In Jenkins 2.355 and earlier, LTS 2.332.3 and earlier, an observable timing discrepancy on the login form allows distinguishing between login attempts with an invalid username, and login attempts with a valid username and wrong password, when using the Jenkins user database security realm.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:0777 advisory.

  - google-oauth-client: missing PKCE support in accordance with the RFC for OAuth 2.0 for Native Apps can     lead to improper authorization (CVE-2020-7692)

  - SnakeYaml: Constructor Deserialization Remote Code Execution (CVE-2022-1471)

  - http2-server: Invalid HTTP/2 requests cause DoS (CVE-2022-2048)

  - snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)

  - Jenkins plugin: CSRF vulnerability in Script Security Plugin (CVE-2022-30946)

  - Jenkins plugin: User-scoped credentials exposed to other users by Pipeline SCM API for Blue Ocean Plugin     (CVE-2022-30952)

  - Jenkins plugin: CSRF vulnerability in Blue Ocean Plugin (CVE-2022-30953)

  - Jenkins plugin: missing permission checks in Blue Ocean Plugin (CVE-2022-30954)

  - jenkins: Observable timing discrepancy allows determining username validity (CVE-2022-34174)

  - jenkins-plugin: Cross-site Request Forgery (CSRF) in org.jenkins-ci.plugins:git (CVE-2022-36882)

  - jenkins plugin: Lack of authentication mechanism in Git Plugin webhook (CVE-2022-36883, CVE-2022-36884)

  - jenkins plugin: Non-constant time webhook signature comparison in GitHub Plugin (CVE-2022-36885)

  - jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin     (CVE-2022-43401, CVE-2022-43403, CVE-2022-43404)

  - jenkins-plugin/workflow-cps: Sandbox bypass vulnerabilities in Pipeline: Groovy Plugin (CVE-2022-43402)

  - jenkins-plugin/pipeline-groovy-lib: Sandbox bypass vulnerability in Pipeline: Groovy Libraries Plugin     (CVE-2022-43405)

  - jenkins-plugin/workflow-cps-global-lib: Sandbox bypass vulnerability in Pipeline: Deprecated Groovy     Libraries Plugin (CVE-2022-43406)

  - jenkins-plugin/pipeline-input-step: CSRF protection for any URL can be bypassed in Pipeline: Input Step     Plugin (CVE-2022-43407)

  - jenkins-plugin/pipeline-stage-view: CSRF protection for any URL can be bypassed in Pipeline: Stage View     Plugin (CVE-2022-43408)

  - jenkins-plugin/workflow-support: Stored XSS vulnerability in Pipeline: Supporting APIs Plugin     (CVE-2022-43409)

  - mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)

  - jenkins-plugin/script-security: Whole-script approval in Script Security Plugin vulnerable to SHA-1     collisions (CVE-2022-45379)

  - jenkins-plugin/JUnit: Stored XSS vulnerability in JUnit Plugin (CVE-2022-45380)

  - jenkins-plugin/pipeline-utility-steps: Arbitrary file read vulnerability in Pipeline Utility Steps Plugin     (CVE-2022-45381)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Red Hat Enterprise Linux CoreOS 4 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:0777 advisory.

  - PKCE support is not implemented in accordance with the RFC for OAuth 2.0 for Native Apps. Without the use     of PKCE, the authorization code returned by an authorization server is not enough to guarantee that the     client that issued the initial authorization request is the one that will be authorized. An attacker is     able to obtain the authorization code using a malicious app on the client-side and use it to gain     authorization to the protected resource. This affects the package com.google.oauth-client:google-oauth-     client before 1.31.0. (CVE-2020-7692)

  - SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization.
    Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using     SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend     upgrading to version 2.0 and beyond. (CVE-2022-1471)

  - In Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error     handling has a bug that can wind up not properly cleaning up the active connections and associated     resources. This can lead to a Denial of Service scenario where there are no enough resources left to     process good requests. (CVE-2022-2048)

  - The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due     missing to nested depth limitation for collections. (CVE-2022-25857)

  - A cross-site request forgery (CSRF) vulnerability in Jenkins Script Security Plugin 1158.v7c1b_73a_69a_08     and earlier allows attackers to have Jenkins send an HTTP request to an attacker-specified webserver.
    (CVE-2022-30946)

  - Jenkins Pipeline SCM API for Blue Ocean Plugin 1.25.3 and earlier allows attackers with Job/Configure     permission to access credentials with attacker-specified IDs stored in the private per-user credentials     stores of any attacker-specified user in Jenkins. (CVE-2022-30952)

  - A cross-site request forgery (CSRF) vulnerability in Jenkins Blue Ocean Plugin 1.25.3 and earlier allows     attackers to connect to an attacker-specified HTTP server. (CVE-2022-30953)

  - Jenkins Blue Ocean Plugin 1.25.3 and earlier does not perform a permission check in several HTTP     endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified HTTP     server. (CVE-2022-30954)

  - In Jenkins 2.355 and earlier, LTS 2.332.3 and earlier, an observable timing discrepancy on the login form     allows distinguishing between login attempts with an invalid username, and login attempts with a valid     username and wrong password, when using the Jenkins user database security realm. (CVE-2022-34174)

  - A cross-site request forgery (CSRF) vulnerability in Jenkins Git Plugin 4.11.3 and earlier allows     attackers to trigger builds of jobs configured to use an attacker-specified Git repository and to cause     them to check out an attacker-specified commit. (CVE-2022-36882)

  - A missing permission check in Jenkins Git Plugin 4.11.3 and earlier allows unauthenticated attackers to     trigger builds of jobs configured to use an attacker-specified Git repository and to cause them to check     out an attacker-specified commit. (CVE-2022-36883)

  - The webhook endpoint in Jenkins Git Plugin 4.11.3 and earlier provide unauthenticated attackers     information about the existence of jobs configured to use an attacker-specified Git repository.
    (CVE-2022-36884)

  - Jenkins GitHub Plugin 1.34.4 and earlier uses a non-constant time comparison function when checking     whether the provided and computed webhook signatures are equal, allowing attackers to use statistical     methods to obtain a valid webhook signature. (CVE-2022-36885)

  - A sandbox bypass vulnerability involving various casts performed implicitly by the Groovy language runtime     in Jenkins Script Security Plugin 1183.v774b_0b_0a_a_451 and earlier allows attackers with permission to     define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute     arbitrary code in the context of the Jenkins controller JVM. (CVE-2022-43401)

  - A sandbox bypass vulnerability involving various casts performed implicitly by the Groovy language runtime     in Jenkins Pipeline: Groovy Plugin 2802.v5ea_628154b_c2 and earlier allows attackers with permission to     define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute     arbitrary code in the context of the Jenkins controller JVM. (CVE-2022-43402)

  - A sandbox bypass vulnerability involving casting an array-like value to an array type in Jenkins Script     Security Plugin 1183.v774b_0b_0a_a_451 and earlier allows attackers with permission to define and run     sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the     context of the Jenkins controller JVM. (CVE-2022-43403)

  - A sandbox bypass vulnerability involving crafted constructor bodies and calls to sandbox-generated     synthetic constructors in Jenkins Script Security Plugin 1183.v774b_0b_0a_a_451 and earlier allows     attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox     protection and execute arbitrary code in the context of the Jenkins controller JVM. (CVE-2022-43404)

  - A sandbox bypass vulnerability in Jenkins Pipeline: Groovy Libraries Plugin 612.v84da_9c54906d and earlier     allows attackers with permission to define untrusted Pipeline libraries and to define and run sandboxed     scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context     of the Jenkins controller JVM. (CVE-2022-43405)

  - A sandbox bypass vulnerability in Jenkins Pipeline: Deprecated Groovy Libraries Plugin 583.vf3b_454e43966     and earlier allows attackers with permission to define untrusted Pipeline libraries and to define and run     sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the     context of the Jenkins controller JVM. (CVE-2022-43406)

  - Jenkins Pipeline: Input Step Plugin 451.vf1a_a_4f405289 and earlier does not restrict or sanitize the     optionally specified ID of the 'input' step, which is used for the URLs that process user interactions for     the given 'input' step (proceed or abort) and is not correctly encoded, allowing attackers able to     configure Pipelines to have Jenkins build URLs from 'input' step IDs that would bypass the CSRF protection     of any target URL in Jenkins when the 'input' step is interacted with. (CVE-2022-43407)

  - Jenkins Pipeline: Stage View Plugin 2.26 and earlier does not correctly encode the ID of 'input' steps     when using it to generate URLs to proceed or abort Pipeline builds, allowing attackers able to configure     Pipelines to specify 'input' step IDs resulting in URLs that would bypass the CSRF protection of any     target URL in Jenkins. (CVE-2022-43408)

  - Jenkins Pipeline: Supporting APIs Plugin 838.va_3a_087b_4055b and earlier does not sanitize or properly     encode URLs of hyperlinks sending POST requests in build logs, resulting in a stored cross-site scripting     (XSS) vulnerability exploitable by attackers able to create Pipelines. (CVE-2022-43409)

  - Class org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider in Apache MINA SSHD <= 2.9.1 uses     Java deserialization to load a serialized java.security.PrivateKey. The class is one of several     implementations that an implementor using Apache MINA SSHD can choose for loading the host keys of an SSH     server. (CVE-2022-45047)

  - Jenkins Script Security Plugin 1189.vb_a_b_7c8fd5fde and earlier stores whole-script approvals as the     SHA-1 hash of the script, making it vulnerable to collision attacks. (CVE-2022-45379)

  - Jenkins JUnit Plugin 1159.v0b_396e1e07dd and earlier converts HTTP(S) URLs in test report output to     clickable links in an unsafe manner, resulting in a stored cross-site scripting (XSS) vulnerability     exploitable by attackers with Item/Configure permission. (CVE-2022-45380)

  - Jenkins Pipeline Utility Steps Plugin 2.13.1 and earlier does not restrict the set of enabled prefix     interpolators and bundles versions of Apache Commons Configuration library that enable the 'file:' prefix     interpolator by default, allowing attackers able to configure Pipelines to read arbitrary files from the     Jenkins controller file system. (CVE-2022-45381)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Red Hat Enterprise Linux CoreOS 4 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:0697 advisory.

  - SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization.
    Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using     SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend     upgrading to version 2.0 and beyond. (CVE-2022-1471)

  - In Jenkins 2.355 and earlier, LTS 2.332.3 and earlier, an observable timing discrepancy on the login form     allows distinguishing between login attempts with an invalid username, and login attempts with a valid     username and wrong password, when using the Jenkins user database security realm. (CVE-2022-34174)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Red Hat Enterprise Linux CoreOS 4 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:0017 advisory.

  - In Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error     handling has a bug that can wind up not properly cleaning up the active connections and associated     resources. This can lead to a Denial of Service scenario where there are no enough resources left to     process good requests. (CVE-2022-2048)

  - Jenkins Pipeline: Shared Groovy Libraries Plugin 564.ve62a_4eb_b_e039 and earlier, except 2.21.3, allows     attackers able to submit pull requests (or equivalent), but not able to commit directly to the configured     SCM, to effectively change the Pipeline behavior by changing the definition of a dynamically retrieved     library in their pull request, even if the Pipeline is configured to not trust them. (CVE-2022-29047)

  - Jenkins Pipeline: Groovy Plugin 2689.v434009a_31b_f1 and earlier allows loading any Groovy source files on     the classpath of Jenkins and Jenkins plugins in sandboxed pipelines. (CVE-2022-30945)

  - A cross-site request forgery (CSRF) vulnerability in Jenkins Script Security Plugin 1158.v7c1b_73a_69a_08     and earlier allows attackers to have Jenkins send an HTTP request to an attacker-specified webserver.
    (CVE-2022-30946)

  - Jenkins Mercurial Plugin 2.16 and earlier allows attackers able to configure pipelines to check out some     SCM repositories stored on the Jenkins controller's file system using local paths as SCM URLs, obtaining     limited information about other projects' SCM contents. (CVE-2022-30948)

  - Jenkins Pipeline SCM API for Blue Ocean Plugin 1.25.3 and earlier allows attackers with Job/Configure     permission to access credentials with attacker-specified IDs stored in the private per-user credentials     stores of any attacker-specified user in Jenkins. (CVE-2022-30952)

  - A cross-site request forgery (CSRF) vulnerability in Jenkins Blue Ocean Plugin 1.25.3 and earlier allows     attackers to connect to an attacker-specified HTTP server. (CVE-2022-30953)

  - Jenkins Blue Ocean Plugin 1.25.3 and earlier does not perform a permission check in several HTTP     endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified HTTP     server. (CVE-2022-30954)

  - In Jenkins 2.355 and earlier, LTS 2.332.3 and earlier, an observable timing discrepancy on the login form     allows distinguishing between login attempts with an invalid username, and login attempts with a valid     username and wrong password, when using the Jenkins user database security realm. (CVE-2022-34174)

  - Jenkins JUnit Plugin 1119.va_a_5e9068da_d7 and earlier does not escape descriptions of test results,     resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Run/Update     permission. (CVE-2022-34176)

  - Jenkins Pipeline: Input Step Plugin 448.v37cea_9a_10a_70 and earlier archives files uploaded for `file`     parameters for Pipeline `input` steps on the controller as part of build metadata, using the parameter     name without sanitization as a relative path inside a build-related directory, allowing attackers able to     configure Pipelines to create or replace arbitrary files on the Jenkins controller file system with     attacker-specified content. (CVE-2022-34177)

  - jenkins-plugin: Man-in-the-Middle (MitM) in org.jenkins-ci.plugins:git-client (CVE-2022-36881)

  - A cross-site request forgery (CSRF) vulnerability in Jenkins Git Plugin 4.11.3 and earlier allows     attackers to trigger builds of jobs configured to use an attacker-specified Git repository and to cause     them to check out an attacker-specified commit. (CVE-2022-36882)

  - A missing permission check in Jenkins Git Plugin 4.11.3 and earlier allows unauthenticated attackers to     trigger builds of jobs configured to use an attacker-specified Git repository and to cause them to check     out an attacker-specified commit. (CVE-2022-36883)

  - The webhook endpoint in Jenkins Git Plugin 4.11.3 and earlier provide unauthenticated attackers     information about the existence of jobs configured to use an attacker-specified Git repository.
    (CVE-2022-36884)

  - Jenkins GitHub Plugin 1.34.4 and earlier uses a non-constant time comparison function when checking     whether the provided and computed webhook signatures are equal, allowing attackers to use statistical     methods to obtain a valid webhook signature. (CVE-2022-36885)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to their self-reported version numbers, the version of Jenkins plugins running on the remote web server are affected by multiple vulnerabilities:

  - Multiple cross-site scripting (XSS) vulnerabilities in Jenkins 2.355 and earlier, LTS 2.332.3 and earlier     allow attackers to inject HTML and JavaScript into the Jenkins UI: SECURITY-2779 (CVE-2022-34170): Since     Jenkins 2.320 and LTS 2.332.1, help icon tooltips no longer escape the feature name, effectively undoing     the fix for SECURITY-1955. SECURITY-2761 (CVE-2022-34171): Since Jenkins 2.321 and LTS 2.332.1, the HTML     output generated for new symbol-based SVG icons includes the title attribute of l:ionicon until Jenkins     2.334 and alt attribute of l:icon since Jenkins 2.335 without further escaping. SECURITY-2776     (CVE-2022-34172): Since Jenkins 2.340, symbol-based icons unescape previously escaped values of tooltip     parameters. SECURITY-2780 (CVE-2022-34173): Since Jenkins 2.340, the tooltip of the build button in list     views supports HTML without escaping the job display name. These vulnerabilities are known to be     exploitable by attackers with Job/Configure permission. Jenkins 2.356, LTS 2.332.4 and LTS 2.346.1     addresses these vulnerabilities: SECURITY-2779: The feature name in help icon tooltips is now escaped.
    SECURITY-2761: The title attribute of l:ionicon (Jenkins LTS 2.332.4) and alt attribute of l:icon (Jenkins     2.356 and LTS 2.346.1) are escaped in the generated HTML output. SECURITY-2776: Symbol-based icons no     longer unescape values of tooltip parameters. SECURITY-2780: The tooltip of the build button in list views     is now escaped. No Jenkins LTS release is affected by SECURITY-2776 or SECURITY-2780, as these were not     present in Jenkins 2.332.x and fixed in the 2.346.x line before 2.346.1. (CVE-2022-34170, CVE-2022-34171,     CVE-2022-34172, CVE-2022-34173)

  - In Jenkins 2.355 and earlier, LTS 2.332.3 and earlier, an observable timing discrepancy on the login form     allows distinguishing between login attempts with an invalid username, and login attempts with a valid     username and wrong password, when using the Jenkins user database security realm. This allows attackers to     determine the validity of attacker-specified usernames. Login attempts with an invalid username now     validate a synthetic password to eliminate the timing discrepancy in Jenkins 2.356, LTS 2.332.4.
    (CVE-2022-34174)

  - Jenkins uses the Stapler web framework to render its UI views. These views are frequently composed of     several view fragments, enabling plugins to extend existing views with more content. Before SECURITY-534     was fixed in Jenkins 2.186 and LTS 2.176.2, attackers could in some cases directly access a view fragment     containing sensitive information, bypassing any permission checks in the corresponding view. In Jenkins     2.335 through 2.355 (both inclusive), the protection added for SECURITY-534 is disabled for some views. As     a result, attackers could in very limited cases directly access a view fragment containing sensitive     information, bypassing any permission checks in the corresponding view. As of publication, the Jenkins     security team is unaware of any vulnerable view fragment across the Jenkins plugin ecosystem. Jenkins     2.356 restores the protection for affected views. (CVE-2022-34175)

  - JUnit Plugin 1119.va_a_5e9068da_d7 and earlier does not escape descriptions of test results. This results     in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Run/Update permission.
    JUnit Plugin 1119.1121.vc43d0fc45561 applies the configured markup formatter to descriptions of test     results. (CVE-2022-34176)

  - Pipeline: Input Step Plugin 448.v37cea_9a_10a_70 and earlier allows Pipeline authors to specify file     parameters for Pipeline input steps even though they are unsupported. Although the uploaded file is not     copied to the workspace, Jenkins archives the file on the controller as part of build metadata using the     parameter name without sanitization as a relative path inside a build-related directory. This allows     attackers able to configure Pipelines to create or replace arbitrary files on the Jenkins controller file     system with attacker-specified content. Pipeline: Input Step Plugin 449.v77f0e8b_845c4 prohibits use of     file parameters for Pipeline input steps. Attempts to use them will fail Pipeline execution.
    (CVE-2022-34177)

  - Embeddable Build Status Plugin 2.0.3 allows specifying a link query parameter that build status badges     will link to, without restricting possible values. This results in a reflected cross-site scripting (XSS)     vulnerability. Embeddable Build Status Plugin 2.0.4 limits URLs to http and https protocols and correctly     escapes the provided value. (CVE-2022-34178)

  - Embeddable Build Status Plugin 2.0.3 and earlier allows specifying a style query parameter that is used to     choose a different SVG image style without restricting possible values. This results in a relative path     traversal vulnerability, allowing attackers without Overall/Read permission to specify paths to other SVG     images on the Jenkins controller file system. Embeddable Build Status Plugin 2.0.4 restricts the style     query parameter to one of the three legal values. (CVE-2022-34179)

  - Embeddable Build Status Plugin 2.0.3 and earlier does not correctly perform the ViewStatus permission     check in the HTTP endpoint it provides for unprotected status badge access. This allows attackers     without any permissions to obtain the build status badge icon for any attacker-specified job and/or build.
    Embeddable Build Status Plugin 2.0.4 requires ViewStatus permission to obtain the build status badge icon.
    (CVE-2022-34180)

  - xUnit Plugin 3.0.8 and earlier implements an agent-to-controller message that creates a user-specified     directory if it doesn't exist, and parsing files inside it as test results. This allows attackers able to     control agent processes to create an arbitrary directory on the Jenkins controller or to obtain test     results from existing files in an attacker-specified directory. xUnit Plugin 3.1.0 changes the message     type from agent-to-controller to controller-to-agent, preventing execution on the controller.
    (CVE-2022-34181)

  - Nested View Plugin 1.20 through 1.25 (both inclusive) does not escape search parameters. This results in a     reflected cross-site scripting (XSS) vulnerability. Nested View Plugin 1.26 escapes search parameters.
    (CVE-2022-34182)

  - Multiple plugins do not escape the name and description of the parameter types they provide: Agent Server     Parameter 1.1 and earlier (SECURITY-2731 / CVE-2022-34183) CRX Content Package Deployer 1.9 and earlier     (SECURITY-2727 / CVE-2022-34184) Date Parameter Plugin 0.0.4 and earlier (SECURITY-2711 / CVE-2022-34185)     Dynamic Extended Choice Parameter 1.0.1 and earlier (SECURITY-2712 / CVE-2022-34186) Filesystem List     Parameter 0.0.7 and earlier (SECURITY-2716 / CVE-2022-34187) Hidden Parameter Plugin 0.0.4 and earlier     (SECURITY-2755 / CVE-2022-34188) Image Tag Parameter 1.10 and earlier (SECURITY-2721 / CVE-2022-34189)     Maven Metadata for CI server 2.1 and earlier (SECURITY-2714 / CVE-2022-34190) NS-ND Integration     Performance Publisher 4.8.0.77 and earlier (SECURITY-2736 / CVE-2022-34191) ontrack Jenkins 4.0.0 and     earlier (SECURITY-2733 / CVE-2022-34192) Package Version 1.0.1 and earlier (SECURITY-2735 /     CVE-2022-34193) Readonly Parameter 1.0.0 and earlier (SECURITY-2719 / CVE-2022-34194) Repository Connector     2.2.0 and earlier (SECURITY-2666 / CVE-2022-34195) REST List Parameter Plugin 1.5.2 and earlier     (SECURITY-2730 / CVE-2022-34196) Sauce OnDemand 1.204 and earlier (SECURITY-2724 / CVE-2022-34197) Stash     Branch Parameter 0.3.0 and earlier (SECURITY-2725 / CVE-2022-34198) This results in stored cross-site     scripting (XSS) vulnerabilites exploitable by attackers with Item/Configure permission. Exploitation of     these vulnerabilities requires that parameters are listed on another page, like the Build With     Parameters and Parameters pages provided by Jenkins (core), and that those pages are not hardened to     prevent exploitation. Jenkins (core) has prevented exploitation of vulnerabilities of this kind on the     Build With Parameters and Parameters pages since 2.44 and LTS 2.32.2 as part of the SECURITY-353 /     CVE-2017-2601 fix. Additionally, several plugins have previously been updated to list parameters in a way     that prevents exploitation by default, see SECURITY-2617 in the 2022-04-12 security advisory for a list.
    The following plugins have been updated to escape the name and description of the parameter types they     provide in the versions specified: REST List Parameter Plugin 1.6.0 Hidden Parameter Plugin 0.0.5 As of     publication of this advisory, there is no fix available for the following plugins: Agent Server Parameter     1.1 and earlier (SECURITY-2731 / CVE-2022-34183) CRX Content Package Deployer 1.9 and earlier     (SECURITY-2727 / CVE-2022-34184) Date Parameter Plugin 0.0.4 and earlier (SECURITY-2711 / CVE-2022-34185)     Dynamic Extended Choice Parameter 1.0.1 and earlier (SECURITY-2712 / CVE-2022-34186) Filesystem List     Parameter 0.0.7 and earlier (SECURITY-2716 / CVE-2022-34187) Image Tag Parameter 1.10 and earlier     (SECURITY-2721 / CVE-2022-34189) Maven Metadata for CI server 2.1 and earlier (SECURITY-2714 /     CVE-2022-34190) NS-ND Integration Performance Publisher 4.8.0.77 and earlier (SECURITY-2736 /     CVE-2022-34191) ontrack Jenkins 4.0.0 and earlier (SECURITY-2733 / CVE-2022-34192) Package Version 1.0.1     and earlier (SECURITY-2735 / CVE-2022-34193) Readonly Parameter 1.0.0 and earlier (SECURITY-2719 /     CVE-2022-34194) Repository Connector 2.2.0 and earlier (SECURITY-2666 / CVE-2022-34195) Sauce OnDemand     1.204 and earlier (SECURITY-2724 / CVE-2022-34197) Stash Branch Parameter 0.3.0 and earlier (SECURITY-2725     / CVE-2022-34198) (CVE-2022-34183, CVE-2022-34184, CVE-2022-34185, CVE-2022-34186, CVE-2022-34187,     CVE-2022-34188, CVE-2022-34189, CVE-2022-34190, CVE-2022-34191, CVE-2022-34192, CVE-2022-34193,     CVE-2022-34194, CVE-2022-34195, CVE-2022-34196, CVE-2022-34197, CVE-2022-34198)

  - Convertigo Mobile Platform Plugin 1.1 and earlier stores passwords unencrypted in job config.xml files on     the Jenkins controller as part of its configuration. These passwords can be viewed by users with     Item/Extended Read permission or access to the Jenkins controller file system. As of publication of this     advisory, there is no fix. (CVE-2022-34199)

  - Convertigo Mobile Platform Plugin 1.1 and earlier does not perform a permission check in a method     implementing form validation. This allows attackers with Overall/Read permission to connect to an     attacker-specified URL. Additionally, this form validation method does not require POST requests,     resulting in a cross-site request forgery (CSRF) vulnerability. As of publication of this advisory, there     is no fix. (CVE-2022-34200, CVE-2022-34201)

  - EasyQA Plugin 1.0 and earlier stores user passwords unencrypted in its global configuration file     EasyQAPluginProperties.xml on the Jenkins controller as part of its configuration. These passwords can be     viewed by users with access to the Jenkins controller file system. As of publication of this advisory,     there is no fix. (CVE-2022-34202)

  - EasyQA Plugin 1.0 and earlier does not perform a permission check in a method implementing form     validation. This allows attackers with Overall/Read permission to connect to an attacker-specified HTTP     server. Additionally, this form validation method does not require POST requests, resulting in a cross-     site request forgery (CSRF) vulnerability. As of publication of this advisory, there is no fix.
    (CVE-2022-34203, CVE-2022-34204)

  - Jianliao Notification Plugin 1.1 and earlier does not perform a permission check in a method implementing     form validation. This allows attackers with Overall/Read permission to send HTTP POST requests to an     attacker-specified URL. Additionally, this form validation method does not require POST requests,     resulting in a cross-site request forgery (CSRF) vulnerability. As of publication of this advisory, there     is no fix. (CVE-2022-34205, CVE-2022-34206)

  - Beaker builder Plugin 1.10 and earlier does not perform a permission check in a method implementing form     validation. This allows attackers with Overall/Read permission to connect to an attacker-specified URL.
    Additionally, this form validation method does not require POST requests, resulting in a cross-site     request forgery (CSRF) vulnerability. As of publication of this advisory, there is no fix.
    (CVE-2022-34207, CVE-2022-34208)

  - ThreadFix Plugin 1.5.4 and earlier does not perform a permission check in a method implementing form     validation. This allows attackers with Overall/Read permission to connect to an attacker-specified URL.
    Additionally, this form validation method does not require POST requests, resulting in a cross-site     request forgery (CSRF) vulnerability. As of publication of this advisory, there is no fix.
    (CVE-2022-34209, CVE-2022-34210)

  - vRealize Orchestrator Plugin 3.0 and earlier does not perform a permission check in an HTTP endpoint. This     allows attackers with Overall/Read permission to send an HTTP POST request to an attacker-specified URL.
    Additionally, this HTTP endpoint does not require POST requests, resulting in a cross-site request forgery     (CSRF) vulnerability. As of publication of this advisory, there is no fix. (CVE-2022-34211,     CVE-2022-34212)

  - Squash TM Publisher (Squash4Jenkins) Plugin 1.0.0 and earlier stores passwords unencrypted in its global     configuration file org.jenkinsci.squashtm.core.SquashTMPublisher.xml on the Jenkins controller as part of     its configuration. These passwords can be viewed by users with access to the Jenkins controller file     system. As of publication of this advisory, there is no fix. (CVE-2022-34213)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its its self-reported version number, the version of Jenkins running on the remote web server is Jenkins LTS prior to 2.332.4 or Jenkins weekly prior to 2.356. It is, therefore, affected by multiple vulnerabilities:

  - Multiple cross-site scripting (XSS) vulnerabilities in Jenkins 2.355 and earlier, LTS 2.332.3 and earlier     allow attackers to inject HTML and JavaScript into the Jenkins UI: SECURITY-2779 (CVE-2022-34170): Since     Jenkins 2.320 and LTS 2.332.1, help icon tooltips no longer escape the feature name, effectively undoing     the fix for SECURITY-1955. SECURITY-2761 (CVE-2022-34171): Since Jenkins 2.321 and LTS 2.332.1, the HTML     output generated for new symbol-based SVG icons includes the title attribute of l:ionicon until Jenkins     2.334 and alt attribute of l:icon since Jenkins 2.335 without further escaping. SECURITY-2776     (CVE-2022-34172): Since Jenkins 2.340, symbol-based icons unescape previously escaped values of tooltip     parameters. SECURITY-2780 (CVE-2022-34173): Since Jenkins 2.340, the tooltip of the build button in list     views supports HTML without escaping the job display name. These vulnerabilities are known to be     exploitable by attackers with Job/Configure permission. Jenkins 2.356, LTS 2.332.4 and LTS 2.346.1     addresses these vulnerabilities: SECURITY-2779: The feature name in help icon tooltips is now escaped.
    SECURITY-2761: The title attribute of l:ionicon (Jenkins LTS 2.332.4) and alt attribute of l:icon (Jenkins     2.356 and LTS 2.346.1) are escaped in the generated HTML output. SECURITY-2776: Symbol-based icons no     longer unescape values of tooltip parameters. SECURITY-2780: The tooltip of the build button in list views     is now escaped. No Jenkins LTS release is affected by SECURITY-2776 or SECURITY-2780, as these were not     present in Jenkins 2.332.x and fixed in the 2.346.x line before 2.346.1. (CVE-2022-34170, CVE-2022-34171,     CVE-2022-34172, CVE-2022-34173)

  - In Jenkins 2.355 and earlier, LTS 2.332.3 and earlier, an observable timing discrepancy on the login form     allows distinguishing between login attempts with an invalid username, and login attempts with a valid     username and wrong password, when using the Jenkins user database security realm. This allows attackers to     determine the validity of attacker-specified usernames. Login attempts with an invalid username now     validate a synthetic password to eliminate the timing discrepancy in Jenkins 2.356, LTS 2.332.4.
    (CVE-2022-34174)

  - Jenkins uses the Stapler web framework to render its UI views. These views are frequently composed of     several view fragments, enabling plugins to extend existing views with more content. Before SECURITY-534     was fixed in Jenkins 2.186 and LTS 2.176.2, attackers could in some cases directly access a view fragment     containing sensitive information, bypassing any permission checks in the corresponding view. In Jenkins     2.335 through 2.355 (both inclusive), the protection added for SECURITY-534 is disabled for some views. As     a result, attackers could in very limited cases directly access a view fragment containing sensitive     information, bypassing any permission checks in the corresponding view. As of publication, the Jenkins     security team is unaware of any vulnerable view fragment across the Jenkins plugin ecosystem. Jenkins     2.356 restores the protection for affected views. (CVE-2022-34175)

  - JUnit Plugin 1119.va_a_5e9068da_d7 and earlier does not escape descriptions of test results. This results     in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Run/Update permission.
    JUnit Plugin 1119.1121.vc43d0fc45561 applies the configured markup formatter to descriptions of test     results. (CVE-2022-34176)

  - Pipeline: Input Step Plugin 448.v37cea_9a_10a_70 and earlier allows Pipeline authors to specify file     parameters for Pipeline input steps even though they are unsupported. Although the uploaded file is not     copied to the workspace, Jenkins archives the file on the controller as part of build metadata using the     parameter name without sanitization as a relative path inside a build-related directory. This allows     attackers able to configure Pipelines to create or replace arbitrary files on the Jenkins controller file     system with attacker-specified content. Pipeline: Input Step Plugin 449.v77f0e8b_845c4 prohibits use of     file parameters for Pipeline input steps. Attempts to use them will fail Pipeline execution.
    (CVE-2022-34177)

  - Embeddable Build Status Plugin 2.0.3 allows specifying a link query parameter that build status badges     will link to, without restricting possible values. This results in a reflected cross-site scripting (XSS)     vulnerability. Embeddable Build Status Plugin 2.0.4 limits URLs to http and https protocols and correctly     escapes the provided value. (CVE-2022-34178)

  - Embeddable Build Status Plugin 2.0.3 and earlier allows specifying a style query parameter that is used to     choose a different SVG image style without restricting possible values. This results in a relative path     traversal vulnerability, allowing attackers without Overall/Read permission to specify paths to other SVG     images on the Jenkins controller file system. Embeddable Build Status Plugin 2.0.4 restricts the style     query parameter to one of the three legal values. (CVE-2022-34179)

  - Embeddable Build Status Plugin 2.0.3 and earlier does not correctly perform the ViewStatus permission     check in the HTTP endpoint it provides for unprotected status badge access. This allows attackers     without any permissions to obtain the build status badge icon for any attacker-specified job and/or build.
    Embeddable Build Status Plugin 2.0.4 requires ViewStatus permission to obtain the build status badge icon.
    (CVE-2022-34180)

  - xUnit Plugin 3.0.8 and earlier implements an agent-to-controller message that creates a user-specified     directory if it doesn't exist, and parsing files inside it as test results. This allows attackers able to     control agent processes to create an arbitrary directory on the Jenkins controller or to obtain test     results from existing files in an attacker-specified directory. xUnit Plugin 3.1.0 changes the message     type from agent-to-controller to controller-to-agent, preventing execution on the controller.
    (CVE-2022-34181)

  - Nested View Plugin 1.20 through 1.25 (both inclusive) does not escape search parameters. This results in a     reflected cross-site scripting (XSS) vulnerability. Nested View Plugin 1.26 escapes search parameters.
    (CVE-2022-34182)

  - Multiple plugins do not escape the name and description of the parameter types they provide: Agent Server     Parameter 1.1 and earlier (SECURITY-2731 / CVE-2022-34183) CRX Content Package Deployer 1.9 and earlier     (SECURITY-2727 / CVE-2022-34184) Date Parameter Plugin 0.0.4 and earlier (SECURITY-2711 / CVE-2022-34185)     Dynamic Extended Choice Parameter 1.0.1 and earlier (SECURITY-2712 / CVE-2022-34186) Filesystem List     Parameter 0.0.7 and earlier (SECURITY-2716 / CVE-2022-34187) Hidden Parameter Plugin 0.0.4 and earlier     (SECURITY-2755 / CVE-2022-34188) Image Tag Parameter 1.10 and earlier (SECURITY-2721 / CVE-2022-34189)     Maven Metadata for CI server 2.1 and earlier (SECURITY-2714 / CVE-2022-34190) NS-ND Integration     Performance Publisher 4.8.0.77 and earlier (SECURITY-2736 / CVE-2022-34191) ontrack Jenkins 4.0.0 and     earlier (SECURITY-2733 / CVE-2022-34192) Package Version 1.0.1 and earlier (SECURITY-2735 /     CVE-2022-34193) Readonly Parameter 1.0.0 and earlier (SECURITY-2719 / CVE-2022-34194) Repository Connector     2.2.0 and earlier (SECURITY-2666 / CVE-2022-34195) REST List Parameter Plugin 1.5.2 and earlier     (SECURITY-2730 / CVE-2022-34196) Sauce OnDemand 1.204 and earlier (SECURITY-2724 / CVE-2022-34197) Stash     Branch Parameter 0.3.0 and earlier (SECURITY-2725 / CVE-2022-34198) This results in stored cross-site     scripting (XSS) vulnerabilites exploitable by attackers with Item/Configure permission. Exploitation of     these vulnerabilities requires that parameters are listed on another page, like the Build With     Parameters and Parameters pages provided by Jenkins (core), and that those pages are not hardened to     prevent exploitation. Jenkins (core) has prevented exploitation of vulnerabilities of this kind on the     Build With Parameters and Parameters pages since 2.44 and LTS 2.32.2 as part of the SECURITY-353 /     CVE-2017-2601 fix. Additionally, several plugins have previously been updated to list parameters in a way     that prevents exploitation by default, see SECURITY-2617 in the 2022-04-12 security advisory for a list.
    The following plugins have been updated to escape the name and description of the parameter types they     provide in the versions specified: REST List Parameter Plugin 1.6.0 Hidden Parameter Plugin 0.0.5 As of     publication of this advisory, there is no fix available for the following plugins: Agent Server Parameter     1.1 and earlier (SECURITY-2731 / CVE-2022-34183) CRX Content Package Deployer 1.9 and earlier     (SECURITY-2727 / CVE-2022-34184) Date Parameter Plugin 0.0.4 and earlier (SECURITY-2711 / CVE-2022-34185)     Dynamic Extended Choice Parameter 1.0.1 and earlier (SECURITY-2712 / CVE-2022-34186) Filesystem List     Parameter 0.0.7 and earlier (SECURITY-2716 / CVE-2022-34187) Image Tag Parameter 1.10 and earlier     (SECURITY-2721 / CVE-2022-34189) Maven Metadata for CI server 2.1 and earlier (SECURITY-2714 /     CVE-2022-34190) NS-ND Integration Performance Publisher 4.8.0.77 and earlier (SECURITY-2736 /     CVE-2022-34191) ontrack Jenkins 4.0.0 and earlier (SECURITY-2733 / CVE-2022-34192) Package Version 1.0.1     and earlier (SECURITY-2735 / CVE-2022-34193) Readonly Parameter 1.0.0 and earlier (SECURITY-2719 /     CVE-2022-34194) Repository Connector 2.2.0 and earlier (SECURITY-2666 / CVE-2022-34195) Sauce OnDemand     1.204 and earlier (SECURITY-2724 / CVE-2022-34197) Stash Branch Parameter 0.3.0 and earlier (SECURITY-2725     / CVE-2022-34198) (CVE-2022-34183, CVE-2022-34184, CVE-2022-34185, CVE-2022-34186, CVE-2022-34187,     CVE-2022-34188, CVE-2022-34189, CVE-2022-34190, CVE-2022-34191, CVE-2022-34192, CVE-2022-34193,     CVE-2022-34194, CVE-2022-34195, CVE-2022-34196, CVE-2022-34197, CVE-2022-34198)

  - Convertigo Mobile Platform Plugin 1.1 and earlier stores passwords unencrypted in job config.xml files on     the Jenkins controller as part of its configuration. These passwords can be viewed by users with     Item/Extended Read permission or access to the Jenkins controller file system. As of publication of this     advisory, there is no fix. (CVE-2022-34199)

  - Convertigo Mobile Platform Plugin 1.1 and earlier does not perform a permission check in a method     implementing form validation. This allows attackers with Overall/Read permission to connect to an     attacker-specified URL. Additionally, this form validation method does not require POST requests,     resulting in a cross-site request forgery (CSRF) vulnerability. As of publication of this advisory, there     is no fix. (CVE-2022-34200, CVE-2022-34201)

  - EasyQA Plugin 1.0 and earlier stores user passwords unencrypted in its global configuration file     EasyQAPluginProperties.xml on the Jenkins controller as part of its configuration. These passwords can be     viewed by users with access to the Jenkins controller file system. As of publication of this advisory,     there is no fix. (CVE-2022-34202)

  - EasyQA Plugin 1.0 and earlier does not perform a permission check in a method implementing form     validation. This allows attackers with Overall/Read permission to connect to an attacker-specified HTTP     server. Additionally, this form validation method does not require POST requests, resulting in a cross-     site request forgery (CSRF) vulnerability. As of publication of this advisory, there is no fix.
    (CVE-2022-34203, CVE-2022-34204)

  - Jianliao Notification Plugin 1.1 and earlier does not perform a permission check in a method implementing     form validation. This allows attackers with Overall/Read permission to send HTTP POST requests to an     attacker-specified URL. Additionally, this form validation method does not require POST requests,     resulting in a cross-site request forgery (CSRF) vulnerability. As of publication of this advisory, there     is no fix. (CVE-2022-34205, CVE-2022-34206)

  - Beaker builder Plugin 1.10 and earlier does not perform a permission check in a method implementing form     validation. This allows attackers with Overall/Read permission to connect to an attacker-specified URL.
    Additionally, this form validation method does not require POST requests, resulting in a cross-site     request forgery (CSRF) vulnerability. As of publication of this advisory, there is no fix.
    (CVE-2022-34207, CVE-2022-34208)

  - ThreadFix Plugin 1.5.4 and earlier does not perform a permission check in a method implementing form     validation. This allows attackers with Overall/Read permission to connect to an attacker-specified URL.
    Additionally, this form validation method does not require POST requests, resulting in a cross-site     request forgery (CSRF) vulnerability. As of publication of this advisory, there is no fix.
    (CVE-2022-34209, CVE-2022-34210)

  - vRealize Orchestrator Plugin 3.0 and earlier does not perform a permission check in an HTTP endpoint. This     allows attackers with Overall/Read permission to send an HTTP POST request to an attacker-specified URL.
    Additionally, this HTTP endpoint does not require POST requests, resulting in a cross-site request forgery     (CSRF) vulnerability. As of publication of this advisory, there is no fix. (CVE-2022-34211,     CVE-2022-34212)

  - Squash TM Publisher (Squash4Jenkins) Plugin 1.0.0 and earlier stores passwords unencrypted in its global     configuration file org.jenkinsci.squashtm.core.SquashTMPublisher.xml on the Jenkins controller as part of     its configuration. These passwords can be viewed by users with access to the Jenkins controller file     system. As of publication of this advisory, there is no fix. (CVE-2022-34213)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Jenkins Enterprise or Jenkins Operations Center running on the remote web server is 2.303.x prior to 2.303.30.0.14, or 2.x prior to 2.332.4.1 or 2.346.1.4. It is, therefore, affected by multiple vulnerabilities, including the following:

  - Jenkins Pipeline: Input Step Plugin 448.v37cea_9a_10a_70 and earlier archives files uploaded for `file`     parameters for Pipeline `input` steps on the controller as part of build metadata, using the parameter     name without sanitization as a relative path inside a build-related directory, allowing attackers able to     configure Pipelines to create or replace arbitrary files on the Jenkins controller file system with     attacker-specified content. (CVE-2022-34177)

  - Jenkins xUnit Plugin 3.0.8 and earlier implements an agent-to-controller message that creates a     user-specified directory if it doesn't exist, and parsing files inside it as test results, allowing     attackers able to control agent processes to create an arbitrary directory on the Jenkins controller or to     obtain test results from existing files in an attacker-specified directory. (CVE-2022-34181)

  - A cross-site request forgery (CSRF) vulnerability in Jenkins EasyQA Plugin 1.0 and earlier allows     attackers to connect to an attacker-specified HTTP server. (CVE-2022-34203)   Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the 25be46f0-f25d-11ec-b62a-00e081b7aa2d advisory.

  - In Jenkins 2.320 through 2.355 (both inclusive) and LTS 2.332.1 through LTS 2.332.3 (both inclusive) the     help icon does not escape the feature name that is part of its tooltip, effectively undoing the fix for     SECURITY-1955, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers with     Job/Configure permission. (CVE-2022-34170)

  - In Jenkins 2.321 through 2.355 (both inclusive) and LTS 2.332.1 through LTS 2.332.3 (both inclusive) the     HTML output generated for new symbol-based SVG icons includes the 'title' attribute of 'l:ionicon' (until     Jenkins 2.334) and 'alt' attribute of 'l:icon' (since Jenkins 2.335) without further escaping, resulting     in a cross-site scripting (XSS) vulnerability. (CVE-2022-34171)

  - In Jenkins 2.340 through 2.355 (both inclusive) symbol-based icons unescape previously escaped values of     'tooltip' parameters, resulting in a cross-site scripting (XSS) vulnerability. (CVE-2022-34172)

  - In Jenkins 2.340 through 2.355 (both inclusive) the tooltip of the build button in list views supports     HTML without escaping the job display name, resulting in a cross-site scripting (XSS) vulnerability     exploitable by attackers with Job/Configure permission. (CVE-2022-34173)

  - In Jenkins 2.355 and earlier, LTS 2.332.3 and earlier, an observable timing discrepancy on the login form     allows distinguishing between login attempts with an invalid username, and login attempts with a valid     username and wrong password, when using the Jenkins user database security realm. (CVE-2022-34174)

  - Jenkins 2.335 through 2.355 (both inclusive) allows attackers in some cases to bypass a protection     mechanism, thereby directly accessing some view fragments containing sensitive information, bypassing any     permission checks in the corresponding view. (CVE-2022-34175)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
193747	RHEL 8 : OpenShift Container Platform 4.9.56 (RHSA-2023:0777)	Nessus	Red Hat Local Security Checks	critical
189442	RHCOS 4 : OpenShift Container Platform 4.9.56 (RHSA-2023:0777)	Nessus	Red Hat Local Security Checks	critical
189438	RHCOS 4 : OpenShift Container Platform 4.10.52 (RHSA-2023:0697)	Nessus	Red Hat Local Security Checks	critical
189418	RHCOS 4 : OpenShift Container Platform 4.8.56 (RHSA-2023:0017)	Nessus	Red Hat Local Security Checks	high
163259	Jenkins plugins Multiple Vulnerabilities (2022-06-22)	Nessus	CGI abuses	critical
163258	Jenkins LTS < 2.332.4 / Jenkins weekly < 2.356 Multiple Vulnerabilities	Nessus	CGI abuses	critical
162722	Jenkins Enterprise and Operations Center 2.303.x < 2.303.30.0.14 / 2.332.4.1 / 2.346.1.4 Multiple Vulnerabilities (CloudBees Security Advisory 2022-06-22)	Nessus	CGI abuses	critical
162511	FreeBSD : jenkins -- multiple vulnerabilities (25be46f0-f25d-11ec-b62a-00e081b7aa2d)	Nessus	FreeBSD Local Security Checks	high

Detections

Analytics

CVE-2022-34174

high

Tenable Plugins

critical

critical

critical

high

critical

critical

critical

high