Jenkins Pipeline: Shared Groovy Libraries Plugin 564.ve62a_4eb_b_e039 and earlier, except 2.21.3, allows attackers able to submit pull requests (or equivalent), but not able to commit directly to the configured SCM, to effectively change the Pipeline behavior by changing the definition of a dynamically retrieved library in their pull request, even if the Pipeline is configured to not trust them.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:0017 advisory.

    Red Hat OpenShift Container Platform is Red Hat's cloud computing     Kubernetes application platform solution designed for on-premise or private     cloud deployments.

    This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.8.56. See the following     advisory for the container images for this release:

    https://access.redhat.com/errata/RHBA-2023:0018

    Security Fix(es):

    * Pipeline Shared Groovy Libraries: Untrusted users can modify some     Pipeline libraries in Pipeline Shared Groovy Libraries Plugin     (CVE-2022-29047)
    * Jenkins plugin: Sandbox bypass vulnerability through implicitly     allowlisted platform Groovy files in Pipeline: Groovy Plugin     (CVE-2022-30945)
    * Jenkins plugin: Mercurial SCM plugin can check out from the controller     file system (CVE-2022-30948)
    * jenkins-plugin: Arbitrary file write vulnerability in Pipeline Input Step     Plugin (CVE-2022-34177)
    * jenkins-plugin: Man-in-the-Middle (MitM) in     org.jenkins-ci.plugins:git-client (CVE-2022-36881)
    * http2-server: Invalid HTTP/2 requests cause DoS (CVE-2022-2048)
    * Jenkins plugin: CSRF vulnerability in Script Security Plugin     (CVE-2022-30946)
    * Jenkins plugin: User-scoped credentials exposed to other users by     Pipeline SCM API for Blue Ocean Plugin (CVE-2022-30952)
    * Jenkins plugin: CSRF vulnerability in Blue Ocean Plugin (CVE-2022-30953)
    * Jenkins plugin: missing permission checks in Blue Ocean Plugin     (CVE-2022-30954)
    * jenkins: Observable timing discrepancy allows determining username     validity (CVE-2022-34174)
    * jenkins-plugin/junit: Stored XSS vulnerability in JUnit Plugin     (CVE-2022-34176)
    * jenkins-plugin: Cross-site Request Forgery (CSRF) in     org.jenkins-ci.plugins:git (CVE-2022-36882)
    * jenkins plugin: Lack of authentication mechanism in Git Plugin webhook     (CVE-2022-36883)
    * jenkins plugin: Lack of authentication mechanism in Git Plugin webhook     (CVE-2022-36884)
    * jenkins plugin: Non-constant time webhook signature comparison in GitHub     Plugin (CVE-2022-36885)

    For more details about the security issue(s), including the impact, a CVSS     score, acknowledgments, and other related information, refer to the CVE     page(s)     listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2023:1064 advisory.

    Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a     software project or jobs run by cron.

    Security Fix(es):

    * jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin     (CVE-2022-43401)

    * jenkins-plugin/workflow-cps: Sandbox bypass vulnerabilities in Pipeline: Groovy Plugin (CVE-2022-43402)

    * jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin     (CVE-2022-43403)

    * jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin     (CVE-2022-43404)

    * jenkins-plugin/pipeline-groovy-lib: Sandbox bypass vulnerability in Pipeline: Groovy Libraries Plugin     (CVE-2022-43405)

    * jenkins-plugin/workflow-cps-global-lib: Sandbox bypass vulnerability in Pipeline: Deprecated Groovy     Libraries Plugin (CVE-2022-43406)

    * Pipeline Shared Groovy Libraries: Untrusted users can modify some Pipeline libraries in Pipeline Shared     Groovy Libraries Plugin (CVE-2022-29047)

    * jenkins-plugin/pipeline-input-step: CSRF protection for any URL can be bypassed in Pipeline: Input Step     Plugin (CVE-2022-43407)

    * mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)

    * Jenkins plugin: User-scoped credentials exposed to other users by Pipeline SCM API for Blue Ocean Plugin     (CVE-2022-30952)

    * jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)

    * jackson-databind: use of deeply nested arrays (CVE-2022-42004)

    * jenkins-plugin/pipeline-stage-view: CSRF protection for any URL can be bypassed in Pipeline: Stage View     Plugin (CVE-2022-43408)

    * jenkins-plugin/workflow-support: Stored XSS vulnerability in Pipeline: Supporting APIs Plugin     (CVE-2022-43409)

    * jenkins-plugin/mercurial: Webhook endpoint discloses job names to unauthorized users in Mercurial Plugin     (CVE-2022-43410)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Red Hat Enterprise Linux CoreOS 4 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:0017 advisory.

  - In Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error     handling has a bug that can wind up not properly cleaning up the active connections and associated     resources. This can lead to a Denial of Service scenario where there are no enough resources left to     process good requests. (CVE-2022-2048)

  - Jenkins Pipeline: Shared Groovy Libraries Plugin 564.ve62a_4eb_b_e039 and earlier, except 2.21.3, allows     attackers able to submit pull requests (or equivalent), but not able to commit directly to the configured     SCM, to effectively change the Pipeline behavior by changing the definition of a dynamically retrieved     library in their pull request, even if the Pipeline is configured to not trust them. (CVE-2022-29047)

  - Jenkins Pipeline: Groovy Plugin 2689.v434009a_31b_f1 and earlier allows loading any Groovy source files on     the classpath of Jenkins and Jenkins plugins in sandboxed pipelines. (CVE-2022-30945)

  - A cross-site request forgery (CSRF) vulnerability in Jenkins Script Security Plugin 1158.v7c1b_73a_69a_08     and earlier allows attackers to have Jenkins send an HTTP request to an attacker-specified webserver.
    (CVE-2022-30946)

  - Jenkins Mercurial Plugin 2.16 and earlier allows attackers able to configure pipelines to check out some     SCM repositories stored on the Jenkins controller's file system using local paths as SCM URLs, obtaining     limited information about other projects' SCM contents. (CVE-2022-30948)

  - Jenkins Pipeline SCM API for Blue Ocean Plugin 1.25.3 and earlier allows attackers with Job/Configure     permission to access credentials with attacker-specified IDs stored in the private per-user credentials     stores of any attacker-specified user in Jenkins. (CVE-2022-30952)

  - A cross-site request forgery (CSRF) vulnerability in Jenkins Blue Ocean Plugin 1.25.3 and earlier allows     attackers to connect to an attacker-specified HTTP server. (CVE-2022-30953)

  - Jenkins Blue Ocean Plugin 1.25.3 and earlier does not perform a permission check in several HTTP     endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified HTTP     server. (CVE-2022-30954)

  - In Jenkins 2.355 and earlier, LTS 2.332.3 and earlier, an observable timing discrepancy on the login form     allows distinguishing between login attempts with an invalid username, and login attempts with a valid     username and wrong password, when using the Jenkins user database security realm. (CVE-2022-34174)

  - Jenkins JUnit Plugin 1119.va_a_5e9068da_d7 and earlier does not escape descriptions of test results,     resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Run/Update     permission. (CVE-2022-34176)

  - Jenkins Pipeline: Input Step Plugin 448.v37cea_9a_10a_70 and earlier archives files uploaded for `file`     parameters for Pipeline `input` steps on the controller as part of build metadata, using the parameter     name without sanitization as a relative path inside a build-related directory, allowing attackers able to     configure Pipelines to create or replace arbitrary files on the Jenkins controller file system with     attacker-specified content. (CVE-2022-34177)

  - jenkins-plugin: Man-in-the-Middle (MitM) in org.jenkins-ci.plugins:git-client (CVE-2022-36881)

  - A cross-site request forgery (CSRF) vulnerability in Jenkins Git Plugin 4.11.3 and earlier allows     attackers to trigger builds of jobs configured to use an attacker-specified Git repository and to cause     them to check out an attacker-specified commit. (CVE-2022-36882)

  - A missing permission check in Jenkins Git Plugin 4.11.3 and earlier allows unauthenticated attackers to     trigger builds of jobs configured to use an attacker-specified Git repository and to cause them to check     out an attacker-specified commit. (CVE-2022-36883)

  - The webhook endpoint in Jenkins Git Plugin 4.11.3 and earlier provide unauthenticated attackers     information about the existence of jobs configured to use an attacker-specified Git repository.
    (CVE-2022-36884)

  - Jenkins GitHub Plugin 1.34.4 and earlier uses a non-constant time comparison function when checking     whether the provided and computed webhook signatures are equal, allowing attackers to use statistical     methods to obtain a valid webhook signature. (CVE-2022-36885)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2022:4909 advisory.

    Red Hat OpenShift Container Platform is Red Hat's cloud computing     Kubernetes application platform solution designed for on-premise or private     cloud deployments.

    This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.7.52. See the following     advisory for the container images for this release:

    https://access.redhat.com/errata/RHBA-2022:4910

    Security Fix(es):

    * Pipeline Shared Groovy Libraries: Untrusted users can modify some     Pipeline libraries in Pipeline Shared Groovy Libraries Plugin     (CVE-2022-29047)
    * subversion: Stored XSS vulnerabilities in Jenkins subversion plugin     (CVE-2022-29046)
    * credentials: Stored XSS vulnerabilities in jenkins plugin     (CVE-2022-29036)

    For more details about the security issue(s), including the impact, a CVSS     score, acknowledgments, and other related information, refer to the CVE     page(s)     listed in the References section.

    All OpenShift Container Platform 4.7 users are advised to upgrade to these updated packages and images     when they are available in the appropriate release channel. To check for available updates, use the     OpenShift Console or the CLI oc command. Instructions for upgrading a cluster are available at     https://docs.openshift.com/container-platform/4.7/updating/updating-cluster-cli.html

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its their self-reported version number, the version of Jenkins plugins running on the remote web server are Jenkins CVS Plugin prior to 2.19.1, Credentials Plugin prior to 1112., Extended Choice Parameter Plugin 346. or earlier, Gerrit Trigger Plugin prior to 2.35.3, Git Parameter Plugin prior to 0.9.16, Google Compute Engine Plugin prior to 4.3.9, Jira Plugin prior to 3.7.1, Job Generator Plugin 1.22 or earlier, Mask Passwords Plugin prior to 3.1, Node and Label parameter Plugin prior to 1.10.3.1, Pipeline: Shared Groovy Libraries Plugin prior to 566., Publish Over FTP Plugin prior to 1.17, Subversion Plugin prior to 2.15.4, promoted builds Plugin prior to 876.. They are, therefore, affected by multiple vulnerabilities:

  - Jenkins Credentials Plugin 1111.v35a_307992395 and earlier, except 1087.1089.v2f1b_9a_b_040e4,     1074.1076.v39c30cecb_0e2, and 2.6.1.1, does not escape the name and description of Credentials parameters     on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable     by attackers with Item/Configure permission. (CVE-2022-29036)

  - Jenkins Extended Choice Parameter Plugin 346.vd87693c5a_86c and earlier does not escape the name and     description of Extended Choice parameters on views displaying parameters, resulting in a stored cross-site     scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. (CVE-2022-29038)

  - Jenkins Gerrit Trigger Plugin 2.35.2 and earlier does not escape the name and description of Base64     Encoded String parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS)     vulnerability exploitable by attackers with Item/Configure permission. (CVE-2022-29039)

  - Jenkins Git Parameter Plugin 0.9.15 and earlier does not escape the name and description of Git parameters     on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable     by attackers with Item/Configure permission. (CVE-2022-29040)

  - Jenkins Jira Plugin 3.7 and earlier, except 3.6.1, does not escape the name and description of Jira Issue     and Jira Release Version parameters on views displaying parameters, resulting in a stored cross-site     scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. (CVE-2022-29041)

  - Jenkins Job Generator Plugin 1.22 and earlier does not escape the name and description of Generator     Parameter and Generator Choice parameters on Job Generator jobs' Build With Parameters views, resulting in     a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
    (CVE-2022-29042)

  - Jenkins Mask Passwords Plugin 3.0 and earlier does not escape the name and description of Non-Stored     Password parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS)     vulnerability exploitable by attackers with Item/Configure permission. (CVE-2022-29043)

  - Jenkins Node and Label parameter Plugin 1.10.3 and earlier does not escape the name and description of     Node and Label parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS)     vulnerability exploitable by attackers with Item/Configure permission. (CVE-2022-29044)

  - Jenkins promoted builds Plugin 873.v6149db_d64130 and earlier, except 3.10.1, does not escape the name and     description of Promoted Build parameters on views displaying parameters, resulting in a stored cross-site     scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. (CVE-2022-29045)

  - Jenkins Subversion Plugin 2.15.3 and earlier does not escape the name and description of List Subversion     tags (and more) parameters on views displaying parameters, resulting in a stored cross-site scripting     (XSS) vulnerability exploitable by attackers with Item/Configure permission. (CVE-2022-29046)

  - Jenkins Pipeline: Shared Groovy Libraries Plugin 564.ve62a_4eb_b_e039 and earlier, except 2.21.3, allows     attackers able to submit pull requests (or equivalent), but not able to commit directly to the configured     SCM, to effectively change the Pipeline behavior by changing the definition of a dynamically retrieved     library in their pull request, even if the Pipeline is configured to not trust them. (CVE-2022-29047)

  - A cross-site request forgery (CSRF) vulnerability in Jenkins Subversion Plugin 2.15.3 and earlier allows     attackers to connect to an attacker-specified URL. (CVE-2022-29048)

  - Jenkins promoted builds Plugin 873.v6149db_d64130 and earlier, except 3.10.1, does not validate the names     of promotions defined in Job DSL, allowing attackers with Job/Configure permission to create a promotion     with an unsafe name. (CVE-2022-29049)

  - A cross-site request forgery (CSRF) vulnerability in Jenkins Publish Over FTP Plugin 1.16 and earlier     allows attackers to connect to an FTP server using attacker-specified credentials. (CVE-2022-29050)

  - Missing permission checks in Jenkins Publish Over FTP Plugin 1.16 and earlier allow attackers with     Overall/Read permission to connect to an FTP server using attacker-specified credentials. (CVE-2022-29051)

  - Jenkins Google Compute Engine Plugin 4.3.8 and earlier stores private keys unencrypted in cloud agent     config.xml files on the Jenkins controller where they can be viewed by users with Extended Read     permission, or access to the Jenkins controller file system. (CVE-2022-29052)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2022:2205 advisory.

    Red Hat OpenShift Container Platform is Red Hat's cloud computing     Kubernetes application platform solution designed for on-premise or private     cloud deployments.

    This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.9.33. See the following     advisory for the container images for this release:

    https://access.redhat.com/errata/RHBA-2022:2206

    Security Fix(es):

    * Jira: Stored XSS vulnerabilities in Jenkins Jira plugin (CVE-2022-29041)
    * subversion: Stored XSS vulnerabilities in Jenkins subversion plugin     (CVE-2022-29046)
    * Pipeline Shared Groovy Libraries: Untrusted users can modify some     Pipeline libraries in Pipeline Shared Groovy Libraries Plugin     (CVE-2022-29047)
    * credentials: Stored XSS vulnerabilities in jenkins plugin     (CVE-2022-29036)

    For more details about the security issue(s), including the impact, a CVSS     score, acknowledgments, and other related information, refer to the CVE     page(s) listed in the References section.

    All OpenShift Container Platform 4.9 users are advised to upgrade to these updated packages and images     when they are available in the appropriate release channel. To check for available updates, use the     OpenShift Console or the CLI oc command. Instructions for upgrading a cluster are available at     https://docs.openshift.com/container-platform/4.9/updating/updating-cluster-cli.html

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Jenkins Enterprise or Jenkins Operations Center running on the remote web server is 2.303.x prior to 2.303.30.0.10, or 2.x prior to 2.332.2.6. It is, therefore, affected by multiple vulnerabilities, including the following:

  - Jenkins Pipeline: Shared Groovy Libraries Plugin 564.ve62a_4eb_b_e039 and earlier, except 2.21.3, allows     attackers able to submit pull requests (or equivalent), but not able to commit directly to the configured     SCM, to effectively change the Pipeline behavior by changing the definition of a dynamically retrieved     library in their pull request, even if the Pipeline is configured to not trust them. (CVE-2022-29047)

  - A cross-site request forgery (CSRF) vulnerability in Jenkins Subversion Plugin 2.15.3 and earlier allows     attackers to connect to an attacker-specified URL. (CVE-2022-29048)

  - A cross-site request forgery (CSRF) vulnerability in Jenkins Publish Over FTP Plugin 1.16 and earlier     allows attackers to connect to an FTP server using attacker-specified credentials. (CVE-2022-29050)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
194338	RHEL 8 : OpenShift Container Platform 4.8.56 (RHSA-2023:0017)	Nessus	Red Hat Local Security Checks	high
194221	RHEL 8 : OpenShift Developer Tools and Services for OCP 4.12 (RHSA-2023:1064)	Nessus	Red Hat Local Security Checks	critical
189418	RHCOS 4 : OpenShift Container Platform 4.8.56 (RHSA-2023:0017)	Nessus	Red Hat Local Security Checks	high
164855	RHEL 8 : OpenShift Container Platform 4.7.52 paackages (RHSA-2022:4909)	Nessus	Red Hat Local Security Checks	medium
161440	Jenkins plugins Multiple Vulnerabilities (2022-04-12)	Nessus	CGI abuses	high
161355	RHEL 8 : OpenShift Container Platform 4.9.33 (RHSA-2022:2205)	Nessus	Red Hat Local Security Checks	medium
161210	Jenkins Enterprise and Operations Center 2.303.x < 2.303.30.0.10 / 2.332.2.6 Multiple Vulnerabilities (CloudBees Security Advisory 2022-04-12)	Nessus	CGI abuses	high

Detections

Analytics

CVE-2022-29047

medium

Tenable Plugins

high

critical

high

medium

high

medium

high