Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:rpm/redhat/golang-github-openshift-oauth-proxy@3.11.170-1.git.1.b49be83?arch=el7
purl pkg:rpm/redhat/golang-github-openshift-oauth-proxy@3.11.170-1.git.1.b49be83?arch=el7
Next non-vulnerable version None.
Latest non-vulnerable version None.
Risk 10.0
Vulnerabilities affecting this package (8)
Vulnerability Summary Fixed by
VCID-3s9f-prpy-hbcx
Aliases:
CVE-2019-11358
GHSA-6c3j-c64m-qhgq
Cross-site Scripting The jQuery library, which is included in rdoc, mishandles `jQuery.extend(true, {}, ...)` because of Object.prototype pollution. If an unsanitized source object contained an enumerable `__proto__` property, it could extend the native `Object.prototype.` There are no reported fixed by versions.
VCID-at4v-19pn-wqf2
Aliases:
CVE-2020-2105
GHSA-7xp8-7wqx-5hqx
Jenkins REST APIs vulnerable to clickjacking Jenkins 2.218 and earlier, LTS 2.204.1 and earlier does not serve the `X-Frame-Options: deny` HTTP header on REST API responses to protect against clickjacking attacks. An attacker could exploit this by routing the victim through a specially crafted web page that embeds a REST API endpoint in an iframe and tricking the user into performing an action which would allow for the attacker to learn the content of that REST API endpoint. Jenkins 2.219, LTS 2.204.2 now adds the `X-Frame-Options: deny` HTTP header to REST API responses, which prevents these types of clickjacking attacks. There are no reported fixed by versions.
VCID-kvq9-4uqu-pfah
Aliases:
CVE-2020-2100
GHSA-gpxv-776p-7gc7
Jenkins vulnerable to UDP amplification reflection attack Jenkins 2.218 and earlier, LTS 2.204.1 and earlier supports two network discovery services (UDP multicast/broadcast and DNS multicast) by default. The UDP multicast/broadcast service can be used in an amplification reflection attack, as very few bytes sent to the respective endpoint result in much larger responses: A single byte request to this service would respond with more than 100 bytes of Jenkins metadata which could be used in a DDoS attack on a Jenkins controller. Within the same network, spoofed UDP packets could also be sent to make two Jenkins controllers go into an infinite loop of replies to one another, thus causing a denial of service. Jenkins 2.219, LTS 2.204.2 now disables both UDP multicast/broadcast and DNS multicast by default. Administrators that need these features can re-enable them again by setting the system property `hudson.DNSMultiCast.disabled` to `false` (for DNS multicast) or the system property `hudson.udp` to `33848`, or another port (for UDP broadcast/multicast). These are the same system properties that controlled whether these features were enabled in the past, so any instances explicitly enabling these features by setting these system properties will continue to have them enabled. There are no reported fixed by versions.
VCID-qg4r-a3xt-kfbh
Aliases:
CVE-2020-2104
GHSA-r78q-qgx6-64pp
Memory usage graphs accessible to anyone with Overall/Read Jenkins includes a feature that shows a JVM memory usage chart for the Jenkins controller. Access to the chart in Jenkins 2.218 and earlier, LTS 2.204.1 and earlier requires no permissions beyond the general Overall/Read, allowing users who are not administrators to view JVM memory usage data. Jenkins 2.219, LTS 2.204.2 now requires Overall/Administer permissions to view the JVM memory usage chart. There are no reported fixed by versions.
VCID-s9rq-3bpy-83fu
Aliases:
CVE-2020-2102
GHSA-fj6f-6933-839j
Non-constant time HMAC comparison Jenkins 2.218 and earlier, LTS 2.204.1 and earlier does not use a constant-time comparison when checking whether two HMACs are equal. This could potentially allow attackers to use statistical methods to obtain a valid HMAC for an attacker-controlled input value. Jenkins 2.219, LTS 2.204.2 now uses a constant-time comparison when validating HMACs. There are no reported fixed by versions.
VCID-sejb-9wh7-k7c4
Aliases:
CVE-2020-2103
GHSA-4jjj-cm7q-v6hr
Jenkins Diagnostic page exposed session cookies Jenkins shows various technical details about the current user on the `/whoAmI` page. In [a previous fix](https://www.jenkins.io/security/advisory/2019-09-25/#SECURITY-1505), the `Cookie` header value containing the HTTP session ID was redacted. However, user metadata shown on this page could also include the HTTP session ID in Jenkins 2.218 and earlier, LTS 2.204.1 and earlier. This allows attackers able to exploit a cross-site scripting vulnerability to obtain the HTTP session ID value from this page. Jenkins 2.219, LTS 2.204.2 no longer prints out the affected user metadata that might contain the HTTP session ID. Additionally, we also redact values of further authentication-related HTTP headers in addition to `Cookie` on this page as a hardening. There are no reported fixed by versions.
VCID-t8f3-q2yk-gqfk
Aliases:
CVE-2020-2101
GHSA-w7jr-wqw6-54xc
Non-constant time comparison of inbound TCP agent connection secret Jenkins 2.218 and earlier, LTS 2.204.1 and earlier does not use a constant-time comparison validating the connection secret when an inbound TCP agent connection is initiated. This could potentially allow attackers to use statistical methods to obtain the connection secret. Jenkins 2.219, LTS 2.204.2 now uses a constant-time comparison function for verifying connection secrets. There are no reported fixed by versions.
VCID-urd7-cve7-dqdk
Aliases:
CVE-2020-2099
GHSA-qp4f-2w67-c8hw
Inbound TCP Agent Protocol/3 authentication bypass in Jenkins Jenkins 2.213 and earlier, LTS 2.204.1 and earlier includes support for the Inbound TCP Agent Protocol/3 for communication between controller and agents. While [this protocol has been deprecated in 2018](https://www.jenkins.io/changelog-old/#v2.128) and was recently removed from Jenkins in 2.214, it could still easily be enabled in Jenkins LTS 2.204.1, 2.213, and older. This protocol incorrectly reuses encryption parameters which allow an unauthenticated remote attacker to determine the connection secret. This secret can then be used to connect attacker-controlled Jenkins agents to the Jenkins controller. Jenkins 2.204.2 no longer allows for the use of Inbound TCP Agent Protocol/3 by default. The system property `jenkins.slaves.JnlpSlaveAgentProtocol3.ALLOW_UNSAFE` can be set to `true` to allow enabling the Inbound TCP Agent Protocol/3 in Jenkins 2.204.2, but doing so is strongly discouraged. Inbound TCP Agent Protocol/3 was removed completely from Jenkins 2.214 and will not be part of Jenkins LTS after the end of the 2.204.x line. There are no reported fixed by versions.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-01T14:20:41.871801+00:00 RedHat Importer Affected by VCID-3s9f-prpy-hbcx https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-11358.json 38.0.0
2026-04-01T14:13:02.341564+00:00 RedHat Importer Affected by VCID-kvq9-4uqu-pfah https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-2100.json 38.0.0
2026-04-01T14:13:01.976523+00:00 RedHat Importer Affected by VCID-t8f3-q2yk-gqfk https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-2101.json 38.0.0
2026-04-01T14:13:01.649559+00:00 RedHat Importer Affected by VCID-urd7-cve7-dqdk https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-2099.json 38.0.0
2026-04-01T14:13:01.323031+00:00 RedHat Importer Affected by VCID-s9rq-3bpy-83fu https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-2102.json 38.0.0
2026-04-01T14:13:00.985692+00:00 RedHat Importer Affected by VCID-at4v-19pn-wqf2 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-2105.json 38.0.0
2026-04-01T14:13:00.649002+00:00 RedHat Importer Affected by VCID-qg4r-a3xt-kfbh https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-2104.json 38.0.0
2026-04-01T14:13:00.317384+00:00 RedHat Importer Affected by VCID-sejb-9wh7-k7c4 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-2103.json 38.0.0