Package details
purl: pkg:rpm/redhat/jenkins-2-plugins@4.13.1706516346-1?arch=el8
Next non-vulnerable version: None
Latest non-vulnerable version: None
Risk: 10.0
Vulnerabilities affecting this package (8)

Each entry lists the vulnerability id, its aliases, the summary (weakness title followed by the advisory description) and the fixed-by versions.

VCID-5bu5-5b6n-nuft
  Aliases: CVE-2023-24422, GHSA-76qj-9gwh-pvv3
  Summary: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
  A sandbox bypass vulnerability involving map constructors in Jenkins Script Security Plugin 1228.vd93135a_2fb_25 and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.
  Fixed by: no reported fixed-by versions

VCID-955x-hg4a-5kc3
  Aliases: CVE-2023-37946, GHSA-rwg5-2pv9-633w
  Summary: Session Fixation
  Jenkins OpenShift Login Plugin 1.1.0.227.v27e08dfb_1a_20 and earlier does not invalidate the previous session on login.
  Fixed by: no reported fixed-by versions

VCID-j584-bgww-z7fw
  Aliases: CVE-2022-29599, GHSA-rhgr-952r-6p8q
  Summary: Command injection in Apache Maven maven-shared-utils
  In Apache Maven maven-shared-utils prior to version 3.3.3, the Commandline class can emit double-quoted strings without proper escaping, allowing shell injection attacks.
  Fixed by: no reported fixed-by versions

VCID-j986-mtma-b3bw
  Aliases: CVE-2022-42889, GHSA-599f-7c49-w659
  Summary: Arbitrary code execution in Apache Commons Text
  Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are:
    - "script": execute expressions using the JVM script execution engine (javax.script)
    - "dns": resolve dns records
    - "url": load values from urls, including from remote servers
  Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.
  Fixed by: no reported fixed-by versions

VCID-m3g5-ua28-afd2
  Aliases: CVE-2021-26291, GHSA-2f88-5hg8-9x2x
  Summary: Origin Validation Error in Apache Maven
  Apache Maven will follow repositories that are defined in a dependency's Project Object Model (pom), which may be surprising to some users, resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be that repository. Maven is changing the default behavior in 3.8.1+ to no longer follow http (non-SSL) repository references by default. More details are available in the referenced urls. If you are currently using a repository manager to govern the repositories used by your builds, you are unaffected by the risks present in the legacy behavior, and are unaffected by this vulnerability and change to default behavior. See this link for more information about repository management: https://maven.apache.org/repository-management.html
  Fixed by: no reported fixed-by versions

VCID-mm3e-4pej-byed
  Aliases: CVE-2022-25857, GHSA-3mc7-4q67-w48m
  Summary: Uncontrolled Resource Consumption in snakeyaml
  The package org.yaml:snakeyaml from 0 and before 1.31 is vulnerable to Denial of Service (DoS) due to a missing nested depth limitation for collections.
  Fixed by: no reported fixed-by versions

VCID-quvj-3tpk-qug1
  Aliases: CVE-2023-25761, GHSA-ph74-8rgx-64c5
  Summary: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  Jenkins JUnit Plugin 1166.va_436e268e972 and earlier does not escape test case class names in JavaScript expressions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control test case class names in the JUnit resources processed by the plugin.
  Fixed by: no reported fixed-by versions

VCID-zxcj-h6nx-m7gq
  Aliases: CVE-2023-25762, GHSA-9j65-3f2q-8q2r
  Summary: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  Jenkins Pipeline: Build Step Plugin 2.18 and earlier does not escape job names in a JavaScript expression used in the Pipeline Snippet Generator, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control job names.
  Fixed by: no reported fixed-by versions
Vulnerabilities fixed by this package (0)
  This package is not known to fix vulnerabilities.

Package history

Date                             | Actor           | Action      | Vulnerability       | Source                                                                              | VulnerableCode Version
---------------------------------|-----------------|-------------|---------------------|-------------------------------------------------------------------------------------|-----------------------
2026-04-01T14:06:43.244688+00:00 | RedHat Importer | Affected by | VCID-j584-bgww-z7fw | https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-29599.json           | 38.0.0
2026-04-01T14:02:24.500809+00:00 | RedHat Importer | Affected by | VCID-m3g5-ua28-afd2 | https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-26291.json           | 38.0.0
2026-04-01T13:57:18.714174+00:00 | RedHat Importer | Affected by | VCID-mm3e-4pej-byed | https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-25857.json           | 38.0.0
2026-04-01T13:56:44.016178+00:00 | RedHat Importer | Affected by | VCID-j986-mtma-b3bw | https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-42889.json           | 38.0.0
2026-04-01T13:55:39.063119+00:00 | RedHat Importer | Affected by | VCID-5bu5-5b6n-nuft | https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-24422.json           | 38.0.0
2026-04-01T13:55:18.507047+00:00 | RedHat Importer | Affected by | VCID-zxcj-h6nx-m7gq | https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-25762.json           | 38.0.0
2026-04-01T13:55:18.153918+00:00 | RedHat Importer | Affected by | VCID-quvj-3tpk-qug1 | https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-25761.json           | 38.0.0
2026-04-01T13:53:27.959717+00:00 | RedHat Importer | Affected by | VCID-955x-hg4a-5kc3 | https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-37946.json           | 38.0.0