VulnerableCode Package Details - pkg:rpm/redhat/jenkins-2-plugins@4.15.1729838165-1?arch=el8

Search for packages

Vulnerability	Summary	Fixed by
VCID-1bh8-3gb1-4ben Aliases: CVE-2024-38808 GHSA-9cmq-m9j5-mvww	Spring Framework vulnerable to Denial of Service In Spring Framework versions 5.3.0 - 5.3.38 and older unsupported versions, it is possible for a user to provide a specially crafted Spring Expression Language (SpEL) expression that may cause a denial of service (DoS) condition. Older, unsupported versions are also affected. Specifically, an application is vulnerable when the following is true: * The application evaluates user-supplied SpEL expressions.	There are no reported fixed by versions.
VCID-jarz-xtnw-ufbz Aliases: CVE-2024-47803 GHSA-pj95-ph4q-4qm4	Jenkins exposes multi-line secrets through error messages Jenkins Jenkins provides the `secretTextarea` form field for multi-line secrets. Jenkins 2.478 and earlier, LTS 2.462.2 and earlier does not redact multi-line secret values in error messages generated for form submissions involving the `secretTextarea` form field. This can result in exposure of multi-line secrets through those error messages, e.g., in the system log. Jenkins 2.479, LTS 2.462.3 redacts multi-line secret values in error messages generated for form submissions involving the `secretTextarea` form field.	There are no reported fixed by versions.
VCID-mkf8-a5k3-83fs Aliases: CVE-2021-44549 GHSA-c69w-jj56-834w	Improper Certificate Validation Apache Sling Commons Messaging Mail provides a simple layer on top of JavaMail/Jakarta Mail for OSGi to send mails via SMTPS. To reduce the risk of "man in the middle" attacks additional server identity checks must be performed when accessing mail servers. For compatibility reasons these additional checks are disabled by default in JavaMail/Jakarta Mail. The SimpleMailService in Apache Sling Commons Messaging Mail 1.0 lacks an option to enable these checks for the shared mail session. A user could enable these checks nevertheless by accessing the session via the message created by SimpleMessageBuilder and setting the property mail.smtps.ssl.checkserveridentity to true. Apache Sling Commons Messaging Mail 2.0 adds support for enabling server identity checks and these checks are enabled by default. - https://javaee.github.io/javamail/docs/SSLNOTES.txt - https://javaee.github.io/javamail/docs/api/com/sun/mail/smtp/package-summary.html - https://github.com/eclipse-ee4j/mail/issues/429	There are no reported fixed by versions.
VCID-vpxs-mxz3-xqch Aliases: CVE-2024-47804 GHSA-f9qj-77q2-h5c5	Jenkins item creation restriction bypass vulnerability Jenkins provides APIs for fine-grained control of item creation: - Authorization strategies can prohibit the creation of items of a given type in a given item group (`ACL#hasCreatePermission2`). - Item types can prohibit creation of new instances in a given item group (`TopLevelItemDescriptor#isApplicableIn(ItemGroup)`). If an attempt is made to create an item of a prohibited type through the Jenkins CLI or the REST API and either of the above checks fail, Jenkins 2.478 and earlier, LTS 2.462.2 and earlier creates the item in memory, only deleting it from disk. This allows attackers with Item/Create permission to bypass these restrictions, creating a temporary item. With Item/Configure permission, they can also save the item to persist it. If an attempt is made to create an item of a prohibited type through the Jenkins CLI or the REST API and either of the above checks fail, Jenkins 2.479, LTS 2.462.3 does not retain the item in memory.	There are no reported fixed by versions.

Vulnerability

Summary

Fixed by

VCID-1bh8-3gb1-4ben
Aliases:
CVE-2024-38808
GHSA-9cmq-m9j5-mvww

Spring Framework vulnerable to Denial of Service In Spring Framework versions 5.3.0 - 5.3.38 and older unsupported versions, it is possible for a user to provide a specially crafted Spring Expression Language (SpEL) expression that may cause a denial of service (DoS) condition. Older, unsupported versions are also affected. Specifically, an application is vulnerable when the following is true: * The application evaluates user-supplied SpEL expressions.

There are no reported fixed by versions.

VCID-jarz-xtnw-ufbz
Aliases:
CVE-2024-47803
GHSA-pj95-ph4q-4qm4

Jenkins exposes multi-line secrets through error messages Jenkins Jenkins provides the `secretTextarea` form field for multi-line secrets. Jenkins 2.478 and earlier, LTS 2.462.2 and earlier does not redact multi-line secret values in error messages generated for form submissions involving the `secretTextarea` form field. This can result in exposure of multi-line secrets through those error messages, e.g., in the system log. Jenkins 2.479, LTS 2.462.3 redacts multi-line secret values in error messages generated for form submissions involving the `secretTextarea` form field.

There are no reported fixed by versions.

VCID-mkf8-a5k3-83fs
Aliases:
CVE-2021-44549
GHSA-c69w-jj56-834w

Improper Certificate Validation Apache Sling Commons Messaging Mail provides a simple layer on top of JavaMail/Jakarta Mail for OSGi to send mails via SMTPS. To reduce the risk of "man in the middle" attacks additional server identity checks must be performed when accessing mail servers. For compatibility reasons these additional checks are disabled by default in JavaMail/Jakarta Mail. The SimpleMailService in Apache Sling Commons Messaging Mail 1.0 lacks an option to enable these checks for the shared mail session. A user could enable these checks nevertheless by accessing the session via the message created by SimpleMessageBuilder and setting the property mail.smtps.ssl.checkserveridentity to true. Apache Sling Commons Messaging Mail 2.0 adds support for enabling server identity checks and these checks are enabled by default. - https://javaee.github.io/javamail/docs/SSLNOTES.txt - https://javaee.github.io/javamail/docs/api/com/sun/mail/smtp/package-summary.html - https://github.com/eclipse-ee4j/mail/issues/429

There are no reported fixed by versions.

VCID-vpxs-mxz3-xqch
Aliases:
CVE-2024-47804
GHSA-f9qj-77q2-h5c5

Jenkins item creation restriction bypass vulnerability Jenkins provides APIs for fine-grained control of item creation: - Authorization strategies can prohibit the creation of items of a given type in a given item group (`ACL#hasCreatePermission2`). - Item types can prohibit creation of new instances in a given item group (`TopLevelItemDescriptor#isApplicableIn(ItemGroup)`). If an attempt is made to create an item of a prohibited type through the Jenkins CLI or the REST API and either of the above checks fail, Jenkins 2.478 and earlier, LTS 2.462.2 and earlier creates the item in memory, only deleting it from disk. This allows attackers with Item/Create permission to bypass these restrictions, creating a temporary item. With Item/Configure permission, they can also save the item to persist it. If an attempt is made to create an item of a prohibited type through the Jenkins CLI or the REST API and either of the above checks fail, Jenkins 2.479, LTS 2.462.3 does not retain the item in memory.

There are no reported fixed by versions.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-01T13:51:15.837856+00:00	RedHat Importer	Affected by	VCID-mkf8-a5k3-83fs	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-44549.json	38.0.0
2026-04-01T13:45:40.037958+00:00	RedHat Importer	Affected by	VCID-1bh8-3gb1-4ben	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-38808.json	38.0.0
2026-04-01T13:44:51.938002+00:00	RedHat Importer	Affected by	VCID-jarz-xtnw-ufbz	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-47803.json	38.0.0
2026-04-01T13:44:51.762352+00:00	RedHat Importer	Affected by	VCID-vpxs-mxz3-xqch	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-47804.json	38.0.0