First published: Wed Jan 13 2021(Updated: )
Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not limit sizes provided as query parameters to graph-rendering URLs, allowing attackers to request crafted URLs that use all available memory in Jenkins, potentially leading to out of memory errors.
Credit: jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/jenkins | <0:2.263.3.1612433584-1.el7 | 0:2.263.3.1612433584-1.el7 |
redhat/conmon | <2:2.0.21-1.rhaos4.5.el7 | 2:2.0.21-1.rhaos4.5.el7 |
redhat/jenkins | <0:2.263.3.1612434332-1.el7 | 0:2.263.3.1612434332-1.el7 |
redhat/machine-config-daemon | <0:4.5.0-202102050524.p0.git.2594.ff3b8c0.el8 | 0:4.5.0-202102050524.p0.git.2594.ff3b8c0.el8 |
redhat/openshift | <0:4.5.0-202102050524.p0.git.0.9229406.el7 | 0:4.5.0-202102050524.p0.git.0.9229406.el7 |
redhat/openshift-ansible | <0:4.5.0-202102031005.p0.git.0.c6839a2.el7 | 0:4.5.0-202102031005.p0.git.0.c6839a2.el7 |
redhat/openshift-clients | <0:4.5.0-202102051529.p0.git.3612.61b096a.el8 | 0:4.5.0-202102051529.p0.git.3612.61b096a.el8 |
redhat/runc | <0:1.0.0-72.rhaos4.5.giteadfc6b.el8 | 0:1.0.0-72.rhaos4.5.giteadfc6b.el8 |
redhat/jenkins | <0:2.263.3.1612434510-1.el8 | 0:2.263.3.1612434510-1.el8 |
Jenkins Jenkins | <=2.263.1 | |
Jenkins Jenkins | <=2.274 | |
maven/org.jenkins-ci.main:jenkins-core | >=2.264<=2.274 | 2.275 |
maven/org.jenkins-ci.main:jenkins-core | <=2.263.1 | 2.263.2 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
(Appears in the following advisories)