DLA 3259-1] libjettison-java security update
2022-12-31 17:25:15
[SECURITY] [DLA 3184-1] libjettison-java security update
2022-11-10 11:04:03
ibm
ibm
Security Bulletin: Vulnerability in Jettison affects IBM Process Mining . Multiple CVEs
2024-01-05 16:45:03
Security Bulletin: IBM Operational Decision Manager April 2023 - Multiple CVEs
2023-05-22 09:01:51
Security Bulletin: IBM UrbanCode Deploy (UCD) is vulnerable to denial of service due to Jettison-json (CVE-2022-40149, CVE-2022-40150)
2022-11-28 14:09:17
spring
spring
This Week in Spring - March 21st, 2023
2023-03-21 00:00:00
redhatcve
redhatcve
CVE-2023-20860
2023-03-24 13:07:33
CVE-2023-20861
2023-03-24 13:07:29
CVE-2023-24422
2023-01-25 04:05:54
amazon
amazon
Important: jettison
2023-06-07 23:52:00
Medium: jettison
2023-11-29 22:20:00
prion
prion
Cross site scripting
2023-05-16 16:15:00
Security feature bypass
2023-01-26 21:18:00
Arbitrary file deletion
2023-05-16 16:15:00
cve
cve
CVE-2023-32977
2023-05-16 16:15:10
CVE-2023-20861
2023-03-23 21:15:19
CVE-2023-32981
2023-05-16 16:15:10
alpinelinux
alpinelinux
CVE-2023-32977
2023-05-16 16:15:10
CVE-2023-24422
2023-01-26 21:18:16
veracode
veracode
Cross-site Scripting (XSS)
2023-05-28 14:43:44
Security Bypass
2023-03-30 02:11:25
Denial Of Service (DoS)
2022-12-14 08:43:03
cvelist
cvelist
CVE-2023-32977
2023-05-16 15:59:58
CVE-2023-24422
2023-01-24 00:00:00
CVE-2023-32981
2023-05-16 16:00:03
github
github
Jenkins Pipeline: Job Plugin vulnerable to stored Cross-site Scripting
2023-05-16 18:30:16
Sandbox bypass in Jenkins Script Security Plugin
2023-01-26 21:30:19
Jettison parser crash by stackoverflow
2022-09-17 00:00:41
ubuntucve
ubuntucve
CVE-2023-20861
2023-03-23 00:00:00
CVE-2023-20860
2023-03-27 00:00:00
CVE-2022-45693
2022-12-13 00:00:00
nvd
nvd
CVE-2023-32977
2023-05-16 16:15:10
CVE-2023-32981
2023-05-16 16:15:10
CVE-2023-20860
2023-03-27 22:15:21
atlassian
atlassian
DoS (Denial of Service) org.codehaus.jettison:jettison Dependency in Jira Software Data Center and Server
2024-02-14 10:47:01
DoS (Denial of Service) org.codehaus.jettison:jettison Dependency in Jira Software Data Center and Server
2024-02-14 10:46:54
jackson-databind Vulnerability in Jira Service Management Data Center and Server
2023-10-09 01:44:33
debiancve
debiancve
CVE-2022-40149
2022-09-16 10:15:09
CVE-2022-40150
2022-09-16 10:15:09
CVE-2023-20860
2023-03-27 22:15:21
oraclelinux
oraclelinux
maven-shared-utils security update
2022-04-29 00:00:00
f5
f5
K000134681 : Spring Framework vulnerability CVE-2023-20861
2023-05-19 00:00:00
K000134500 : Spring Framework vulnerability CVE-2023-20860
2023-05-08 00:00:00
broadcom
broadcom
Spring Expression DoS Vulnerability (CVE-2023-20861)
2024-04-16 00:00:00
wolfi
wolfi
CVE-2021-46877 vulnerabilities
2024-05-29 03:07:31
almalinux
almalinux
Important: maven:3.5 security update
2022-05-30 11:39:15
Important: maven:3.6 security update
2022-05-30 11:39:17
cnvd
cnvd
Apache Maven Command Injection Vulnerability
2022-04-28 00:00:00

0.025 Low

EPSS

Percentile

90.3%

JSON
Related for RHSA-2023:3610
nessus29redhat7openvas10osv28ubuntu1debian3ibm22spring1redhatcve10amazon2prion9cve11alpinelinux2veracode10cvelist9github12ubuntucve5nvd11atlassian4debiancve5oraclelinux1f52broadcom1wolfi1almalinux2cnvd1