| Field | Value |
|---|---|
| purl | pkg:rpm/redhat/jenkins-2-plugins@4.12.1740464689-1?arch=el8 |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk | 4.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-fcg2-x3s5-wudk (Aliases: CVE-2024-47072, GHSA-hfq9-hggm-c56q) | XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated binary input stream. Impact: The vulnerability may allow a remote attacker to terminate the application with a stack overflow error, resulting in a denial of service, only by manipulating the processed input stream when XStream is configured to use the BinaryStreamDriver. Patches: XStream 1.4.21 detects the manipulation in the binary input stream causing the stack overflow and raises an InputManipulationException instead. Workarounds: The only solution is to catch the StackOverflowError in the client code calling XStream if XStream is configured to use the BinaryStreamDriver. References: See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2024-47072](https://x-stream.github.io/CVE-2024-47072.html). Credits: Alexis Challande of Trail Of Bits found and reported the issue to XStream and provided the required information to reproduce it. | There are no reported fixed by versions. |
| VCID-g6p1-25m8-hyak (Aliases: CVE-2024-47855, GHSA-wwcp-26wc-3fxm) | JSON-lib mishandles an unbalanced comment string. util/JSONTokener.java in JSON-lib before 3.1.0 mishandles an unbalanced comment string. | There are no reported fixed by versions. |
| VCID-napj-3e58-nqav (Aliases: CVE-2024-52550, GHSA-mrpr-vr82-x88r) | Rebuilding a run with revoked script approval allowed by Jenkins Pipeline: Groovy Plugin. Jenkins Pipeline: Groovy Plugin 3990.vd281dd77a_388 and earlier, except 3975.3977.v478dd9e956c3, does not check whether the main (Jenkinsfile) script for a rebuilt build is approved, allowing attackers with Item/Build permission to rebuild a previous build whose (Jenkinsfile) script is no longer approved. Pipeline: Groovy Plugin 3993.v3e20a_37282f8 refuses to rebuild a build whose main (Jenkinsfile) script is unapproved. | There are no reported fixed by versions. |
| VCID-pgad-nzjx-kkb5 (Aliases: CVE-2024-45339, GHSA-6wxm-mpqj-6jpf) | Insecure Temporary File usage in github.com/golang/glog. When logs are written to a widely-writable directory (the default), an unprivileged attacker may predict a privileged process's log file path and pre-create a symbolic link to a sensitive file in its place. When that privileged process runs, it will follow the planted symlink and overwrite that sensitive file. To fix that, glog now causes the program to exit (with status code 2) when it finds that the configured log file already exists. | There are no reported fixed by versions. |
| VCID-rx46-cr1m-uuge (Aliases: CVE-2024-52549, GHSA-jv82-75fh-23r7) | Missing permission check in Jenkins Script Security Plugin. Jenkins Script Security Plugin 1367.vdf2fc45f229c and earlier, except 1365.1367.va_3b_b_89f8a_95b_ and 1362.1364.v4cf2dc5d8776, does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read permission to check for the existence of files on the controller file system. Script Security Plugin 1368.vb_b_402e3547e7 requires Overall/Administer permission for the affected form validation method. | There are no reported fixed by versions. |
| VCID-ufjq-w47y-3qeq (Aliases: CVE-2024-52551, GHSA-p2qq-c693-q53w) | Restarting a run with revoked script approval allowed by Jenkins Pipeline: Declarative Plugin. Jenkins Pipeline: Declarative Plugin 2.2214.vb_b_34b_2ea_9b_83 and earlier does not check whether the main (Jenkinsfile) script used to restart a build from a specific stage is approved, allowing attackers with Item/Build permission to restart a previous build whose (Jenkinsfile) script is no longer approved. Pipeline: Declarative Plugin 2.2218.v56d0cda_37c72 refuses to restart a build whose main (Jenkinsfile) script is unapproved. | There are no reported fixed by versions. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | | |