Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:rpm/redhat/jenkins-2-plugins@4.13.1684911916-1?arch=el8
purl pkg:rpm/redhat/jenkins-2-plugins@4.13.1684911916-1?arch=el8
Next non-vulnerable version None.
Latest non-vulnerable version None.
Risk 10.0
Vulnerabilities affecting this package (7)
Vulnerability Summary Fixed by
VCID-5bu5-5b6n-nuft
Aliases:
CVE-2023-24422
GHSA-76qj-9gwh-pvv3
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') A sandbox bypass vulnerability involving map constructors in Jenkins Script Security Plugin 1228.vd93135a_2fb_25 and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM. There are no reported fixed by versions.
VCID-j986-mtma-b3bw
Aliases:
CVE-2022-42889
GHSA-599f-7c49-w659
Arbitrary code execution in Apache Commons Text Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: - "script" - execute expressions using the JVM script execution engine (javax.script) - "dns" - resolve dns records - "url" - load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default. There are no reported fixed by versions.
VCID-nfjb-tkzv-fudg
Aliases:
CVE-2022-25647
GHSA-4jrv-ppp4-jm57
The package com.google.code.gson:gson before 2.8.9 is vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks. There are no reported fixed by versions.
VCID-pwtj-az3g-zka3
Aliases:
CVE-2020-7692
GHSA-f263-c949-w85g
Improper Authorization in Google OAuth Client PKCE support is not implemented in accordance with the RFC for OAuth 2.0 for Native Apps. Without the use of PKCE, the authorization code returned by an authorization server is not enough to guarantee that the client that issued the initial authorization request is the one that will be authorized. An attacker is able to obtain the authorization code using a malicious app on the client-side and use it to gain authorization to the protected resource. This affects the package com.google.oauth-client:google-oauth-client before 1.31.0. There are no reported fixed by versions.
VCID-quvj-3tpk-qug1
Aliases:
CVE-2023-25761
GHSA-ph74-8rgx-64c5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Jenkins JUnit Plugin 1166.va_436e268e972 and earlier does not escape test case class names in JavaScript expressions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control test case class names in the JUnit resources processed by the plugin. There are no reported fixed by versions.
VCID-wj5y-g7z1-9qam
Aliases:
CVE-2021-4178
GHSA-98g7-rxmf-rrxm
GMS-2022-2960
fabric8 kubernetes-client vulnerable fabric8 Kubernetes client had an arbitrary code execution flaw in versions 5.0.0-beta-1 and higher. Attackers could potentially insert malicious YAMLs due to misconfigured YAML parsing. There are no reported fixed by versions.
VCID-zxcj-h6nx-m7gq
Aliases:
CVE-2023-25762
GHSA-9j65-3f2q-8q2r
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Jenkins Pipeline: Build Step Plugin 2.18 and earlier does not escape job names in a JavaScript expression used in the Pipeline Snippet Generator, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control job names. There are no reported fixed by versions.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-01T14:05:56.363421+00:00 RedHat Importer Affected by VCID-pwtj-az3g-zka3 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-7692.json 38.0.0
2026-04-01T14:00:35.890306+00:00 RedHat Importer Affected by VCID-wj5y-g7z1-9qam https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-4178.json 38.0.0
2026-04-01T13:58:46.763250+00:00 RedHat Importer Affected by VCID-nfjb-tkzv-fudg https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-25647.json 38.0.0
2026-04-01T13:56:43.387860+00:00 RedHat Importer Affected by VCID-j986-mtma-b3bw https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-42889.json 38.0.0
2026-04-01T13:55:39.091838+00:00 RedHat Importer Affected by VCID-5bu5-5b6n-nuft https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-24422.json 38.0.0
2026-04-01T13:55:18.533861+00:00 RedHat Importer Affected by VCID-zxcj-h6nx-m7gq https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-25762.json 38.0.0
2026-04-01T13:55:18.185661+00:00 RedHat Importer Affected by VCID-quvj-3tpk-qug1 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-25761.json 38.0.0