Jenkins Git client Plugin 3.11.0 and earlier does not perform SSH host key verification when connecting to Git repositories via SSH, enabling man-in-the-middle attacks.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:0017 advisory.

  - http2-server: Invalid HTTP/2 requests cause DoS (CVE-2022-2048)

  - Pipeline Shared Groovy Libraries: Untrusted users can modify some Pipeline libraries in Pipeline Shared     Groovy Libraries Plugin (CVE-2022-29047)

  - Jenkins plugin: Sandbox bypass vulnerability through implicitly allowlisted platform Groovy files in     Pipeline: Groovy Plugin (CVE-2022-30945)

  - Jenkins plugin: CSRF vulnerability in Script Security Plugin (CVE-2022-30946)

  - Jenkins plugin: Mercurial SCM plugin can check out from the controller file system (CVE-2022-30948)

  - Jenkins plugin: User-scoped credentials exposed to other users by Pipeline SCM API for Blue Ocean Plugin     (CVE-2022-30952)

  - Jenkins plugin: CSRF vulnerability in Blue Ocean Plugin (CVE-2022-30953)

  - Jenkins plugin: missing permission checks in Blue Ocean Plugin (CVE-2022-30954)

  - jenkins: Observable timing discrepancy allows determining username validity (CVE-2022-34174)

  - jenkins-plugin/junit: Stored XSS vulnerability in JUnit Plugin (CVE-2022-34176)

  - jenkins-plugin: Arbitrary file write vulnerability in Pipeline Input Step Plugin (CVE-2022-34177)

  - jenkins-plugin: Man-in-the-Middle (MitM) in org.jenkins-ci.plugins:git-client (CVE-2022-36881)

  - jenkins-plugin: Cross-site Request Forgery (CSRF) in org.jenkins-ci.plugins:git (CVE-2022-36882)

  - jenkins plugin: Lack of authentication mechanism in Git Plugin webhook (CVE-2022-36883, CVE-2022-36884)

  - jenkins plugin: Non-constant time webhook signature comparison in GitHub Plugin (CVE-2022-36885)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Red Hat Enterprise Linux CoreOS 4 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:0017 advisory.

  - In Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error     handling has a bug that can wind up not properly cleaning up the active connections and associated     resources. This can lead to a Denial of Service scenario where there are no enough resources left to     process good requests. (CVE-2022-2048)

  - Jenkins Pipeline: Shared Groovy Libraries Plugin 564.ve62a_4eb_b_e039 and earlier, except 2.21.3, allows     attackers able to submit pull requests (or equivalent), but not able to commit directly to the configured     SCM, to effectively change the Pipeline behavior by changing the definition of a dynamically retrieved     library in their pull request, even if the Pipeline is configured to not trust them. (CVE-2022-29047)

  - Jenkins Pipeline: Groovy Plugin 2689.v434009a_31b_f1 and earlier allows loading any Groovy source files on     the classpath of Jenkins and Jenkins plugins in sandboxed pipelines. (CVE-2022-30945)

  - A cross-site request forgery (CSRF) vulnerability in Jenkins Script Security Plugin 1158.v7c1b_73a_69a_08     and earlier allows attackers to have Jenkins send an HTTP request to an attacker-specified webserver.
    (CVE-2022-30946)

  - Jenkins Mercurial Plugin 2.16 and earlier allows attackers able to configure pipelines to check out some     SCM repositories stored on the Jenkins controller's file system using local paths as SCM URLs, obtaining     limited information about other projects' SCM contents. (CVE-2022-30948)

  - Jenkins Pipeline SCM API for Blue Ocean Plugin 1.25.3 and earlier allows attackers with Job/Configure     permission to access credentials with attacker-specified IDs stored in the private per-user credentials     stores of any attacker-specified user in Jenkins. (CVE-2022-30952)

  - A cross-site request forgery (CSRF) vulnerability in Jenkins Blue Ocean Plugin 1.25.3 and earlier allows     attackers to connect to an attacker-specified HTTP server. (CVE-2022-30953)

  - Jenkins Blue Ocean Plugin 1.25.3 and earlier does not perform a permission check in several HTTP     endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified HTTP     server. (CVE-2022-30954)

  - In Jenkins 2.355 and earlier, LTS 2.332.3 and earlier, an observable timing discrepancy on the login form     allows distinguishing between login attempts with an invalid username, and login attempts with a valid     username and wrong password, when using the Jenkins user database security realm. (CVE-2022-34174)

  - Jenkins JUnit Plugin 1119.va_a_5e9068da_d7 and earlier does not escape descriptions of test results,     resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Run/Update     permission. (CVE-2022-34176)

  - Jenkins Pipeline: Input Step Plugin 448.v37cea_9a_10a_70 and earlier archives files uploaded for `file`     parameters for Pipeline `input` steps on the controller as part of build metadata, using the parameter     name without sanitization as a relative path inside a build-related directory, allowing attackers able to     configure Pipelines to create or replace arbitrary files on the Jenkins controller file system with     attacker-specified content. (CVE-2022-34177)

  - jenkins-plugin: Man-in-the-Middle (MitM) in org.jenkins-ci.plugins:git-client (CVE-2022-36881)

  - A cross-site request forgery (CSRF) vulnerability in Jenkins Git Plugin 4.11.3 and earlier allows     attackers to trigger builds of jobs configured to use an attacker-specified Git repository and to cause     them to check out an attacker-specified commit. (CVE-2022-36882)

  - A missing permission check in Jenkins Git Plugin 4.11.3 and earlier allows unauthenticated attackers to     trigger builds of jobs configured to use an attacker-specified Git repository and to cause them to check     out an attacker-specified commit. (CVE-2022-36883)

  - The webhook endpoint in Jenkins Git Plugin 4.11.3 and earlier provide unauthenticated attackers     information about the existence of jobs configured to use an attacker-specified Git repository.
    (CVE-2022-36884)

  - Jenkins GitHub Plugin 1.34.4 and earlier uses a non-constant time comparison function when checking     whether the provided and computed webhook signatures are equal, allowing attackers to use statistical     methods to obtain a valid webhook signature. (CVE-2022-36885)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2022:7865 advisory.

  - jenkins-plugin: Man-in-the-Middle (MitM) in org.jenkins-ci.plugins:git-client (CVE-2022-36881)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Jenkins Enterprise or Jenkins Operations Center running on the remote web server is 2.303.x prior to 2.303.30.0.15, or 2.x prior to 2.346.2.3. It is, therefore, affected by multiple vulnerabilities, including the following:

  - A cross-site request forgery (CSRF) vulnerability in Jenkins Git Plugin 4.11.3 and earlier allows     attackers to trigger builds of jobs configured to use an attacker-specified Git repository and to cause     them to check out an attacker-specified commit. (CVE-2022-36882)

  - Jenkins Deployer Framework Plugin 85.v1d1888e8c021 and earlier does not restrict the application path of     the applications when configuring a deployment, allowing attackers with Item/Configure permission to     upload arbitrary files from the Jenkins controller file system to the selected service. (CVE-2022-36889)

  - A cross-site request forgery (CSRF) vulnerability in Jenkins Coverity Plugin 1.11.4 and earlier allows     attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained     through another method, capturing credentials stored in Jenkins. (CVE-2022-36920)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
194338	RHEL 8 : OpenShift Container Platform 4.8.56 (RHSA-2023:0017)	Nessus	Red Hat Local Security Checks	high
189418	RHCOS 4 : OpenShift Container Platform 4.8.56 (RHSA-2023:0017)	Nessus	Red Hat Local Security Checks	high
170379	RHEL 8 : OpenShift Container Platform 4.10.41 (RHSA-2022:7865)	Nessus	Red Hat Local Security Checks	high
165764	Jenkins Enterprise and Operations Center 2.303.x < 2.303.30.0.15 / 2.346.2.3 Multiple Vulnerabilities (CloudBees Security Advisory 2022-07-27)	Nessus	CGI abuses	high

Detections

Analytics

CVE-2022-36881

high

Tenable Plugins

high

high

high

high