First published: Wed Nov 15 2023(Updated: )
Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron.<br>Security Fix(es):<br><li> golang: net/http, x/net/http2: rapid stream resets can cause excessive work (Rapid Reset Attack) (CVE-2023-39325)</li> <li> HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)</li> A Red Hat Security Bulletin which addresses further details about the Rapid Reset flaw is available in the References section.<br><li> snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)</li> <li> maven-shared-utils: Command injection via Commandline class (CVE-2022-29599)</li> <li> apache-commons-text: variable interpolation RCE (CVE-2022-42889)</li> <li> jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script Security Plugin (CVE-2023-24422)</li> <li> jenkins-2-plugins/JUnit: Stored XSS vulnerability in JUnit Plugin (CVE-2023-25761)</li> <li> jenkins-2-plugins/pipeline-build-step: Stored XSS vulnerability in Pipeline: Build Step Plugin (CVE-2023-25762)</li> For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/jenkins | <2-plugins-4.14.1699356715-1.el8 | 2-plugins-4.14.1699356715-1.el8 |
redhat/jenkins | <2.414.3.1699356615-3.el8 | 2.414.3.1699356615-3.el8 |
redhat/jenkins | <2-plugins-4.14.1699356715-1.el8 | 2-plugins-4.14.1699356715-1.el8 |
redhat/jenkins | <2.414.3.1699356615-3.el8 | 2.414.3.1699356615-3.el8 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.