Search for packages
| purl | pkg:rpm/redhat/jenkins-2-plugins@4.12.1730119231-1?arch=el8 |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk | 4.4 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1bh8-3gb1-4ben
Aliases: CVE-2024-38808 GHSA-9cmq-m9j5-mvww |
Spring Framework vulnerable to Denial of Service In Spring Framework versions 5.3.0 - 5.3.38 and older unsupported versions, it is possible for a user to provide a specially crafted Spring Expression Language (SpEL) expression that may cause a denial of service (DoS) condition. Older, unsupported versions are also affected. Specifically, an application is vulnerable when the following is true: * The application evaluates user-supplied SpEL expressions. | There are no reported fixed by versions. |
|
VCID-jarz-xtnw-ufbz
Aliases: CVE-2024-47803 GHSA-pj95-ph4q-4qm4 |
Jenkins exposes multi-line secrets through error messages Jenkins Jenkins provides the `secretTextarea` form field for multi-line secrets. Jenkins 2.478 and earlier, LTS 2.462.2 and earlier does not redact multi-line secret values in error messages generated for form submissions involving the `secretTextarea` form field. This can result in exposure of multi-line secrets through those error messages, e.g., in the system log. Jenkins 2.479, LTS 2.462.3 redacts multi-line secret values in error messages generated for form submissions involving the `secretTextarea` form field. | There are no reported fixed by versions. |
|
VCID-mkf8-a5k3-83fs
Aliases: CVE-2021-44549 GHSA-c69w-jj56-834w |
Improper Certificate Validation Apache Sling Commons Messaging Mail provides a simple layer on top of JavaMail/Jakarta Mail for OSGi to send mails via SMTPS. To reduce the risk of "man in the middle" attacks additional server identity checks must be performed when accessing mail servers. For compatibility reasons these additional checks are disabled by default in JavaMail/Jakarta Mail. The SimpleMailService in Apache Sling Commons Messaging Mail 1.0 lacks an option to enable these checks for the shared mail session. A user could enable these checks nevertheless by accessing the session via the message created by SimpleMessageBuilder and setting the property mail.smtps.ssl.checkserveridentity to true. Apache Sling Commons Messaging Mail 2.0 adds support for enabling server identity checks and these checks are enabled by default. - https://javaee.github.io/javamail/docs/SSLNOTES.txt - https://javaee.github.io/javamail/docs/api/com/sun/mail/smtp/package-summary.html - https://github.com/eclipse-ee4j/mail/issues/429 | There are no reported fixed by versions. |
|
VCID-qnbx-c635-hqer
Aliases: CVE-2024-34144 GHSA-v63g-v339-2673 |
Jenkins Script Security Plugin has sandbox bypass vulnerability involving crafted constructor bodies Jenkins Script Security Plugin provides a sandbox feature that allows low privileged users to define scripts, including Pipelines, that are generally safe to execute. Calls to code defined inside a sandboxed script are intercepted, and various allowlists are checked to determine whether the call is to be allowed. Multiple sandbox bypass vulnerabilities exist in Script Security Plugin 1335.vf07d9ce377a_e and earlier: - Crafted constructor bodies that invoke other constructors can be used to construct any subclassable type via implicit casts. - Sandbox-defined Groovy classes that shadow specific non-sandbox-defined classes can be used to construct any subclassable type. These vulnerabilities allow attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM. - These issues are caused by an incomplete fix of [SECURITY-2824](https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)). Script Security Plugin 1336.vf33a_a_9863911 has additional restrictions and sanity checks to ensure that super constructors cannot be constructed without being intercepted by the sandbox: - Calls to to other constructors using this are now intercepted by the sandbox. - Classes in packages that can be shadowed by Groovy-defined classes are no longer ignored by the sandbox when intercepting super constructor calls. | There are no reported fixed by versions. |
|
VCID-vpxs-mxz3-xqch
Aliases: CVE-2024-47804 GHSA-f9qj-77q2-h5c5 |
Jenkins item creation restriction bypass vulnerability Jenkins provides APIs for fine-grained control of item creation: - Authorization strategies can prohibit the creation of items of a given type in a given item group (`ACL#hasCreatePermission2`). - Item types can prohibit creation of new instances in a given item group (`TopLevelItemDescriptor#isApplicableIn(ItemGroup)`). If an attempt is made to create an item of a prohibited type through the Jenkins CLI or the REST API and either of the above checks fail, Jenkins 2.478 and earlier, LTS 2.462.2 and earlier creates the item in memory, only deleting it from disk. This allows attackers with Item/Create permission to bypass these restrictions, creating a temporary item. With Item/Configure permission, they can also save the item to persist it. If an attempt is made to create an item of a prohibited type through the Jenkins CLI or the REST API and either of the above checks fail, Jenkins 2.479, LTS 2.462.3 does not retain the item in memory. | There are no reported fixed by versions. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-04-01T13:51:15.701544+00:00 | RedHat Importer | Affected by | VCID-mkf8-a5k3-83fs | https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-44549.json | 38.0.0 |
| 2026-04-01T13:47:54.868026+00:00 | RedHat Importer | Affected by | VCID-qnbx-c635-hqer | https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-34144.json | 38.0.0 |
| 2026-04-01T13:45:39.908168+00:00 | RedHat Importer | Affected by | VCID-1bh8-3gb1-4ben | https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-38808.json | 38.0.0 |
| 2026-04-01T13:44:51.796831+00:00 | RedHat Importer | Affected by | VCID-jarz-xtnw-ufbz | https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-47803.json | 38.0.0 |
| 2026-04-01T13:44:51.615472+00:00 | RedHat Importer | Affected by | VCID-vpxs-mxz3-xqch | https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-47804.json | 38.0.0 |