Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/97035?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/97035?format=api", "purl": "pkg:rpm/redhat/jenkins-2-plugins@4.11.1683009941-1?arch=el8", "type": "rpm", "namespace": "redhat", "name": "jenkins-2-plugins", "version": "4.11.1683009941-1", "qualifiers": { "arch": "el8" }, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": null, "latest_non_vulnerable_version": null, "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/51668?format=api", "vulnerability_id": "VCID-1tha-u7dt-tfc9", "summary": "Sandbox bypass vulnerability in Jenkins Pipeline: Deprecated Groovy Libraries Plugin\nPipeline: Groovy Libraries Plugin and older releases of the Pipeline: Deprecated Groovy Libraries Plugin (formerly Pipeline: Shared Groovy Libraries Plugin) define the l`ibrary` Pipeline step, which allows Pipeline authors to dynamically load Pipeline libraries. The return value of this step can be used to instantiate classes defined in the loaded library.\n\nIn Pipeline: Groovy Libraries Plugin 612.v84da_9c54906d and earlier and in Pipeline: Deprecated Groovy Libraries Plugin 583.vf3b_454e43966 and earlier, the `library` step can be used to invoke sandbox-generated synthetic constructors in crafted untrusted libraries and construct any subclassable type. This is similar to SECURITY-582 in the [2017-08-07 security advisory](https://www.jenkins.io/security/advisory/2017-08-07/#multiple-groovy-language-features-allowed-script-security-plugin-sandbox-bypass), but in a different plugin.\n\nThis vulnerability allows attackers with permission to define untrusted Pipeline libraries and to define and run sandboxed Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.\n\nPipeline: Groovy Libraries Plugin 613.v9c41a_160233f rejects improper calls to sandbox-generated synthetic constructors when using the `library` step.\n\nPipeline: Deprecated Groovy Libraries Plugin 588.v576c103a_ff86 no longer contains the `library` step. It has been moved into the Pipeline: Groovy Libraries Plugin.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-43406.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-43406.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-43406", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00184", "scoring_system": "epss", "scoring_elements": "0.39872", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00184", "scoring_system": "epss", "scoring_elements": "0.40175", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00184", "scoring_system": "epss", "scoring_elements": "0.40137", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00184", "scoring_system": "epss", "scoring_elements": "0.40118", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00184", "scoring_system": "epss", "scoring_elements": "0.40168", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00184", "scoring_system": "epss", "scoring_elements": "0.40139", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00184", "scoring_system": "epss", "scoring_elements": "0.40059", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00184", "scoring_system": "epss", "scoring_elements": "0.39888", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00184", "scoring_system": "epss", "scoring_elements": "0.40152", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00184", "scoring_system": "epss", "scoring_elements": "0.40178", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00184", "scoring_system": "epss", "scoring_elements": "0.401", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00184", "scoring_system": "epss", "scoring_elements": "0.40165", "published_at": "2026-04-09T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-43406" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43406", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43406" }, { "reference_url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(2)", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(2)" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2022/10/19/3", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://www.openwall.com/lists/oss-security/2022/10/19/3" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136370", "reference_id": "2136370", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136370" }, { "reference_url": "https://github.com/advisories/GHSA-7qw2-h9gj-hcvh", "reference_id": "GHSA-7qw2-h9gj-hcvh", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7qw2-h9gj-hcvh" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:0560", "reference_id": "RHSA-2023:0560", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:0560" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:0777", "reference_id": "RHSA-2023:0777", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:0777" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:1064", "reference_id": "RHSA-2023:1064", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:1064" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:3198", "reference_id": "RHSA-2023:3198", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:3198" } ], "fixed_packages": [], "aliases": [ "CVE-2022-43406", "GHSA-7qw2-h9gj-hcvh" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "8.9", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-1tha-u7dt-tfc9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/52008?format=api", "vulnerability_id": "VCID-2zhb-qfhq-xkdp", "summary": "Sandbox bypass vulnerability in Jenkins Pipeline: Groovy Libraries Plugin and Pipeline: Deprecated Groovy Libraries Plugin\nPipeline: Groovy Libraries Plugin and older releases of the Pipeline: Deprecated Groovy Libraries Plugin (formerly Pipeline: Shared Groovy Libraries Plugin) define the l`ibrary` Pipeline step, which allows Pipeline authors to dynamically load Pipeline libraries. The return value of this step can be used to instantiate classes defined in the loaded library.\n\nIn Pipeline: Groovy Libraries Plugin 612.v84da_9c54906d and earlier and in Pipeline: Deprecated Groovy Libraries Plugin 583.vf3b_454e43966 and earlier, the `library` step can be used to invoke sandbox-generated synthetic constructors in crafted untrusted libraries and construct any subclassable type. This is similar to SECURITY-582 in the [2017-08-07 security advisory](https://www.jenkins.io/security/advisory/2017-08-07/#multiple-groovy-language-features-allowed-script-security-plugin-sandbox-bypass), but in a different plugin.\n\nThis vulnerability allows attackers with permission to define untrusted Pipeline libraries and to define and run sandboxed Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.\n\nPipeline: Groovy Libraries Plugin 613.v9c41a_160233f rejects improper calls to sandbox-generated synthetic constructors when using the `library` step.\n\nPipeline: Deprecated Groovy Libraries Plugin 588.v576c103a_ff86 no longer contains the `library` step. It has been moved into the Pipeline: Groovy Libraries Plugin.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-43405.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-43405.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-43405", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00184", "scoring_system": "epss", "scoring_elements": "0.39872", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00184", "scoring_system": "epss", "scoring_elements": "0.40175", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00184", "scoring_system": "epss", "scoring_elements": "0.40137", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00184", "scoring_system": "epss", "scoring_elements": "0.40118", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00184", "scoring_system": "epss", "scoring_elements": "0.40168", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00184", "scoring_system": "epss", "scoring_elements": "0.40139", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00184", "scoring_system": "epss", "scoring_elements": "0.40059", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00184", "scoring_system": "epss", "scoring_elements": "0.39888", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00184", "scoring_system": "epss", "scoring_elements": "0.40152", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00184", "scoring_system": "epss", "scoring_elements": "0.40178", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00184", "scoring_system": "epss", "scoring_elements": "0.401", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00184", "scoring_system": "epss", "scoring_elements": "0.40165", "published_at": "2026-04-09T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-43405" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43405", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43405" }, { "reference_url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(2)", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(2)" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2022/10/19/3", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://www.openwall.com/lists/oss-security/2022/10/19/3" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136374", "reference_id": "2136374", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136374" }, { "reference_url": "https://github.com/advisories/GHSA-4hjj-9gp7-4frg", "reference_id": "GHSA-4hjj-9gp7-4frg", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-4hjj-9gp7-4frg" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:0560", "reference_id": "RHSA-2023:0560", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:0560" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:0777", "reference_id": "RHSA-2023:0777", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:0777" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:1064", "reference_id": "RHSA-2023:1064", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:1064" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:3198", "reference_id": "RHSA-2023:3198", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:3198" } ], "fixed_packages": [], "aliases": [ "CVE-2022-43405", "GHSA-4hjj-9gp7-4frg" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "8.9", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2zhb-qfhq-xkdp" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/15957?format=api", "vulnerability_id": "VCID-4qvq-xv22-xbed", "summary": "Missing Authorization\nJenkins Blue Ocean Plugin 1.25.3 and earlier does not perform a permission check in several HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified HTTP server.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-30954.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-30954.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-30954", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00184", "scoring_system": "epss", "scoring_elements": "0.40224", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00184", "scoring_system": "epss", "scoring_elements": "0.402", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00197", "scoring_system": "epss", "scoring_elements": "0.41655", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00197", "scoring_system": "epss", "scoring_elements": "0.4174", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00197", "scoring_system": "epss", "scoring_elements": "0.4179", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00197", "scoring_system": "epss", "scoring_elements": "0.418", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00197", "scoring_system": "epss", "scoring_elements": "0.41823", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00197", "scoring_system": "epss", "scoring_elements": "0.41777", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00197", "scoring_system": "epss", "scoring_elements": "0.41826", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00197", "scoring_system": "epss", "scoring_elements": "0.41728", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00197", "scoring_system": "epss", "scoring_elements": "0.41654", "published_at": "2026-04-24T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-30954" }, { "reference_url": "https://github.com/jenkinsci/blueocean-plugin", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/jenkinsci/blueocean-plugin" }, { "reference_url": "https://github.com/jenkinsci/blueocean-plugin/commit/ffd89b675b172c86613459935fe220dc2bba0c57", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/jenkinsci/blueocean-plugin/commit/ffd89b675b172c86613459935fe220dc2bba0c57" }, { "reference_url": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2502", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2502" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2022/05/17/8", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://www.openwall.com/lists/oss-security/2022/05/17/8" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119647", "reference_id": "2119647", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119647" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30954", "reference_id": "CVE-2022-30954", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30954" }, { "reference_url": "https://github.com/advisories/GHSA-5m4q-x28v-q6wp", "reference_id": "GHSA-5m4q-x28v-q6wp", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-5m4q-x28v-q6wp" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:0017", "reference_id": "RHSA-2023:0017", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:0017" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:0560", "reference_id": "RHSA-2023:0560", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:0560" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:0777", "reference_id": "RHSA-2023:0777", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:0777" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:3198", "reference_id": "RHSA-2023:3198", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:3198" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:3610", "reference_id": "RHSA-2023:3610", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:3610" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:3622", "reference_id": "RHSA-2023:3622", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:3622" } ], "fixed_packages": [], "aliases": [ "CVE-2022-30954", "GHSA-5m4q-x28v-q6wp" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-4qvq-xv22-xbed" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/16213?format=api", "vulnerability_id": "VCID-5bu5-5b6n-nuft", "summary": "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')\nA sandbox bypass vulnerability involving map constructors in Jenkins Script Security Plugin 1228.vd93135a_2fb_25 and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-24422.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-24422.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-24422", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00027", "scoring_system": "epss", "scoring_elements": "0.07559", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00027", "scoring_system": "epss", "scoring_elements": "0.07636", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00027", "scoring_system": "epss", "scoring_elements": "0.07494", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00027", "scoring_system": "epss", "scoring_elements": "0.07507", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00027", "scoring_system": "epss", "scoring_elements": "0.07582", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00027", "scoring_system": "epss", "scoring_elements": "0.07595", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00027", "scoring_system": "epss", "scoring_elements": "0.07589", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00027", "scoring_system": "epss", "scoring_elements": "0.0753", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00027", "scoring_system": "epss", "scoring_elements": "0.07609", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00027", "scoring_system": "epss", "scoring_elements": "0.07508", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00027", "scoring_system": "epss", "scoring_elements": "0.07607", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00027", "scoring_system": "epss", "scoring_elements": "0.07548", "published_at": "2026-04-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-24422" }, { "reference_url": "https://github.com/jenkinsci/script-security-plugin", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/jenkinsci/script-security-plugin" }, { "reference_url": "https://github.com/jenkinsci/script-security-plugin/commit/4880bbe905a6783d80150c8b881d0127430d4a73", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/jenkinsci/script-security-plugin/commit/4880bbe905a6783d80150c8b881d0127430d4a73" }, { "reference_url": "https://www.jenkins.io/security/advisory/2023-01-24/#SECURITY-3016", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-02T14:29:50Z/" } ], "url": "https://www.jenkins.io/security/advisory/2023-01-24/#SECURITY-3016" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2164278", "reference_id": "2164278", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2164278" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24422", "reference_id": "CVE-2023-24422", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24422" }, { "reference_url": "https://github.com/advisories/GHSA-76qj-9gwh-pvv3", "reference_id": "GHSA-76qj-9gwh-pvv3", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-76qj-9gwh-pvv3" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:1655", "reference_id": "RHSA-2023:1655", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:1655" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:3195", "reference_id": "RHSA-2023:3195", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:3195" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:3198", "reference_id": "RHSA-2023:3198", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:3198" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:3299", "reference_id": "RHSA-2023:3299", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:3299" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:3610", "reference_id": "RHSA-2023:3610", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:3610" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:6171", "reference_id": "RHSA-2023:6171", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:6171" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:6172", "reference_id": "RHSA-2023:6172", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:6172" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:6179", "reference_id": "RHSA-2023:6179", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:6179" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:7288", "reference_id": "RHSA-2023:7288", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:7288" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:0775", "reference_id": "RHSA-2024:0775", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:0775" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:0776", "reference_id": "RHSA-2024:0776", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:0776" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:0777", "reference_id": "RHSA-2024:0777", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:0777" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:0778", "reference_id": "RHSA-2024:0778", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:0778" } ], "fixed_packages": [], "aliases": [ "CVE-2023-24422", "GHSA-76qj-9gwh-pvv3" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5bu5-5b6n-nuft" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/51996?format=api", "vulnerability_id": "VCID-73th-g3mx-dqf1", "summary": "Stored XSS vulnerability in Jenkins Pipeline: Supporting APIs Plugin\nPipeline: Supporting APIs Plugin provides a feature to add hyperlinks, that send POST requests when clicked, to build logs. These links are used by Pipeline: Input Step Plugin to allow users to proceed or abort the build, or by Pipeline: Job Plugin to allow users to forcibly terminate the build after aborting it.\n\nPipeline: Supporting APIs Plugin 838.va_3a_087b_4055b and earlier does not sanitize or properly encode URLs of these hyperlinks in build logs.\n\nThis results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create Pipelines.\n\nPipeline: Supporting APIs Plugin 839.v35e2736cfd5c properly encodes URLs of these hyperlinks in build logs.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-43409.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-43409.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-43409", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.04168", "scoring_system": "epss", "scoring_elements": "0.8872", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.04168", "scoring_system": "epss", "scoring_elements": "0.8868", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.04168", "scoring_system": "epss", "scoring_elements": "0.88701", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.04168", "scoring_system": "epss", "scoring_elements": "0.88705", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.04168", "scoring_system": "epss", "scoring_elements": "0.88691", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.04168", "scoring_system": "epss", "scoring_elements": "0.88698", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.04168", "scoring_system": "epss", "scoring_elements": "0.88661", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.04168", "scoring_system": "epss", "scoring_elements": "0.88662", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.04168", "scoring_system": "epss", "scoring_elements": "0.88685", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.04168", "scoring_system": "epss", "scoring_elements": "0.88714", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.04168", "scoring_system": "epss", "scoring_elements": "0.88699", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.04168", "scoring_system": "epss", "scoring_elements": "0.88645", "published_at": "2026-04-02T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-43409" }, { "reference_url": "https://github.com/jenkinsci/workflow-support-plugin", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/jenkinsci/workflow-support-plugin" }, { "reference_url": "https://github.com/jenkinsci/workflow-support-plugin/commit/35e2736cfd5c56799eece176328906d92b6a0dd1", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/jenkinsci/workflow-support-plugin/commit/35e2736cfd5c56799eece176328906d92b6a0dd1" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43409", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43409" }, { "reference_url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2881", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-08T19:24:01Z/" } ], "url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2881" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2022/10/19/3", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-08T19:24:01Z/" } ], "url": "http://www.openwall.com/lists/oss-security/2022/10/19/3" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136391", "reference_id": "2136391", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136391" }, { "reference_url": "https://github.com/advisories/GHSA-64r9-x74q-wxmh", "reference_id": "GHSA-64r9-x74q-wxmh", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-64r9-x74q-wxmh" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:0560", "reference_id": "RHSA-2023:0560", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:0560" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:0777", "reference_id": "RHSA-2023:0777", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:0777" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:1064", "reference_id": "RHSA-2023:1064", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:1064" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:3198", "reference_id": "RHSA-2023:3198", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:3198" } ], "fixed_packages": [], "aliases": [ "CVE-2022-43409", "GHSA-64r9-x74q-wxmh" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-73th-g3mx-dqf1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/52004?format=api", "vulnerability_id": "VCID-atqg-nfz6-zyfs", "summary": "CSRF protection for any URL can be bypassed in Jenkins Pipeline: Input Step Plugin\nPipeline: Input Step Plugin 451.vf1a_a_4f405289 and earlier does not restrict or sanitize the optionally specified ID of the `input` step. This ID is used for the URLs that process user interactions for the given `input` step (proceed or abort) and is not correctly encoded.\n\nThis allows attackers able to configure Pipelines to have Jenkins build URLs from `input` step IDs that would bypass the CSRF protection of any target URL in Jenkins when the `input` step is interacted with.\n\nPipeline: Input Step Plugin 456.vd8a_957db_5b_e9 limits the characters that can be used for the ID of `input` steps in Pipelines to alphanumeric characters and URL-safe punctuation. Pipelines with `input` steps having IDs with prohibited characters will fail with an error.\n\nThis includes Pipelines that have already been started but not finished before Jenkins is restarted to apply this update.\n\n[Pipeline: Declarative Plugin](https://plugins.jenkins.io/pipeline-model-definition/) provides an `input` directive that is internally using the `input` step, and specifies a non-default ID if not user-defined. Pipeline: Declarative Plugin 2.2114.v2654ca_721309 and earlier may specify values incompatible with this new restriction on legal values: `input` directives in a `stage` use the stage name (which may include prohibited characters) and `input` directives in a `matrix` will use a value generated from the matrix axis values (which always includes prohibited characters). Administrators are advised to update Pipeline: Input Step Plugin and Pipeline: Declarative Plugin at the same time, ideally while no Pipelines are running.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-43407.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-43407.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-43407", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.04696", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.04483", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.0462", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.04481", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.04493", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.04528", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.04544", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.04534", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.0452", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.04502", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.04474", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.04455", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.04662", "published_at": "2026-04-24T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-43407" }, { "reference_url": "https://github.com/jenkinsci/pipeline-input-step-plugin", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/jenkinsci/pipeline-input-step-plugin" }, { "reference_url": "https://github.com/jenkinsci/pipeline-input-step-plugin/commit/d8a957db5be95ddfbf81f41a60b2f034000314b5", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/jenkinsci/pipeline-input-step-plugin/commit/d8a957db5be95ddfbf81f41a60b2f034000314b5" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43407", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43407" }, { "reference_url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2880", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-05-08T19:25:07Z/" } ], "url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2880" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2022/10/19/3", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-05-08T19:25:07Z/" } ], "url": "http://www.openwall.com/lists/oss-security/2022/10/19/3" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136386", "reference_id": "2136386", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136386" }, { "reference_url": "https://github.com/advisories/GHSA-g66m-fqxf-3w35", "reference_id": "GHSA-g66m-fqxf-3w35", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-g66m-fqxf-3w35" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:0560", "reference_id": "RHSA-2023:0560", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:0560" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:0777", "reference_id": "RHSA-2023:0777", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:0777" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:1064", "reference_id": "RHSA-2023:1064", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:1064" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:3198", "reference_id": "RHSA-2023:3198", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:3198" } ], "fixed_packages": [], "aliases": [ "CVE-2022-43407", "GHSA-g66m-fqxf-3w35" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-atqg-nfz6-zyfs" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/52834?format=api", "vulnerability_id": "VCID-dmkc-42vj-gbhc", "summary": "SnakeYaml Constructor Deserialization Remote Code Execution\n### Summary\nSnakeYaml's `Constructor` class, which inherits from `SafeConstructor`, allows\nany type be deserialized given the following line:\n\nnew Yaml(new Constructor(TestDataClass.class)).load(yamlContent);\n\nTypes do not have to match the types of properties in the\ntarget class. A `ConstructorException` is thrown, but only after a malicious\npayload is deserialized.\n\n### Severity\nHigh, lack of type checks during deserialization allows remote code execution.\n\n### Proof of Concept\nExecute `bash run.sh`. The PoC uses Constructor to deserialize a payload\nfor RCE. RCE is demonstrated by using a payload which performs a http request to\nhttp://127.0.0.1:8000.\n\nExample output of successful run of proof of concept:\n\n```\n$ bash run.sh\n\n[+] Downloading snakeyaml if needed\n[+] Starting mock HTTP server on 127.0.0.1:8000 to demonstrate RCE\nnc: no process found\n[+] Compiling and running Proof of Concept, which a payload that sends a HTTP request to mock web server.\n[+] An exception is expected.\nException:\nCannot create property=payload for JavaBean=Main$TestDataClass@3cbbc1e0\n in 'string', line 1, column 1:\n payload: !!javax.script.ScriptEn ... \n ^\nCan not set java.lang.String field Main$TestDataClass.payload to javax.script.ScriptEngineManager\n in 'string', line 1, column 10:\n payload: !!javax.script.ScriptEngineManag ... \n ^\n\n\tat org.yaml.snakeyaml.constructor.Constructor$ConstructMapping.constructJavaBean2ndStep(Constructor.java:291)\n\tat org.yaml.snakeyaml.constructor.Constructor$ConstructMapping.construct(Constructor.java:172)\n\tat org.yaml.snakeyaml.constructor.Constructor$ConstructYamlObject.construct(Constructor.java:332)\n\tat org.yaml.snakeyaml.constructor.BaseConstructor.constructObjectNoCheck(BaseConstructor.java:230)\n\tat org.yaml.snakeyaml.constructor.BaseConstructor.constructObject(BaseConstructor.java:220)\n\tat org.yaml.snakeyaml.constructor.BaseConstructor.constructDocument(BaseConstructor.java:174)\n\tat org.yaml.snakeyaml.constructor.BaseConstructor.getSingleData(BaseConstructor.java:158)\n\tat org.yaml.snakeyaml.Yaml.loadFromReader(Yaml.java:491)\n\tat org.yaml.snakeyaml.Yaml.load(Yaml.java:416)\n\tat Main.main(Main.java:37)\nCaused by: java.lang.IllegalArgumentException: Can not set java.lang.String field Main$TestDataClass.payload to javax.script.ScriptEngineManager\n\tat java.base/jdk.internal.reflect.UnsafeFieldAccessorImpl.throwSetIllegalArgumentException(UnsafeFieldAccessorImpl.java:167)\n\tat java.base/jdk.internal.reflect.UnsafeFieldAccessorImpl.throwSetIllegalArgumentException(UnsafeFieldAccessorImpl.java:171)\n\tat java.base/jdk.internal.reflect.UnsafeObjectFieldAccessorImpl.set(UnsafeObjectFieldAccessorImpl.java:81)\n\tat java.base/java.lang.reflect.Field.set(Field.java:780)\n\tat org.yaml.snakeyaml.introspector.FieldProperty.set(FieldProperty.java:44)\n\tat org.yaml.snakeyaml.constructor.Constructor$ConstructMapping.constructJavaBean2ndStep(Constructor.java:286)\n\t... 9 more\n[+] Dumping Received HTTP Request. Will not be empty if PoC worked\nGET /proof-of-concept HTTP/1.1\nUser-Agent: Java/11.0.14\nHost: localhost:8000\nAccept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2\nConnection: keep-alive\n```\n\n### Further Analysis\nPotential mitigations include, leveraging SnakeYaml's SafeConstructor while parsing untrusted content.\n\nSee https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64581479 for discussion on the subject.\n\n### Timeline\n**Date reported**: 4/11/2022\n**Date fixed**: [30/12/2022](https://bitbucket.org/snakeyaml/snakeyaml/pull-requests/44)\n**Date disclosed**: 10/13/2022", "references": [ { "reference_url": "http://packetstormsecurity.com/files/175095/PyTorch-Model-Server-Registration-Deserialization-Remote-Code-Execution.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-07T18:13:22Z/" } ], "url": "http://packetstormsecurity.com/files/175095/PyTorch-Model-Server-Registration-Deserialization-Remote-Code-Execution.html" }, { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-1471.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-1471.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-1471", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.93849", "scoring_system": "epss", "scoring_elements": "0.99866", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.93849", "scoring_system": "epss", "scoring_elements": "0.99867", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.93849", "scoring_system": "epss", "scoring_elements": "0.99868", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.93849", "scoring_system": "epss", "scoring_elements": "0.99865", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.93849", "scoring_system": "epss", "scoring_elements": "0.99864", "published_at": "2026-04-01T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-1471" }, { "reference_url": "https://bitbucket.org/snakeyaml/snakeyaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://bitbucket.org/snakeyaml/snakeyaml" }, { "reference_url": "https://bitbucket.org/snakeyaml/snakeyaml/commits/5014df1a36f50aca54405bb8433bc99a8847f758", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://bitbucket.org/snakeyaml/snakeyaml/commits/5014df1a36f50aca54405bb8433bc99a8847f758" }, { "reference_url": "https://bitbucket.org/snakeyaml/snakeyaml/commits/acc44099f5f4af26ff86b4e4e4cc1c874e2dc5c4", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://bitbucket.org/snakeyaml/snakeyaml/commits/acc44099f5f4af26ff86b4e4e4cc1c874e2dc5c4" }, { "reference_url": "https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64581479", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-07T18:13:22Z/" } ], "url": "https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64581479" }, { "reference_url": "https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64634374", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64634374" }, { "reference_url": "https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64876314", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64876314" }, { "reference_url": "https://bitbucket.org/snakeyaml/snakeyaml/wiki/CVE-2022-1471", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://bitbucket.org/snakeyaml/snakeyaml/wiki/CVE-2022-1471" }, { "reference_url": "https://confluence.atlassian.com/security/cve-2022-1471-snakeyaml-library-rce-vulnerability-in-multiple-products-1296171009.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-07T18:13:22Z/" } ], "url": "https://confluence.atlassian.com/security/cve-2022-1471-snakeyaml-library-rce-vulnerability-in-multiple-products-1296171009.html" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1471", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1471" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-07T18:13:22Z/" } ], "url": "https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2" }, { "reference_url": "https://github.com/mbechler/marshalsec", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-07T18:13:22Z/" } ], "url": "https://github.com/mbechler/marshalsec" }, { "reference_url": "https://groups.google.com/g/kubernetes-security-announce/c/mwrakFaEdnc", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-07T18:13:22Z/" } ], "url": "https://groups.google.com/g/kubernetes-security-announce/c/mwrakFaEdnc" }, { "reference_url": "https://infosecwriteups.com/%EF%B8%8F-inside-the-160-comment-fight-to-fix-snakeyamls-rce-default-1a20c5ca4d4c", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-07T18:13:22Z/" } ], "url": "https://infosecwriteups.com/%EF%B8%8F-inside-the-160-comment-fight-to-fix-snakeyamls-rce-default-1a20c5ca4d4c" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1471", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1471" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20230818-0015", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://security.netapp.com/advisory/ntap-20230818-0015" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20240621-0006", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://security.netapp.com/advisory/ntap-20240621-0006" }, { "reference_url": "https://snyk.io/blog/unsafe-deserialization-snakeyaml-java-cve-2022-1471", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://snyk.io/blog/unsafe-deserialization-snakeyaml-java-cve-2022-1471" }, { "reference_url": "https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-07T18:13:22Z/" } ], "url": "https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2023/11/19/1", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-07T18:13:22Z/" } ], "url": "http://www.openwall.com/lists/oss-security/2023/11/19/1" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2150009", "reference_id": "2150009", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2150009" }, { "reference_url": "https://github.com/advisories/GHSA-mjmj-j48q-9wg2", "reference_id": "GHSA-mjmj-j48q-9wg2", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-mjmj-j48q-9wg2" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20230818-0015/", "reference_id": "ntap-20230818-0015", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-07T18:13:22Z/" } ], "url": "https://security.netapp.com/advisory/ntap-20230818-0015/" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:9032", "reference_id": "RHSA-2022:9032", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:9032" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:9058", "reference_id": "RHSA-2022:9058", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:9058" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:0697", "reference_id": "RHSA-2023:0697", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:0697" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:0758", "reference_id": "RHSA-2023:0758", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:0758" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:0777", "reference_id": "RHSA-2023:0777", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:0777" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:1006", "reference_id": "RHSA-2023:1006", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:1006" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:2097", "reference_id": "RHSA-2023:2097", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:2097" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:3198", "reference_id": "RHSA-2023:3198", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:3198" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:5165", "reference_id": "RHSA-2023:5165", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:5165" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:6171", "reference_id": "RHSA-2023:6171", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:6171" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:7697", "reference_id": "RHSA-2023:7697", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:7697" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:0325", "reference_id": "RHSA-2024:0325", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:0325" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:0775", "reference_id": "RHSA-2024:0775", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:0775" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:1746", "reference_id": "RHSA-2025:1746", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:1746" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:1747", "reference_id": "RHSA-2025:1747", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:1747" } ], "fixed_packages": [], "aliases": [ "CVE-2022-1471", "GHSA-mjmj-j48q-9wg2" ], "risk_score": 10.0, "exploitability": "2.0", "weighted_severity": "8.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-dmkc-42vj-gbhc" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/57925?format=api", "vulnerability_id": "VCID-j584-bgww-z7fw", "summary": "Command injection in Apache Maven maven-shared-utils\nIn Apache Maven maven-shared-utils prior to version 3.3.3, the Commandline class can emit double-quoted strings without proper escaping, allowing shell injection attacks.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-29599.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-29599.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-29599", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00346", "scoring_system": "epss", "scoring_elements": "0.57222", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00346", "scoring_system": "epss", "scoring_elements": "0.57245", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00346", "scoring_system": "epss", "scoring_elements": "0.57273", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00402", "scoring_system": "epss", "scoring_elements": "0.60849", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00402", "scoring_system": "epss", "scoring_elements": "0.60865", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00402", "scoring_system": "epss", "scoring_elements": "0.6086", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00402", "scoring_system": "epss", "scoring_elements": "0.60817", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00402", "scoring_system": "epss", "scoring_elements": "0.6077", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00402", "scoring_system": "epss", "scoring_elements": "0.608", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00402", "scoring_system": "epss", "scoring_elements": "0.60764", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00402", "scoring_system": "epss", "scoring_elements": "0.60813", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00402", "scoring_system": "epss", "scoring_elements": "0.60828", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00402", "scoring_system": "epss", "scoring_elements": "0.60836", "published_at": "2026-04-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-29599" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29599", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29599" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/apache/maven-shared-utils", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/maven-shared-utils" }, { "reference_url": "https://github.com/apache/maven-shared-utils/pull/40", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/maven-shared-utils/pull/40" }, { "reference_url": "https://issues.apache.org/jira/browse/MSHARED-297", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://issues.apache.org/jira/browse/MSHARED-297" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2022/08/msg00018.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2022/08/msg00018.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29599", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29599" }, { "reference_url": "https://www.debian.org/security/2022/dsa-5242", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.debian.org/security/2022/dsa-5242" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2022/05/23/3", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://www.openwall.com/lists/oss-security/2022/05/23/3" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1012314", "reference_id": "1012314", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1012314" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2066479", "reference_id": "2066479", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2066479" }, { "reference_url": "https://security.archlinux.org/AVG-2736", "reference_id": "AVG-2736", "reference_type": "", "scores": [ { "value": "Critical", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-2736" }, { "reference_url": "https://github.com/advisories/GHSA-rhgr-952r-6p8q", "reference_id": "GHSA-rhgr-952r-6p8q", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-rhgr-952r-6p8q" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:1541", "reference_id": "RHSA-2022:1541", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:1541" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:1662", "reference_id": "RHSA-2022:1662", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:1662" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:4699", "reference_id": "RHSA-2022:4699", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:4699" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:4797", "reference_id": "RHSA-2022:4797", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:4797" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:4798", "reference_id": "RHSA-2022:4798", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:4798" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:9098", "reference_id": "RHSA-2022:9098", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:9098" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:0573", "reference_id": "RHSA-2023:0573", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:0573" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:3198", "reference_id": "RHSA-2023:3198", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:3198" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:3610", "reference_id": "RHSA-2023:3610", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:3610" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:3622", "reference_id": "RHSA-2023:3622", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:3622" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:6171", "reference_id": "RHSA-2023:6171", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:6171" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:6172", "reference_id": "RHSA-2023:6172", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:6172" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:6179", "reference_id": "RHSA-2023:6179", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:6179" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:7288", "reference_id": "RHSA-2023:7288", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:7288" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:0775", "reference_id": "RHSA-2024:0775", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:0775" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:0776", "reference_id": "RHSA-2024:0776", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:0776" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:0777", "reference_id": "RHSA-2024:0777", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:0777" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:0778", "reference_id": "RHSA-2024:0778", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:0778" }, { "reference_url": "https://usn.ubuntu.com/6730-1/", "reference_id": "USN-6730-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/6730-1/" } ], "fixed_packages": [], "aliases": [ "CVE-2022-29599", "GHSA-rhgr-952r-6p8q" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-j584-bgww-z7fw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/51949?format=api", "vulnerability_id": "VCID-j986-mtma-b3bw", "summary": "Arbitrary code execution in Apache Commons Text\nApache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is \"${prefix:name}\", where \"prefix\" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: - \"script\" - execute expressions using the JVM script execution engine (javax.script) - \"dns\" - resolve dns records - \"url\" - load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.", "references": [ { "reference_url": "http://packetstormsecurity.com/files/171003/OX-App-Suite-Cross-Site-Scripting-Server-Side-Request-Forgery.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-01-24T16:22:10Z/" } ], "url": "http://packetstormsecurity.com/files/171003/OX-App-Suite-Cross-Site-Scripting-Server-Side-Request-Forgery.html" }, { "reference_url": "http://packetstormsecurity.com/files/176650/Apache-Commons-Text-1.9-Remote-Code-Execution.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-01-24T16:22:10Z/" } ], "url": "http://packetstormsecurity.com/files/176650/Apache-Commons-Text-1.9-Remote-Code-Execution.html" }, { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-42889.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-42889.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-42889", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.94251", "scoring_system": "epss", "scoring_elements": "0.99931", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.94251", "scoring_system": "epss", "scoring_elements": "0.99932", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.94251", "scoring_system": "epss", "scoring_elements": "0.9993", "published_at": "2026-04-02T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-42889" }, { "reference_url": "https://arxiv.org/pdf/2306.05534", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://arxiv.org/pdf/2306.05534" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42889", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42889" }, { "reference_url": "http://seclists.org/fulldisclosure/2023/Feb/3", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-01-24T16:22:10Z/" } ], "url": "http://seclists.org/fulldisclosure/2023/Feb/3" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/apache/commons-text", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/commons-text" }, { "reference_url": "https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-01-24T16:22:10Z/" } ], "url": "https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42889", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42889" }, { "reference_url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0022", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-01-24T16:22:10Z/" } ], "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0022" }, { "reference_url": "https://security.gentoo.org/glsa/202301-05", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-01-24T16:22:10Z/" } ], "url": "https://security.gentoo.org/glsa/202301-05" }, { "reference_url": "https://securitylab.github.com/advisories/GHSL-2022-018_Apache_Commons_Text", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://securitylab.github.com/advisories/GHSL-2022-018_Apache_Commons_Text" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20221020-0004", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://security.netapp.com/advisory/ntap-20221020-0004" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20221020-0004/", "reference_id": "", "reference_type": "", "scores": [ { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-01-24T16:22:10Z/" } ], "url": "https://security.netapp.com/advisory/ntap-20221020-0004/" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2022/10/13/4", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-01-24T16:22:10Z/" } ], "url": "http://www.openwall.com/lists/oss-security/2022/10/13/4" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2022/10/18/1", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-01-24T16:22:10Z/" } ], "url": "http://www.openwall.com/lists/oss-security/2022/10/18/1" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021787", "reference_id": "1021787", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021787" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135435", "reference_id": "2135435", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135435" }, { "reference_url": "https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52261.py", "reference_id": "CVE-2022-42889", "reference_type": "exploit", "scores": [], "url": "https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52261.py" }, { "reference_url": "https://github.com/advisories/GHSA-599f-7c49-w659", "reference_id": "GHSA-599f-7c49-w659", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-599f-7c49-w659" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:8652", "reference_id": "RHSA-2022:8652", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:8652" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:8876", "reference_id": "RHSA-2022:8876", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:8876" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:8902", "reference_id": "RHSA-2022:8902", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:8902" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:9023", "reference_id": "RHSA-2022:9023", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:9023" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:0261", "reference_id": "RHSA-2023:0261", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:0261" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:0469", "reference_id": "RHSA-2023:0469", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:0469" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:1006", "reference_id": "RHSA-2023:1006", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:1006" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:1524", "reference_id": "RHSA-2023:1524", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:1524" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:1655", "reference_id": "RHSA-2023:1655", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:1655" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:2097", "reference_id": "RHSA-2023:2097", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:2097" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:3195", "reference_id": "RHSA-2023:3195", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:3195" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:3198", "reference_id": "RHSA-2023:3198", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:3198" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:3299", "reference_id": "RHSA-2023:3299", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:3299" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:6171", "reference_id": "RHSA-2023:6171", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:6171" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:6172", "reference_id": "RHSA-2023:6172", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:6172" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:6179", "reference_id": "RHSA-2023:6179", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:6179" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:7288", "reference_id": "RHSA-2023:7288", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:7288" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:0775", "reference_id": "RHSA-2024:0775", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:0775" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:0776", "reference_id": "RHSA-2024:0776", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:0776" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:0777", "reference_id": "RHSA-2024:0777", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:0777" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:0778", "reference_id": "RHSA-2024:0778", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:0778" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:1746", "reference_id": "RHSA-2025:1746", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:1746" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:1747", "reference_id": "RHSA-2025:1747", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:1747" } ], "fixed_packages": [], "aliases": [ "CVE-2022-42889", "GHSA-599f-7c49-w659" ], "risk_score": 10.0, "exploitability": "2.0", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-j986-mtma-b3bw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/44862?format=api", "vulnerability_id": "VCID-m3g5-ua28-afd2", "summary": "Origin Validation Error in Apache Maven\nApache Maven will follow repositories that are defined in a dependency’s Project Object Model (pom) which may be surprising to some users, resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be that repository. Maven is changing the default behavior in 3.8.1+ to no longer follow http (non-SSL) repository references by default. More details available in the referenced urls. If you are currently using a repository manager to govern the repositories used by your builds, you are unaffected by the risks present in the legacy behavior, and are unaffected by this vulnerability and change to default behavior. See this link for more information about repository management: https://maven.apache.org/repository-management.html", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-26291.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-26291.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-26291", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.46101", "scoring_system": "epss", "scoring_elements": "0.97648", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.46101", "scoring_system": "epss", "scoring_elements": "0.97649", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.46101", "scoring_system": "epss", "scoring_elements": "0.97646", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.46101", "scoring_system": "epss", "scoring_elements": "0.97639", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.46101", "scoring_system": "epss", "scoring_elements": "0.97617", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.46101", "scoring_system": "epss", "scoring_elements": "0.97623", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.46101", "scoring_system": "epss", "scoring_elements": "0.97626", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.46101", "scoring_system": "epss", "scoring_elements": "0.97625", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.46101", "scoring_system": "epss", "scoring_elements": "0.97638", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.46101", "scoring_system": "epss", "scoring_elements": "0.97635", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.46101", "scoring_system": "epss", "scoring_elements": "0.97633", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.46101", "scoring_system": "epss", "scoring_elements": "0.97631", "published_at": "2026-04-08T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-26291" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26291", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26291" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/apache/maven", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/maven" }, { "reference_url": "https://github.com/apache/maven/commit/899465aeec03753ea91e15a79579eab76369c016", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/maven/commit/899465aeec03753ea91e15a79579eab76369c016" }, { "reference_url": "https://github.com/apache/maven/commit/fa79cb22e456cc65522b5bab8c4240fe08c5775f", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/maven/commit/fa79cb22e456cc65522b5bab8c4240fe08c5775f" }, { "reference_url": "https://issues.apache.org/jira/browse/MNG-7116", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://issues.apache.org/jira/browse/MNG-7116" }, { "reference_url": "https://issues.apache.org/jira/browse/MNG-7117", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://issues.apache.org/jira/browse/MNG-7117" }, { "reference_url": "https://lists.apache.org/thread.html/r0556ce5db7231025785477739ee416b169d8aff5ee9bac7854d64736@%3Cannounce.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread.html/r0556ce5db7231025785477739ee416b169d8aff5ee9bac7854d64736@%3Cannounce.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r06db4057b74e0598a412734f693a34a8836ac6f06d16d139e5e1027c@%3Cdev.maven.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread.html/r06db4057b74e0598a412734f693a34a8836ac6f06d16d139e5e1027c@%3Cdev.maven.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r07a89b32783f73bda6903c1f9aadeb859e5bef0a4daed6d87db8e4a9@%3Cissues.karaf.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread.html/r07a89b32783f73bda6903c1f9aadeb859e5bef0a4daed6d87db8e4a9@%3Cissues.karaf.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r08a401f8c98a99f68d061fde6e6659d695f28d60fe4f0413bcb355b0@%3Ccommits.druid.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread.html/r08a401f8c98a99f68d061fde6e6659d695f28d60fe4f0413bcb355b0@%3Ccommits.druid.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r0a5e4ff2a7ca7ad8595d7683afbaeb3b8788ba974681907f97e7dc8e@%3Cjira.kafka.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread.html/r0a5e4ff2a7ca7ad8595d7683afbaeb3b8788ba974681907f97e7dc8e@%3Cjira.kafka.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r0d083314aa3934dd4b6e6970d1f6ee50f6eaa9d867deb2cd96788478@%3Cjira.kafka.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread.html/r0d083314aa3934dd4b6e6970d1f6ee50f6eaa9d867deb2cd96788478@%3Cjira.kafka.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r167dbc42ef7c59802c2ca1ac14735ef9cf687c25208229993d6206fe@%3Cissues.karaf.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread.html/r167dbc42ef7c59802c2ca1ac14735ef9cf687c25208229993d6206fe@%3Cissues.karaf.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdbda8641c0f659fe@%3Cusers.kafka.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdbda8641c0f659fe@%3Cusers.kafka.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r2ddabd06d94b60cfb0141e4abb23201c628ab925e30742f61a04d013@%3Cissues.karaf.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread.html/r2ddabd06d94b60cfb0141e4abb23201c628ab925e30742f61a04d013@%3Cissues.karaf.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r30a139c165b3da6e0d5536434ab1550534011b1fdfcd2f5d95892c5b@%3Cissues.karaf.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread.html/r30a139c165b3da6e0d5536434ab1550534011b1fdfcd2f5d95892c5b@%3Cissues.karaf.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r30e9fcba679d164158cc26236704c351954909c18cb2485d11038aa6@%3Cdev.kafka.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread.html/r30e9fcba679d164158cc26236704c351954909c18cb2485d11038aa6@%3Cdev.kafka.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r340e75c9bb6e8661b89e1cf2c52f4638a18312e57bd884722bc28f52@%3Cjira.kafka.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread.html/r340e75c9bb6e8661b89e1cf2c52f4638a18312e57bd884722bc28f52@%3Cjira.kafka.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r39fa6ec4b7e912d3e04ea68efd23e554ec9c8efa2c96f5b45104fc61@%3Cjira.kafka.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread.html/r39fa6ec4b7e912d3e04ea68efd23e554ec9c8efa2c96f5b45104fc61@%3Cjira.kafka.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r3f0450dcab7e63b5f233ccfbc6fca5f1867a75c8aa2493ea82732381@%3Cdev.jena.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread.html/r3f0450dcab7e63b5f233ccfbc6fca5f1867a75c8aa2493ea82732381@%3Cdev.jena.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r4e1619cfefcd031fac62064a3858f5c9229eef907bd5d8ef14c594fc@%3Cissues.karaf.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread.html/r4e1619cfefcd031fac62064a3858f5c9229eef907bd5d8ef14c594fc@%3Cissues.karaf.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r52c6cda14dc6315dc79e72d30109f4589e9c6300ef6dc1a019da32d4@%3Cissues.karaf.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread.html/r52c6cda14dc6315dc79e72d30109f4589e9c6300ef6dc1a019da32d4@%3Cissues.karaf.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r53cd5de57aaa126038c5301d8f518f3defab3c5b1c7e17c97bad08d8@%3Cissues.karaf.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread.html/r53cd5de57aaa126038c5301d8f518f3defab3c5b1c7e17c97bad08d8@%3Cissues.karaf.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r5ae6aaa8a2ce86145225c3516bb45d315c0454e3765d651527e5df8a@%3Ccommits.kafka.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread.html/r5ae6aaa8a2ce86145225c3516bb45d315c0454e3765d651527e5df8a@%3Ccommits.kafka.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r71bc13669be84c2ff45b74a67929bc2da905c152e12a39b406e3c2a0@%3Cissues.karaf.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread.html/r71bc13669be84c2ff45b74a67929bc2da905c152e12a39b406e3c2a0@%3Cissues.karaf.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r7212b874e575e59d648980d91bc22e684906aee9b211ab92da9591f5@%3Cdev.kafka.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread.html/r7212b874e575e59d648980d91bc22e684906aee9b211ab92da9591f5@%3Cdev.kafka.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r74329c671df713f61ae4620ee2452a0443ccad7f33c60e8ed7d21ff9@%3Cissues.karaf.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread.html/r74329c671df713f61ae4620ee2452a0443ccad7f33c60e8ed7d21ff9@%3Cissues.karaf.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r77af3ac7c3bfbd5454546e13faf7aec21d627bdcf36c9ca240436b94@%3Cissues.karaf.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread.html/r77af3ac7c3bfbd5454546e13faf7aec21d627bdcf36c9ca240436b94@%3Cissues.karaf.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r78fb6d2cf0ca332cfa43abd4471e75fa6c517ed9cdfcb950bff48d40@%3Cjira.kafka.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread.html/r78fb6d2cf0ca332cfa43abd4471e75fa6c517ed9cdfcb950bff48d40@%3Cjira.kafka.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r86aebd0387ae19b740b3eb28bad83fe6aceca0d6257eaa810a6e0002@%3Ccommits.kafka.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread.html/r86aebd0387ae19b740b3eb28bad83fe6aceca0d6257eaa810a6e0002@%3Ccommits.kafka.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r86e1c81e03f441855f127980e9b3d41939d04a7caea2b7ab718e2288@%3Cjira.kafka.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread.html/r86e1c81e03f441855f127980e9b3d41939d04a7caea2b7ab718e2288@%3Cjira.kafka.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r96cc126d3ee9aa42af9d3bb4baa94828b0a5f656584a50dcc594125f@%3Cissues.karaf.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread.html/r96cc126d3ee9aa42af9d3bb4baa94828b0a5f656584a50dcc594125f@%3Cissues.karaf.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r9a027668558264c4897633e66bcb7784099fdec9f9b22c38c2442f00@%3Cusers.maven.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread.html/r9a027668558264c4897633e66bcb7784099fdec9f9b22c38c2442f00@%3Cusers.maven.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r9a027668558264c4897633e66bcb7784099fdec9f9b22c38c2442f00%40%3Cusers.maven.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread.html/r9a027668558264c4897633e66bcb7784099fdec9f9b22c38c2442f00%40%3Cusers.maven.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/ra88a0eba7f84658cefcecc0143fd8bbad52c229ee5dfcbfdde7b6457@%3Cdev.jena.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread.html/ra88a0eba7f84658cefcecc0143fd8bbad52c229ee5dfcbfdde7b6457@%3Cdev.jena.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/ra9d984eccfd2ae7726671e025f0296bf03786e5cdf872138110ac29b@%3Ccommits.druid.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread.html/ra9d984eccfd2ae7726671e025f0296bf03786e5cdf872138110ac29b@%3Ccommits.druid.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/rc7ae2530063d1cd1cf8e9fa130d10940760f927168d4063d23b8cd0a@%3Ccommits.kafka.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread.html/rc7ae2530063d1cd1cf8e9fa130d10940760f927168d4063d23b8cd0a@%3Ccommits.kafka.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/rc9e441c1576bdc4375d32526d5cf457226928e9c87b9f54ded26271c@%3Cissues.karaf.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread.html/rc9e441c1576bdc4375d32526d5cf457226928e9c87b9f54ded26271c@%3Cissues.karaf.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/rcd37d9214b08067a2e8f2b5b4fd123a1f8cb6008698d11ef44028c21@%3Cissues.karaf.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread.html/rcd37d9214b08067a2e8f2b5b4fd123a1f8cb6008698d11ef44028c21@%3Cissues.karaf.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/rcd6c3a36f1dbc130da1b89d0f320db7040de71661a512695a8d513ac@%3Cdev.kafka.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread.html/rcd6c3a36f1dbc130da1b89d0f320db7040de71661a512695a8d513ac@%3Cdev.kafka.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/rdcbad6d8ce72c79827ed8c635f9a62dd919bb21c94a0b64cab2efc31@%3Cissues.karaf.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread.html/rdcbad6d8ce72c79827ed8c635f9a62dd919bb21c94a0b64cab2efc31@%3Cissues.karaf.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/re75f8b3dbc5faa1640908f87e644d373e00f8b4e6ba3e2ba4bd2c80b@%3Ccommits.druid.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread.html/re75f8b3dbc5faa1640908f87e644d373e00f8b4e6ba3e2ba4bd2c80b@%3Ccommits.druid.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/red3bf6cbfd99e36b0c0a4fa1cea1eef1eb300c6bd8f372f497341265@%3Cdev.kafka.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread.html/red3bf6cbfd99e36b0c0a4fa1cea1eef1eb300c6bd8f372f497341265@%3Cdev.kafka.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/rf9abfc0223747a56694825c050cc6b66627a293a32ea926b3de22402@%3Cissues.karaf.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread.html/rf9abfc0223747a56694825c050cc6b66627a293a32ea926b3de22402@%3Cissues.karaf.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/rfc0db1f3c375087e69a239f9284ded72d04fbb55849eadde58fa9dc2@%3Cissues.karaf.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread.html/rfc0db1f3c375087e69a239f9284ded72d04fbb55849eadde58fa9dc2@%3Cissues.karaf.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/rfc27e2727a20a574f39273e0432aa97486a332f9b3068f6ac1346594@%3Cdev.myfaces.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread.html/rfc27e2727a20a574f39273e0432aa97486a332f9b3068f6ac1346594@%3Cdev.myfaces.apache.org%3E" }, { "reference_url": "https://maven.apache.org/docs/3.8.1/release-notes.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://maven.apache.org/docs/3.8.1/release-notes.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-26291", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-26291" }, { "reference_url": "https://www.oracle.com/security-alerts/cpuapr2022.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "reference_url": "https://www.oracle.com/security-alerts/cpujul2022.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "reference_url": "https://www.whitesourcesoftware.com/resources/blog/maven-security-vulnerability-cve-2021-26291", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.whitesourcesoftware.com/resources/blog/maven-security-vulnerability-cve-2021-26291" }, { "reference_url": "https://www.whitesourcesoftware.com/resources/blog/maven-security-vulnerability-cve-2021-26291/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.whitesourcesoftware.com/resources/blog/maven-security-vulnerability-cve-2021-26291/" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2021/04/23/5", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://www.openwall.com/lists/oss-security/2021/04/23/5" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=1955739", "reference_id": "1955739", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1955739" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988155", "reference_id": "988155", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988155" }, { "reference_url": "https://security.archlinux.org/AVG-1863", "reference_id": "AVG-1863", "reference_type": "", "scores": [ { "value": "Medium", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-1863" }, { "reference_url": "https://github.com/advisories/GHSA-2f88-5hg8-9x2x", "reference_id": "GHSA-2f88-5hg8-9x2x", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-2f88-5hg8-9x2x" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:3880", "reference_id": "RHSA-2021:3880", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:3880" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:1013", "reference_id": "RHSA-2022:1013", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:1013" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:1029", "reference_id": "RHSA-2022:1029", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:1029" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:1334", "reference_id": "RHSA-2023:1334", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:1334" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:3198", "reference_id": "RHSA-2023:3198", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:3198" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:0776", "reference_id": "RHSA-2024:0776", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:0776" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:0778", "reference_id": "RHSA-2024:0778", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:0778" }, { "reference_url": "https://usn.ubuntu.com/5805-1/", "reference_id": "USN-5805-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/5805-1/" }, { "reference_url": "https://usn.ubuntu.com/USN-5245-1/", "reference_id": "USN-USN-5245-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/USN-5245-1/" } ], "fixed_packages": [], "aliases": [ "CVE-2021-26291", "GHSA-2f88-5hg8-9x2x" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-m3g5-ua28-afd2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/53284?format=api", "vulnerability_id": "VCID-mm3e-4pej-byed", "summary": "Uncontrolled Resource Consumption in snakeyaml\nThe package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-25857.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-25857.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-25857", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00869", "scoring_system": "epss", "scoring_elements": "0.75247", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00869", "scoring_system": "epss", "scoring_elements": "0.75185", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00869", "scoring_system": "epss", "scoring_elements": "0.75244", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00869", "scoring_system": "epss", "scoring_elements": "0.75206", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00869", "scoring_system": "epss", "scoring_elements": "0.75216", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00869", "scoring_system": "epss", "scoring_elements": "0.7521", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00869", "scoring_system": "epss", "scoring_elements": "0.75132", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00869", "scoring_system": "epss", "scoring_elements": "0.75162", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00869", "scoring_system": "epss", "scoring_elements": "0.75139", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00869", "scoring_system": "epss", "scoring_elements": "0.75173", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00869", "scoring_system": "epss", "scoring_elements": "0.75207", "published_at": "2026-04-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-25857" }, { "reference_url": "https://bitbucket.org/snakeyaml/snakeyaml/commits/fc300780da21f4bb92c148bc90257201220cf174", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://bitbucket.org/snakeyaml/snakeyaml/commits/fc300780da21f4bb92c148bc90257201220cf174" }, { "reference_url": "https://bitbucket.org/snakeyaml/snakeyaml/issues/525", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://bitbucket.org/snakeyaml/snakeyaml/issues/525" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25857", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25857" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/jruby/jruby/issues/7342", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "" } ], "url": "https://github.com/jruby/jruby/issues/7342" }, { "reference_url": "https://github.com/snakeyaml/snakeyaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/snakeyaml/snakeyaml" }, { "reference_url": "https://github.com/snakeyaml/snakeyaml/commit/fc300780da21f4bb92c148bc90257201220cf174", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/snakeyaml/snakeyaml/commit/fc300780da21f4bb92c148bc90257201220cf174" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00001.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00001.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25857", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25857" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20240315-0010", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://security.netapp.com/advisory/ntap-20240315-0010" }, { "reference_url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGYAML-2806360", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGYAML-2806360" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1019218", "reference_id": "1019218", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1019218" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2126789", "reference_id": "2126789", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2126789" }, { "reference_url": "https://github.com/advisories/GHSA-3mc7-4q67-w48m", "reference_id": "GHSA-3mc7-4q67-w48m", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-3mc7-4q67-w48m" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:6757", "reference_id": "RHSA-2022:6757", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:6757" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:6820", "reference_id": "RHSA-2022:6820", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:6820" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:6821", "reference_id": "RHSA-2022:6821", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:6821" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:6822", "reference_id": "RHSA-2022:6822", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:6822" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:6823", "reference_id": "RHSA-2022:6823", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:6823" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:6825", "reference_id": "RHSA-2022:6825", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:6825" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:6835", "reference_id": "RHSA-2022:6835", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:6835" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:6941", "reference_id": "RHSA-2022:6941", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:6941" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:8524", "reference_id": "RHSA-2022:8524", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:8524" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:8652", "reference_id": "RHSA-2022:8652", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:8652" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:8876", "reference_id": "RHSA-2022:8876", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:8876" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:0560", "reference_id": "RHSA-2023:0560", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:0560" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:0777", "reference_id": "RHSA-2023:0777", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:0777" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:2097", "reference_id": "RHSA-2023:2097", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:2097" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:2100", "reference_id": "RHSA-2023:2100", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:2100" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:3198", "reference_id": "RHSA-2023:3198", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:3198" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:3641", "reference_id": "RHSA-2023:3641", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:3641" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:4983", "reference_id": "RHSA-2023:4983", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:4983" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:6172", "reference_id": "RHSA-2023:6172", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:6172" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:6179", "reference_id": "RHSA-2023:6179", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:6179" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:7288", "reference_id": "RHSA-2023:7288", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:7288" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:7697", "reference_id": "RHSA-2023:7697", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:7697" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:0776", "reference_id": "RHSA-2024:0776", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:0776" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:0777", "reference_id": "RHSA-2024:0777", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:0777" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:0778", "reference_id": "RHSA-2024:0778", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:0778" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:4437", "reference_id": "RHSA-2025:4437", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:4437" }, { "reference_url": "https://usn.ubuntu.com/5944-1/", "reference_id": "USN-5944-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/5944-1/" } ], "fixed_packages": [], "aliases": [ "CVE-2022-25857", "GHSA-3mc7-4q67-w48m" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-mm3e-4pej-byed" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/51787?format=api", "vulnerability_id": "VCID-n5vc-ggjg-kfc1", "summary": "Jenkins Script Security Plugin sandbox bypass vulnerability\nA sandbox bypass vulnerability involving casting an array-like value to an array type in Jenkins Script Security Plugin 1183.v774b_0b_0a_a_451 and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM. Script Security Plugin 1184.v85d16b_d851b_3 intercepts per-element casts when casting array-like values to array types.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-43403.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-43403.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-43403", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00283", "scoring_system": "epss", "scoring_elements": "0.51679", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00283", "scoring_system": "epss", "scoring_elements": "0.51687", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00283", "scoring_system": "epss", "scoring_elements": "0.51683", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00283", "scoring_system": "epss", "scoring_elements": "0.51732", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00283", "scoring_system": "epss", "scoring_elements": "0.5171", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00283", "scoring_system": "epss", "scoring_elements": "0.51693", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00283", "scoring_system": "epss", "scoring_elements": "0.51734", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00283", "scoring_system": "epss", "scoring_elements": "0.51741", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00283", "scoring_system": "epss", "scoring_elements": "0.51721", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00283", "scoring_system": "epss", "scoring_elements": "0.51673", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00283", "scoring_system": "epss", "scoring_elements": "0.51647", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00283", "scoring_system": "epss", "scoring_elements": "0.51672", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00283", "scoring_system": "epss", "scoring_elements": "0.51632", "published_at": "2026-04-07T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-43403" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43403", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43403" }, { "reference_url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)" }, { "reference_url": "https://www.secpod.com/blog/oracle-releases-critical-security-updates-january-2023-patch-now", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.secpod.com/blog/oracle-releases-critical-security-updates-january-2023-patch-now" }, { "reference_url": "https://www.secpod.com/blog/oracle-releases-critical-security-updates-january-2023-patch-now/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.secpod.com/blog/oracle-releases-critical-security-updates-january-2023-patch-now/" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2022/10/19/3", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://www.openwall.com/lists/oss-security/2022/10/19/3" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136382", "reference_id": "2136382", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136382" }, { "reference_url": "https://github.com/advisories/GHSA-f6mq-6fx5-w2ch", "reference_id": "GHSA-f6mq-6fx5-w2ch", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-f6mq-6fx5-w2ch" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:0560", "reference_id": "RHSA-2023:0560", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:0560" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:0777", "reference_id": "RHSA-2023:0777", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:0777" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:1064", "reference_id": "RHSA-2023:1064", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:1064" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:3198", "reference_id": "RHSA-2023:3198", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:3198" } ], "fixed_packages": [], "aliases": [ "CVE-2022-43403", "GHSA-f6mq-6fx5-w2ch" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-n5vc-ggjg-kfc1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/53506?format=api", "vulnerability_id": "VCID-netd-rr9e-wbg5", "summary": "Unsafe deserialization in Apache MINA SSHD\nClass org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider in Apache MINA SSHD <= 2.9.1 uses Java deserialization to load a serialized java.security.PrivateKey. The class is one of several implementations that an implementor using Apache MINA SSHD can choose for loading the host keys of an SSH server.\n\nUntil version 2.1.0, the code affected by this vulnerability appeared in `org.apache.sshd:sshd-core`. Version 2.1.0 contains a [commit](https://github.com/apache/mina-sshd/commit/10de190e7d3f9189deb76b8d08c72334a1fe2df0) where the code was moved to the package `org.apache.sshd:sshd-common`, which did not exist until version 2.1.0.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-45047.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-45047.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-45047", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.05083", "scoring_system": "epss", "scoring_elements": "0.89829", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.05083", "scoring_system": "epss", "scoring_elements": "0.89814", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.05083", "scoring_system": "epss", "scoring_elements": "0.8982", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.05083", "scoring_system": "epss", "scoring_elements": "0.89806", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.05083", "scoring_system": "epss", "scoring_elements": "0.89813", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.05083", "scoring_system": "epss", "scoring_elements": "0.89809", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.05083", "scoring_system": "epss", "scoring_elements": "0.89802", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.05083", "scoring_system": "epss", "scoring_elements": "0.89785", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.05083", "scoring_system": "epss", "scoring_elements": "0.89815", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.05378", "scoring_system": "epss", "scoring_elements": "0.90064", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.05378", "scoring_system": "epss", "scoring_elements": "0.90075", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.05705", "scoring_system": "epss", "scoring_elements": "0.90444", "published_at": "2026-04-26T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-45047" }, { "reference_url": "https://github.com/apache/mina-sshd", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/mina-sshd" }, { "reference_url": "https://github.com/apache/mina-sshd/commit/03238d51586f6b3c0bdbb1a23cf16799344d6c32", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/mina-sshd/commit/03238d51586f6b3c0bdbb1a23cf16799344d6c32" }, { "reference_url": "https://github.com/apache/mina-sshd/commit/10de190e7d3f9189deb76b8d08c72334a1fe2df0", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/mina-sshd/commit/10de190e7d3f9189deb76b8d08c72334a1fe2df0" }, { "reference_url": "https://github.com/apache/mina-sshd/commit/5a8fe830b2a2308a2b24ac8115a391af477f64f5", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/mina-sshd/commit/5a8fe830b2a2308a2b24ac8115a391af477f64f5" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047" }, { "reference_url": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194", "reference_id": "2145194", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194" }, { "reference_url": "https://github.com/advisories/GHSA-fhw8-8j55-vwgq", "reference_id": "GHSA-fhw8-8j55-vwgq", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-fhw8-8j55-vwgq" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:8957", "reference_id": "RHSA-2022:8957", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:8957" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:0074", "reference_id": "RHSA-2023:0074", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:0074" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:0552", "reference_id": "RHSA-2023:0552", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:0552" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:0553", "reference_id": "RHSA-2023:0553", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:0553" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:0554", "reference_id": "RHSA-2023:0554", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:0554" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:0556", "reference_id": "RHSA-2023:0556", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:0556" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:0560", "reference_id": "RHSA-2023:0560", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:0560" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:0713", "reference_id": "RHSA-2023:0713", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:0713" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:0758", "reference_id": "RHSA-2023:0758", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:0758" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:0777", "reference_id": "RHSA-2023:0777", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:0777" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:1064", "reference_id": "RHSA-2023:1064", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:1064" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:3198", "reference_id": "RHSA-2023:3198", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:3198" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:3641", "reference_id": "RHSA-2023:3641", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:3641" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:4983", "reference_id": "RHSA-2023:4983", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:4983" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:1746", "reference_id": "RHSA-2025:1746", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:1746" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:1747", "reference_id": "RHSA-2025:1747", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:1747" } ], "fixed_packages": [], "aliases": [ "CVE-2022-45047", "GHSA-fhw8-8j55-vwgq" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-netd-rr9e-wbg5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/51812?format=api", "vulnerability_id": "VCID-pnge-tumu-v7e2", "summary": "Sandbox bypass vulnerabilities in Jenkins Script Security Plugin and in Pipeline: Groovy Plugin\nScript Security Plugin provides a sandbox feature that allows low privileged users to define scripts, including Pipelines, that are generally safe to execute. Calls to code defined inside a sandboxed script are intercepted, and various allowlists are checked to determine whether the call is to be allowed.\n\nMultiple sandbox bypass vulnerabilities exist in Script Security Plugin and Pipeline: Groovy Plugin:\n\n- In Script Security Plugin 1183.v774b_0b_0a_a_451 and earlier and in Pipeline: Groovy Plugin 2802.v5ea_628154b_c2 and earlier, various casts performed implicitly by the Groovy language runtime were not intercepted by the sandbox. This includes casts performed when returning values from methods, when assigning local variables, fields, properties, and when defining default arguments for closure, constructor, and method parameters (CVE-2022-43401 in Script Security Plugin and CVE-2022-43402 in Pipeline: Groovy Plugin).\n- In Script Security Plugin 1183.v774b_0b_0a_a_451 and earlier, when casting an array-like value to an array type, per-element casts to the component type of the array are not intercepted by the sandbox (CVE-2022-43403).\n- In Script Security Plugin 1183.v774b_0b_0a_a_451 and earlier, crafted constructor bodies and calls to sandbox-generated synthetic constructors can be used to construct any subclassable type (due to an incomplete fix for SECURITY-1754 in the [2020-03-09 security advisory](https://www.jenkins.io/security/advisory/2020-03-09/#SECURITY-1754)) (CVE-2022-43404).\n\nThese vulnerabilities allow attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.\n\nThese vulnerabilities have been fixed:\n\n- Script Security Plugin 1184.v85d16b_d851b_3 and Pipeline: Groovy Plugin 2803.v1a_f77ffcc773 intercept Groovy casts performed implicitly by the Groovy language runtime (CVE-2022-43401 in Script Security Plugin and CVE-2022-43402 in Pipeline: Groovy Plugin).\n- Script Security Plugin 1184.v85d16b_d851b_3 intercepts per-element casts when casting array-like values to array types (CVE-2022-43403).\n- Script Security Plugin 1184.v85d16b_d851b_3 rejects improper calls to sandbox-generated synthetic constructors (CVE-2022-43404).\n\nBoth plugins, Script Security Plugin and Pipeline: Groovy Plugin must be updated simultaneously. While Script Security Plugin could be updated independently, doing so would cause errors in Pipeline: Groovy Plugin due to an incompatible API change.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-43404.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-43404.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-43404", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00149", "scoring_system": "epss", "scoring_elements": "0.35167", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00149", "scoring_system": "epss", "scoring_elements": "0.35513", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00149", "scoring_system": "epss", "scoring_elements": "0.3547", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00149", "scoring_system": "epss", "scoring_elements": "0.35447", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00149", "scoring_system": "epss", "scoring_elements": "0.35487", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00149", "scoring_system": "epss", "scoring_elements": "0.35477", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00149", "scoring_system": "epss", "scoring_elements": "0.35425", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00149", "scoring_system": "epss", "scoring_elements": "0.3519", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00149", "scoring_system": "epss", "scoring_elements": "0.35525", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00149", "scoring_system": "epss", "scoring_elements": "0.3555", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00149", "scoring_system": "epss", "scoring_elements": "0.35432", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00149", "scoring_system": "epss", "scoring_elements": "0.35478", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00149", "scoring_system": "epss", "scoring_elements": "0.35503", "published_at": "2026-04-09T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-43404" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43404", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43404" }, { "reference_url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2022/10/19/3", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://www.openwall.com/lists/oss-security/2022/10/19/3" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136383", "reference_id": "2136383", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136383" }, { "reference_url": "https://github.com/advisories/GHSA-27rf-8mjp-r363", "reference_id": "GHSA-27rf-8mjp-r363", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-27rf-8mjp-r363" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:0560", "reference_id": "RHSA-2023:0560", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:0560" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:0777", "reference_id": "RHSA-2023:0777", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:0777" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:1064", "reference_id": "RHSA-2023:1064", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:1064" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:3198", "reference_id": "RHSA-2023:3198", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:3198" } ], "fixed_packages": [], "aliases": [ "CVE-2022-43404", "GHSA-27rf-8mjp-r363" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "8.9", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-pnge-tumu-v7e2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/16481?format=api", "vulnerability_id": "VCID-quvj-3tpk-qug1", "summary": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\nJenkins JUnit Plugin 1166.va_436e268e972 and earlier does not escape test case class names in JavaScript expressions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control test case class names in the JUnit resources processed by the plugin.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-25761.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-25761.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-25761", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0175", "scoring_system": "epss", "scoring_elements": "0.82618", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.0175", "scoring_system": "epss", "scoring_elements": "0.82521", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.0175", "scoring_system": "epss", "scoring_elements": "0.82517", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.0175", "scoring_system": "epss", "scoring_elements": "0.82543", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.0175", "scoring_system": "epss", "scoring_elements": "0.82551", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.0175", "scoring_system": "epss", "scoring_elements": "0.82569", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.0175", "scoring_system": "epss", "scoring_elements": "0.82562", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.0175", "scoring_system": "epss", "scoring_elements": "0.82557", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.0175", "scoring_system": "epss", "scoring_elements": "0.82593", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.0175", "scoring_system": "epss", "scoring_elements": "0.82597", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.0175", "scoring_system": "epss", "scoring_elements": "0.82503", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.0175", "scoring_system": "epss", "scoring_elements": "0.82628", "published_at": "2026-04-26T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-25761" }, { "reference_url": "https://github.com/jenkinsci/junit-plugin/commit/d6b8042a06de4aaaf0942ad79036095b853eea02", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/jenkinsci/junit-plugin/commit/d6b8042a06de4aaaf0942ad79036095b853eea02" }, { "reference_url": "https://www.jenkins.io/security/advisory/2023-02-15/#SECURITY-3032", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-19T15:36:40Z/" } ], "url": "https://www.jenkins.io/security/advisory/2023-02-15/#SECURITY-3032" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2023/02/15/4", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-19T15:36:40Z/" } ], "url": "http://www.openwall.com/lists/oss-security/2023/02/15/4" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2170039", "reference_id": "2170039", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2170039" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25761", "reference_id": "CVE-2023-25761", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25761" }, { "reference_url": "https://github.com/advisories/GHSA-ph74-8rgx-64c5", "reference_id": "GHSA-ph74-8rgx-64c5", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-ph74-8rgx-64c5" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:1866", "reference_id": "RHSA-2023:1866", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:1866" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:3195", "reference_id": "RHSA-2023:3195", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:3195" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:3198", "reference_id": "RHSA-2023:3198", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:3198" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:3299", "reference_id": "RHSA-2023:3299", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:3299" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:6171", "reference_id": "RHSA-2023:6171", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:6171" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:6172", "reference_id": "RHSA-2023:6172", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:6172" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:6179", "reference_id": "RHSA-2023:6179", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:6179" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:7288", "reference_id": "RHSA-2023:7288", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:7288" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:0775", "reference_id": "RHSA-2024:0775", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:0775" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:0776", "reference_id": "RHSA-2024:0776", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:0776" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:0777", "reference_id": "RHSA-2024:0777", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:0777" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:0778", "reference_id": "RHSA-2024:0778", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:0778" } ], "fixed_packages": [], "aliases": [ "CVE-2023-25761", "GHSA-ph74-8rgx-64c5" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-quvj-3tpk-qug1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/51755?format=api", "vulnerability_id": "VCID-rxtr-936k-h3cc", "summary": "Jenkins Pipeline: Stage View Plugin allows CSRF protection bypass of any target URL in Jenkins\nJenkins Pipeline: Stage View Plugin provides a visualization of Pipeline builds. It also allows users to interact with `input` steps from Pipeline: Input Step Plugin.\n\nPipeline: Stage View Plugin 2.26 and earlier does not correctly encode the ID of `input` steps when using it to generate URLs to proceed or abort Pipeline builds.\n\nThis allows attackers able to configure Pipelines to specify `input` step IDs resulting in URLs that would bypass the CSRF protection of any target URL in Jenkins.\n\nPipeline: Stage View Plugin 2.27 correctly encodes the ID of `input` steps when using it to generate URLs to proceed or abort Pipeline builds.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-43408.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.7", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-43408.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-43408", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.03395", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.03284", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.0341", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.03294", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.03359", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.03374", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.03378", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.03399", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.03357", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.03328", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.03307", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.03347", "published_at": "2026-04-02T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-43408" }, { "reference_url": "https://github.com/jenkinsci/pipeline-stage-view-plugin/commit/cee275109ee748fa9f599ec60159807a28a2933f", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/jenkinsci/pipeline-stage-view-plugin/commit/cee275109ee748fa9f599ec60159807a28a2933f" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43408", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43408" }, { "reference_url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2828", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N" }, { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-08T19:24:25Z/" } ], "url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2828" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2022/10/19/3", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N" }, { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-08T19:24:25Z/" } ], "url": "http://www.openwall.com/lists/oss-security/2022/10/19/3" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136388", "reference_id": "2136388", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136388" }, { "reference_url": "https://github.com/advisories/GHSA-g975-f26h-93g8", "reference_id": "GHSA-g975-f26h-93g8", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-g975-f26h-93g8" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:0560", "reference_id": "RHSA-2023:0560", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:0560" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:0777", "reference_id": "RHSA-2023:0777", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:0777" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:1064", "reference_id": "RHSA-2023:1064", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:1064" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:3198", "reference_id": "RHSA-2023:3198", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:3198" } ], "fixed_packages": [], "aliases": [ "CVE-2022-43408", "GHSA-g975-f26h-93g8" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-rxtr-936k-h3cc" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/51876?format=api", "vulnerability_id": "VCID-s839-rpta-6bej", "summary": "Jenkins Pipeline: Groovy Plugin allows sandbox protection bypass and arbitrary code execution\nA sandbox bypass vulnerability involving various casts performed implicitly by the Groovy language runtime in Jenkins Pipeline: Groovy Plugin 2802.v5ea_628154b_c2 and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM. Pipeline: Groovy Plugin 2803.v1a_f77ffcc773 intercepts Groovy casts performed implicitly by the Groovy language runtime", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-43402.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-43402.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-43402", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00091", "scoring_system": "epss", "scoring_elements": "0.25509", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00091", "scoring_system": "epss", "scoring_elements": "0.25705", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00091", "scoring_system": "epss", "scoring_elements": "0.25664", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00091", "scoring_system": "epss", "scoring_elements": "0.25607", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00091", "scoring_system": "epss", "scoring_elements": "0.25609", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00091", "scoring_system": "epss", "scoring_elements": "0.25593", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00091", "scoring_system": "epss", "scoring_elements": "0.25564", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00091", "scoring_system": "epss", "scoring_elements": "0.25517", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00091", "scoring_system": "epss", "scoring_elements": "0.25763", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00091", "scoring_system": "epss", "scoring_elements": "0.25805", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00091", "scoring_system": "epss", "scoring_elements": "0.25576", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00091", "scoring_system": "epss", "scoring_elements": "0.25648", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00091", "scoring_system": "epss", "scoring_elements": "0.25695", "published_at": "2026-04-09T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-43402" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43402", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43402" }, { "reference_url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2022/10/19/3", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://www.openwall.com/lists/oss-security/2022/10/19/3" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136379", "reference_id": "2136379", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136379" }, { "reference_url": "https://github.com/advisories/GHSA-mqc2-w9r8-mmxm", "reference_id": "GHSA-mqc2-w9r8-mmxm", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-mqc2-w9r8-mmxm" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:0560", "reference_id": "RHSA-2023:0560", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:0560" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:0777", "reference_id": "RHSA-2023:0777", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:0777" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:1064", "reference_id": "RHSA-2023:1064", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:1064" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:3198", "reference_id": "RHSA-2023:3198", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:3198" } ], "fixed_packages": [], "aliases": [ "CVE-2022-43402", "GHSA-mqc2-w9r8-mmxm" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-s839-rpta-6bej" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/51687?format=api", "vulnerability_id": "VCID-tx8n-nmhx-gqg1", "summary": "Sandbox bypass vulnerabilities in Jenkins Script Security Plugin and in Pipeline: Groovy Plugin\nScript Security Plugin provides a sandbox feature that allows low privileged users to define scripts, including Pipelines, that are generally safe to execute. Calls to code defined inside a sandboxed script are intercepted, and various allowlists are checked to determine whether the call is to be allowed.\n\nMultiple sandbox bypass vulnerabilities exist in Script Security Plugin and Pipeline: Groovy Plugin:\n\n- In Script Security Plugin 1183.v774b_0b_0a_a_451 and earlier and in Pipeline: Groovy Plugin 2802.v5ea_628154b_c2 and earlier, various casts performed implicitly by the Groovy language runtime were not intercepted by the sandbox. This includes casts performed when returning values from methods, when assigning local variables, fields, properties, and when defining default arguments for closure, constructor, and method parameters (CVE-2022-43401 in Script Security Plugin and CVE-2022-43402 in Pipeline: Groovy Plugin).\n- In Script Security Plugin 1183.v774b_0b_0a_a_451 and earlier, when casting an array-like value to an array type, per-element casts to the component type of the array are not intercepted by the sandbox (CVE-2022-43403).\n- In Script Security Plugin 1183.v774b_0b_0a_a_451 and earlier, crafted constructor bodies and calls to sandbox-generated synthetic constructors can be used to construct any subclassable type (due to an incomplete fix for SECURITY-1754 in the [2020-03-09 security advisory](https://www.jenkins.io/security/advisory/2020-03-09/#SECURITY-1754)) (CVE-2022-43404).\n\nThese vulnerabilities allow attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.\\n\\nThese vulnerabilities have been fixed:\n\n- Script Security Plugin 1184.v85d16b_d851b_3 and Pipeline: Groovy Plugin 2803.v1a_f77ffcc773 intercept Groovy casts performed implicitly by the Groovy language runtime (CVE-2022-43401 in Script Security Plugin and CVE-2022-43402 in Pipeline: Groovy Plugin).\n- Script Security Plugin 1184.v85d16b_d851b_3 intercepts per-element casts when casting array-like values to array types (CVE-2022-43403).\n- Script Security Plugin 1184.v85d16b_d851b_3 rejects improper calls to sandbox-generated synthetic constructors (CVE-2022-43404).\n\nBoth plugins, Script Security Plugin and Pipeline: Groovy Plugin must be updated simultaneously. While Script Security Plugin could be updated independently, doing so would cause errors in Pipeline: Groovy Plugin due to an incompatible API change.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-43401.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-43401.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-43401", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00184", "scoring_system": "epss", "scoring_elements": "0.39872", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00184", "scoring_system": "epss", "scoring_elements": "0.40175", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00184", "scoring_system": "epss", "scoring_elements": "0.40137", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00184", "scoring_system": "epss", "scoring_elements": "0.40118", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00184", "scoring_system": "epss", "scoring_elements": "0.40168", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00184", "scoring_system": "epss", "scoring_elements": "0.40139", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00184", "scoring_system": "epss", "scoring_elements": "0.40059", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00184", "scoring_system": "epss", "scoring_elements": "0.39888", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00184", "scoring_system": "epss", "scoring_elements": "0.40152", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00184", "scoring_system": "epss", "scoring_elements": "0.40178", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00184", "scoring_system": "epss", "scoring_elements": "0.401", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00184", "scoring_system": "epss", "scoring_elements": "0.40165", "published_at": "2026-04-09T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-43401" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43401", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43401" }, { "reference_url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2022/10/19/3", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://www.openwall.com/lists/oss-security/2022/10/19/3" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136381", "reference_id": "2136381", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136381" }, { "reference_url": "https://github.com/advisories/GHSA-7vr5-72w7-q6jc", "reference_id": "GHSA-7vr5-72w7-q6jc", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7vr5-72w7-q6jc" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:0560", "reference_id": "RHSA-2023:0560", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:0560" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:0777", "reference_id": "RHSA-2023:0777", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:0777" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:1064", "reference_id": "RHSA-2023:1064", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:1064" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:3198", "reference_id": "RHSA-2023:3198", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:3198" } ], "fixed_packages": [], "aliases": [ "CVE-2022-43401", "GHSA-7vr5-72w7-q6jc" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "8.9", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-tx8n-nmhx-gqg1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/57525?format=api", "vulnerability_id": "VCID-xq5k-dyk9-u3ct", "summary": "Cross Site Request Forgery in Jenkins Blue Ocean Plugin\nA cross-site request forgery (CSRF) vulnerability in Jenkins Blue Ocean Plugin 1.25.3 and earlier allows attackers to connect to an attacker-specified HTTP server. Blue Ocean Plugin 1.25.4 requires POST requests and the appropriate permissions for the affected HTTP endpoints.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-30953.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-30953.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-30953", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00081", "scoring_system": "epss", "scoring_elements": "0.24093", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00081", "scoring_system": "epss", "scoring_elements": "0.24133", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00107", "scoring_system": "epss", "scoring_elements": "0.2875", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00107", "scoring_system": "epss", "scoring_elements": "0.288", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00107", "scoring_system": "epss", "scoring_elements": "0.28824", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00107", "scoring_system": "epss", "scoring_elements": "0.28803", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00107", "scoring_system": "epss", "scoring_elements": "0.28782", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00107", "scoring_system": "epss", "scoring_elements": "0.28897", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00107", "scoring_system": "epss", "scoring_elements": "0.28891", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00107", "scoring_system": "epss", "scoring_elements": "0.2885", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00107", "scoring_system": "epss", "scoring_elements": "0.28853", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00107", "scoring_system": "epss", "scoring_elements": "0.28525", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00107", "scoring_system": "epss", "scoring_elements": "0.28638", "published_at": "2026-04-24T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-30953" }, { "reference_url": "https://github.com/jenkinsci/blueocean-plugin", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/jenkinsci/blueocean-plugin" }, { "reference_url": "https://github.com/jenkinsci/blueocean-plugin/commit/9f44b895d018c514d5dccc1f2190a2a029e58259", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/jenkinsci/blueocean-plugin/commit/9f44b895d018c514d5dccc1f2190a2a029e58259" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30953", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30953" }, { "reference_url": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2502", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2502" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2022/05/17/8", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://www.openwall.com/lists/oss-security/2022/05/17/8" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119646", "reference_id": "2119646", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119646" }, { "reference_url": "https://github.com/advisories/GHSA-hgpq-42pf-9vfq", "reference_id": "GHSA-hgpq-42pf-9vfq", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-hgpq-42pf-9vfq" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:0017", "reference_id": "RHSA-2023:0017", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:0017" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:0560", "reference_id": "RHSA-2023:0560", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:0560" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:0777", "reference_id": "RHSA-2023:0777", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:0777" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:3198", "reference_id": "RHSA-2023:3198", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:3198" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:3610", "reference_id": "RHSA-2023:3610", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:3610" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:3622", "reference_id": "RHSA-2023:3622", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:3622" } ], "fixed_packages": [], "aliases": [ "CVE-2022-30953", "GHSA-hgpq-42pf-9vfq" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-xq5k-dyk9-u3ct" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/16483?format=api", "vulnerability_id": "VCID-zxcj-h6nx-m7gq", "summary": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\nJenkins Pipeline: Build Step Plugin 2.18 and earlier does not escape job names in a JavaScript expression used in the Pipeline Snippet Generator, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control job names.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-25762.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-25762.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-25762", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.6532", "scoring_system": "epss", "scoring_elements": "0.98497", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.6532", "scoring_system": "epss", "scoring_elements": "0.98474", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.6532", "scoring_system": "epss", "scoring_elements": "0.98477", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.6532", "scoring_system": "epss", "scoring_elements": "0.98478", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.6532", "scoring_system": "epss", "scoring_elements": "0.98482", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.6532", "scoring_system": "epss", "scoring_elements": "0.98483", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.6532", "scoring_system": "epss", "scoring_elements": "0.98486", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.6532", "scoring_system": "epss", "scoring_elements": "0.98485", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.6532", "scoring_system": "epss", "scoring_elements": "0.98492", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.6532", "scoring_system": "epss", "scoring_elements": "0.98493", "published_at": "2026-04-21T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-25762" }, { "reference_url": "https://github.com/jenkinsci/pipeline-build-step-plugin", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/jenkinsci/pipeline-build-step-plugin" }, { "reference_url": "https://github.com/jenkinsci/pipeline-build-step-plugin/commit/0eaf88a695244ddb69d16c11b96659167dbead92", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/jenkinsci/pipeline-build-step-plugin/commit/0eaf88a695244ddb69d16c11b96659167dbead92" }, { "reference_url": "https://www.jenkins.io/security/advisory/2023-02-15/#SECURITY-3019", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-19T18:48:31Z/" } ], "url": "https://www.jenkins.io/security/advisory/2023-02-15/#SECURITY-3019" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2023/02/15/4", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-19T18:48:31Z/" } ], "url": "http://www.openwall.com/lists/oss-security/2023/02/15/4" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2170041", "reference_id": "2170041", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2170041" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25762", "reference_id": "CVE-2023-25762", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25762" }, { "reference_url": "https://github.com/advisories/GHSA-9j65-3f2q-8q2r", "reference_id": "GHSA-9j65-3f2q-8q2r", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-9j65-3f2q-8q2r" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:1866", "reference_id": "RHSA-2023:1866", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:1866" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:3195", "reference_id": "RHSA-2023:3195", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:3195" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:3198", "reference_id": "RHSA-2023:3198", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:3198" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:3299", "reference_id": "RHSA-2023:3299", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:3299" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:6171", "reference_id": "RHSA-2023:6171", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:6171" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:6172", "reference_id": "RHSA-2023:6172", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:6172" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:6179", "reference_id": "RHSA-2023:6179", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:6179" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:7288", "reference_id": "RHSA-2023:7288", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:7288" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:0775", "reference_id": "RHSA-2024:0775", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:0775" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:0776", "reference_id": "RHSA-2024:0776", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:0776" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:0777", "reference_id": "RHSA-2024:0777", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:0777" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:0778", "reference_id": "RHSA-2024:0778", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:0778" } ], "fixed_packages": [], "aliases": [ "CVE-2023-25762", "GHSA-9j65-3f2q-8q2r" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-zxcj-h6nx-m7gq" } ], "fixing_vulnerabilities": [], "risk_score": "10.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/jenkins-2-plugins@4.11.1683009941-1%3Farch=el8" }