Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/92334?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/92334?format=api", "purl": "pkg:rpm/redhat/jenkins-2-plugins@4.12.1730119231-1?arch=el8", "type": "rpm", "namespace": "redhat", "name": "jenkins-2-plugins", "version": "4.12.1730119231-1", "qualifiers": { "arch": "el8" }, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": null, "latest_non_vulnerable_version": null, "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/15758?format=api", "vulnerability_id": "VCID-1bh8-3gb1-4ben", "summary": "Spring Framework vulnerable to Denial of Service\nIn Spring Framework versions 5.3.0 - 5.3.38 and older unsupported versions, it is possible for a user to provide a specially crafted Spring Expression Language (SpEL) expression that may cause a denial of service (DoS) condition. Older, unsupported versions are also affected.\n\nSpecifically, an application is vulnerable when the following is true:\n\n * The application evaluates user-supplied SpEL expressions.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-38808.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-38808.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-38808", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00809", "scoring_system": "epss", "scoring_elements": "0.74251", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00809", "scoring_system": "epss", "scoring_elements": "0.7426", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00809", "scoring_system": "epss", "scoring_elements": "0.7425", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00809", "scoring_system": "epss", "scoring_elements": "0.74212", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00809", "scoring_system": "epss", "scoring_elements": "0.7422", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00809", "scoring_system": "epss", "scoring_elements": "0.74238", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00809", "scoring_system": "epss", "scoring_elements": "0.74202", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00809", "scoring_system": "epss", "scoring_elements": "0.74169", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00809", "scoring_system": "epss", "scoring_elements": "0.74217", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00809", "scoring_system": "epss", "scoring_elements": "0.74196", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00809", "scoring_system": "epss", "scoring_elements": "0.7417", "published_at": "2026-04-02T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-38808" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-38808", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-38808" }, { "reference_url": "https://github.com/spring-projects/spring-framework", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/spring-projects/spring-framework" }, { "reference_url": "https://github.com/spring-projects/spring-framework/commit/26f2dad388499faecf99e75b8856788e95d8d658", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/spring-projects/spring-framework/commit/26f2dad388499faecf99e75b8856788e95d8d658" }, { "reference_url": "https://github.com/spring-projects/spring-framework/commit/f44d13cb7816e586b86c02421af4f5498391111c", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/spring-projects/spring-framework/commit/f44d13cb7816e586b86c02421af4f5498391111c" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38808", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38808" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20240920-0002", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://security.netapp.com/advisory/ntap-20240920-0002" }, { "reference_url": "https://spring.io/security/cve-2024-38808", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-20T13:48:27Z/" } ], "url": "https://spring.io/security/cve-2024-38808" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2305959", "reference_id": "2305959", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2305959" }, { "reference_url": "https://github.com/advisories/GHSA-9cmq-m9j5-mvww", "reference_id": "GHSA-9cmq-m9j5-mvww", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-9cmq-m9j5-mvww" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:8884", "reference_id": "RHSA-2024:8884", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:8884" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:8885", "reference_id": "RHSA-2024:8885", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:8885" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:8886", "reference_id": "RHSA-2024:8886", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:8886" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:8887", "reference_id": "RHSA-2024:8887", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:8887" } ], "fixed_packages": [], "aliases": [ "CVE-2024-38808", "GHSA-9cmq-m9j5-mvww" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-1bh8-3gb1-4ben" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/12557?format=api", "vulnerability_id": "VCID-jarz-xtnw-ufbz", "summary": "Jenkins exposes multi-line secrets through error messages\nJenkins \n\nJenkins provides the `secretTextarea` form field for multi-line secrets.\n\nJenkins 2.478 and earlier, LTS 2.462.2 and earlier does not redact multi-line secret values in error messages generated for form submissions involving the `secretTextarea` form field.\n\nThis can result in exposure of multi-line secrets through those error messages, e.g., in the system log.\n\nJenkins 2.479, LTS 2.462.3 redacts multi-line secret values in error messages generated for form submissions involving the `secretTextarea` form field.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-47803.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-47803.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-47803", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0063", "scoring_system": "epss", "scoring_elements": "0.70312", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.0063", "scoring_system": "epss", "scoring_elements": "0.70222", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.0063", "scoring_system": "epss", "scoring_elements": "0.70268", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.0063", "scoring_system": "epss", "scoring_elements": "0.70284", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.0063", "scoring_system": "epss", "scoring_elements": "0.70307", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.0063", "scoring_system": "epss", "scoring_elements": "0.70293", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.0063", "scoring_system": "epss", "scoring_elements": "0.7028", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.0063", "scoring_system": "epss", "scoring_elements": "0.70321", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.0063", "scoring_system": "epss", "scoring_elements": "0.70331", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.0063", "scoring_system": "epss", "scoring_elements": "0.70229", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.0063", "scoring_system": "epss", "scoring_elements": "0.70245", "published_at": "2026-04-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-47803" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47803", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47803" }, { "reference_url": "https://www.jenkins.io/security/advisory/2024-10-02/#SECURITY-3451", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-02T16:31:49Z/" } ], "url": "https://www.jenkins.io/security/advisory/2024-10-02/#SECURITY-3451" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2316137", "reference_id": "2316137", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2316137" }, { "reference_url": "https://github.com/advisories/GHSA-pj95-ph4q-4qm4", "reference_id": "GHSA-pj95-ph4q-4qm4", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-pj95-ph4q-4qm4" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:8884", "reference_id": "RHSA-2024:8884", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:8884" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:8885", "reference_id": "RHSA-2024:8885", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:8885" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:8886", "reference_id": "RHSA-2024:8886", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:8886" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:8887", "reference_id": "RHSA-2024:8887", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:8887" } ], "fixed_packages": [], "aliases": [ "CVE-2024-47803", "GHSA-pj95-ph4q-4qm4" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-jarz-xtnw-ufbz" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/11835?format=api", "vulnerability_id": "VCID-mkf8-a5k3-83fs", "summary": "Improper Certificate Validation\nApache Sling Commons Messaging Mail provides a simple layer on top of JavaMail/Jakarta Mail for OSGi to send mails via SMTPS. To reduce the risk of \"man in the middle\" attacks additional server identity checks must be performed when accessing mail servers. For compatibility reasons these additional checks are disabled by default in JavaMail/Jakarta Mail. The SimpleMailService in Apache Sling Commons Messaging Mail 1.0 lacks an option to enable these checks for the shared mail session. A user could enable these checks nevertheless by accessing the session via the message created by SimpleMessageBuilder and setting the property mail.smtps.ssl.checkserveridentity to true. Apache Sling Commons Messaging Mail 2.0 adds support for enabling server identity checks and these checks are enabled by default. - https://javaee.github.io/javamail/docs/SSLNOTES.txt - https://javaee.github.io/javamail/docs/api/com/sun/mail/smtp/package-summary.html - https://github.com/eclipse-ee4j/mail/issues/429", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-44549.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-44549.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-44549", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00185", "scoring_system": "epss", "scoring_elements": "0.40148", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00185", "scoring_system": "epss", "scoring_elements": "0.40094", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00185", "scoring_system": "epss", "scoring_elements": "0.40243", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00185", "scoring_system": "epss", "scoring_elements": "0.40268", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00185", "scoring_system": "epss", "scoring_elements": "0.4019", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00185", "scoring_system": "epss", "scoring_elements": "0.40254", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00185", "scoring_system": "epss", "scoring_elements": "0.40265", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00185", "scoring_system": "epss", "scoring_elements": "0.40227", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00185", "scoring_system": "epss", "scoring_elements": "0.40208", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00185", "scoring_system": "epss", "scoring_elements": "0.40255", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00185", "scoring_system": "epss", "scoring_elements": "0.40224", "published_at": "2026-04-18T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-44549" }, { "reference_url": "https://github.com/eclipse-ee4j", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/eclipse-ee4j" }, { "reference_url": "https://github.com/eclipse-ee4j/mail/issues/429", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/eclipse-ee4j/mail/issues/429" }, { "reference_url": "https://javaee.github.io/javamail/docs/api/com/sun/mail/smtp/package-summary.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://javaee.github.io/javamail/docs/api/com/sun/mail/smtp/package-summary.html" }, { "reference_url": "https://javaee.github.io/javamail/docs/SSLNOTES.txt", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://javaee.github.io/javamail/docs/SSLNOTES.txt" }, { "reference_url": "https://lists.apache.org/thread/l8p9h2bqvkj6rhv4w8kzctb817415b7f", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread/l8p9h2bqvkj6rhv4w8kzctb817415b7f" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2315808", "reference_id": "2315808", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2315808" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44549", "reference_id": "CVE-2021-44549", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44549" }, { "reference_url": "https://github.com/advisories/GHSA-c69w-jj56-834w", "reference_id": "GHSA-c69w-jj56-834w", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-c69w-jj56-834w" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:7670", "reference_id": "RHSA-2024:7670", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:7670" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:7676", "reference_id": "RHSA-2024:7676", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:7676" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:8884", "reference_id": "RHSA-2024:8884", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:8884" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:8885", "reference_id": "RHSA-2024:8885", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:8885" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:8886", "reference_id": "RHSA-2024:8886", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:8886" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:8887", "reference_id": "RHSA-2024:8887", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:8887" } ], "fixed_packages": [], "aliases": [ "CVE-2021-44549", "GHSA-c69w-jj56-834w" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-mkf8-a5k3-83fs" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/19074?format=api", "vulnerability_id": "VCID-qnbx-c635-hqer", "summary": "Jenkins Script Security Plugin has sandbox bypass vulnerability involving crafted constructor bodies\nJenkins Script Security Plugin provides a sandbox feature that allows low privileged users to define scripts, including Pipelines, that are generally safe to execute. Calls to code defined inside a sandboxed script are intercepted, and various allowlists are checked to determine whether the call is to be allowed.\n\nMultiple sandbox bypass vulnerabilities exist in Script Security Plugin 1335.vf07d9ce377a_e and earlier:\n\n- Crafted constructor bodies that invoke other constructors can be used to construct any subclassable type via implicit casts.\n\n- Sandbox-defined Groovy classes that shadow specific non-sandbox-defined classes can be used to construct any subclassable type.\n\nThese vulnerabilities allow attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.\n\n- These issues are caused by an incomplete fix of [SECURITY-2824](https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)).\n\nScript Security Plugin 1336.vf33a_a_9863911 has additional restrictions and sanity checks to ensure that super constructors cannot be constructed without being intercepted by the sandbox:\n\n- Calls to to other constructors using this are now intercepted by the sandbox.\n\n- Classes in packages that can be shadowed by Groovy-defined classes are no longer ignored by the sandbox when intercepting super constructor calls.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-34144.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-34144.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-34144", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.50053", "scoring_system": "epss", "scoring_elements": "0.97832", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.50053", "scoring_system": "epss", "scoring_elements": "0.97806", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.50053", "scoring_system": "epss", "scoring_elements": "0.97821", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.50053", "scoring_system": "epss", "scoring_elements": "0.97818", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.50053", "scoring_system": "epss", "scoring_elements": "0.97815", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.50053", "scoring_system": "epss", "scoring_elements": "0.97811", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.50053", "scoring_system": "epss", "scoring_elements": "0.97808", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.50053", "scoring_system": "epss", "scoring_elements": "0.97833", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.50053", "scoring_system": "epss", "scoring_elements": "0.9783", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.50053", "scoring_system": "epss", "scoring_elements": "0.97824", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.50053", "scoring_system": "epss", "scoring_elements": "0.97823", "published_at": "2026-04-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-34144" }, { "reference_url": "https://github.com/jenkinsci/script-security-plugin", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/jenkinsci/script-security-plugin" }, { "reference_url": "https://github.com/jenkinsci/script-security-plugin/releases/tag/1336.vf33a_a_9863911", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/jenkinsci/script-security-plugin/releases/tag/1336.vf33a_a_9863911" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34144", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34144" }, { "reference_url": "https://www.jenkins.io/security/advisory/2024-05-02/#SECURITY-3341", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-05-02T15:28:35Z/" } ], "url": "https://www.jenkins.io/security/advisory/2024-05-02/#SECURITY-3341" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2024/05/02/3", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-05-02T15:28:35Z/" } ], "url": "http://www.openwall.com/lists/oss-security/2024/05/02/3" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2278820", "reference_id": "2278820", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2278820" }, { "reference_url": "https://github.com/advisories/GHSA-v63g-v339-2673", "reference_id": "GHSA-v63g-v339-2673", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-v63g-v339-2673" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:3634", "reference_id": "RHSA-2024:3634", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:3634" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:3635", "reference_id": "RHSA-2024:3635", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:3635" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:3636", "reference_id": "RHSA-2024:3636", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:3636" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:4597", "reference_id": "RHSA-2024:4597", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:4597" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:8886", "reference_id": "RHSA-2024:8886", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:8886" } ], "fixed_packages": [], "aliases": [ "CVE-2024-34144", "GHSA-v63g-v339-2673" ], "risk_score": 4.4, "exploitability": "0.5", "weighted_severity": "8.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qnbx-c635-hqer" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/11960?format=api", "vulnerability_id": "VCID-vpxs-mxz3-xqch", "summary": "Jenkins item creation restriction bypass vulnerability\nJenkins provides APIs for fine-grained control of item creation:\n\n- Authorization strategies can prohibit the creation of items of a given type in a given item group (`ACL#hasCreatePermission2`).\n\n- Item types can prohibit creation of new instances in a given item group (`TopLevelItemDescriptor#isApplicableIn(ItemGroup)`).\n\nIf an attempt is made to create an item of a prohibited type through the Jenkins CLI or the REST API and either of the above checks fail, Jenkins 2.478 and earlier, LTS 2.462.2 and earlier creates the item in memory, only deleting it from disk.\n\nThis allows attackers with Item/Create permission to bypass these restrictions, creating a temporary item. With Item/Configure permission, they can also save the item to persist it.\n\nIf an attempt is made to create an item of a prohibited type through the Jenkins CLI or the REST API and either of the above checks fail, Jenkins 2.479, LTS 2.462.3 does not retain the item in memory.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-47804.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-47804.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-47804", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00448", "scoring_system": "epss", "scoring_elements": "0.63601", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00448", "scoring_system": "epss", "scoring_elements": "0.63573", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00448", "scoring_system": "epss", "scoring_elements": "0.63538", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00448", "scoring_system": "epss", "scoring_elements": "0.6359", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00448", "scoring_system": "epss", "scoring_elements": "0.63607", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00448", "scoring_system": "epss", "scoring_elements": "0.63622", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00448", "scoring_system": "epss", "scoring_elements": "0.63606", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00448", "scoring_system": "epss", "scoring_elements": "0.63609", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00448", "scoring_system": "epss", "scoring_elements": "0.63618", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00448", "scoring_system": "epss", "scoring_elements": "0.63545", "published_at": "2026-04-02T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-47804" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47804", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47804" }, { "reference_url": "https://www.jenkins.io/security/advisory/2024-10-02/#SECURITY-3448", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-02T16:31:07Z/" } ], "url": "https://www.jenkins.io/security/advisory/2024-10-02/#SECURITY-3448" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2316131", "reference_id": "2316131", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2316131" }, { "reference_url": "https://github.com/advisories/GHSA-f9qj-77q2-h5c5", "reference_id": "GHSA-f9qj-77q2-h5c5", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-f9qj-77q2-h5c5" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:8884", "reference_id": "RHSA-2024:8884", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:8884" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:8885", "reference_id": "RHSA-2024:8885", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:8885" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:8886", "reference_id": "RHSA-2024:8886", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:8886" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:8887", "reference_id": "RHSA-2024:8887", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:8887" } ], "fixed_packages": [], "aliases": [ "CVE-2024-47804", "GHSA-f9qj-77q2-h5c5" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-vpxs-mxz3-xqch" } ], "fixing_vulnerabilities": [], "risk_score": "4.4", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/jenkins-2-plugins@4.12.1730119231-1%3Farch=el8" }