Jenkins Pipeline: Input Step Plugin 451.vf1a_a_4f405289 and earlier does not restrict or sanitize the optionally specified ID of the 'input' step, which is used for the URLs that process user interactions for the given 'input' step (proceed or abort) and is not correctly encoded, allowing attackers able to configure Pipelines to have Jenkins build URLs from 'input' step IDs that would bypass the CSRF protection of any target URL in Jenkins when the 'input' step is interacted with.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:3198 advisory.

  - maven: Block repositories using http by default (CVE-2021-26291)

  - SnakeYaml: Constructor Deserialization Remote Code Execution (CVE-2022-1471)

  - snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)

  - maven-shared-utils: Command injection via Commandline class (CVE-2022-29599)

  - Jenkins plugin: CSRF vulnerability in Blue Ocean Plugin (CVE-2022-30953)

  - Jenkins plugin: missing permission checks in Blue Ocean Plugin (CVE-2022-30954)

  - apache-commons-text: variable interpolation RCE (CVE-2022-42889)

  - jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin     (CVE-2022-43401, CVE-2022-43403, CVE-2022-43404)

  - jenkins-plugin/workflow-cps: Sandbox bypass vulnerabilities in Pipeline: Groovy Plugin (CVE-2022-43402)

  - jenkins-plugin/pipeline-groovy-lib: Sandbox bypass vulnerability in Pipeline: Groovy Libraries Plugin     (CVE-2022-43405)

  - jenkins-plugin/workflow-cps-global-lib: Sandbox bypass vulnerability in Pipeline: Deprecated Groovy     Libraries Plugin (CVE-2022-43406)

  - jenkins-plugin/pipeline-input-step: CSRF protection for any URL can be bypassed in Pipeline: Input Step     Plugin (CVE-2022-43407)

  - jenkins-plugin/pipeline-stage-view: CSRF protection for any URL can be bypassed in Pipeline: Stage View     Plugin (CVE-2022-43408)

  - jenkins-plugin/workflow-support: Stored XSS vulnerability in Pipeline: Supporting APIs Plugin     (CVE-2022-43409)

  - mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)

  - jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script Security Plugin (CVE-2023-24422)

  - jenkins-2-plugins/JUnit: Stored XSS vulnerability in JUnit Plugin (CVE-2023-25761)

  - jenkins-2-plugins/pipeline-build-step: Stored XSS vulnerability in Pipeline: Build Step Plugin     (CVE-2023-25762)

  - Jenkins: Temporary file parameter created with insecure permissions (CVE-2023-27903)

  - Jenkins: Information disclosure through error stack traces related to agents (CVE-2023-27904)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2023:1064 advisory.

  - Pipeline Shared Groovy Libraries: Untrusted users can modify some Pipeline libraries in Pipeline Shared     Groovy Libraries Plugin (CVE-2022-29047)

  - Jenkins plugin: User-scoped credentials exposed to other users by Pipeline SCM API for Blue Ocean Plugin     (CVE-2022-30952)

  - jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)

  - jackson-databind: use of deeply nested arrays (CVE-2022-42004)

  - jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin     (CVE-2022-43401, CVE-2022-43403, CVE-2022-43404)

  - jenkins-plugin/workflow-cps: Sandbox bypass vulnerabilities in Pipeline: Groovy Plugin (CVE-2022-43402)

  - jenkins-plugin/pipeline-groovy-lib: Sandbox bypass vulnerability in Pipeline: Groovy Libraries Plugin     (CVE-2022-43405)

  - jenkins-plugin/workflow-cps-global-lib: Sandbox bypass vulnerability in Pipeline: Deprecated Groovy     Libraries Plugin (CVE-2022-43406)

  - jenkins-plugin/pipeline-input-step: CSRF protection for any URL can be bypassed in Pipeline: Input Step     Plugin (CVE-2022-43407)

  - jenkins-plugin/pipeline-stage-view: CSRF protection for any URL can be bypassed in Pipeline: Stage View     Plugin (CVE-2022-43408)

  - jenkins-plugin/workflow-support: Stored XSS vulnerability in Pipeline: Supporting APIs Plugin     (CVE-2022-43409)

  - jenkins-plugin/mercurial: Webhook endpoint discloses job names to unauthorized users in Mercurial Plugin     (CVE-2022-43410)

  - mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2023:0560 advisory.

  - google-oauth-client: missing PKCE support in accordance with the RFC for OAuth 2.0 for Native Apps can     lead to improper authorization (CVE-2020-7692)

  - snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)

  - Jenkins plugin: CSRF vulnerability in Script Security Plugin (CVE-2022-30946)

  - Jenkins plugin: User-scoped credentials exposed to other users by Pipeline SCM API for Blue Ocean Plugin     (CVE-2022-30952)

  - Jenkins plugin: CSRF vulnerability in Blue Ocean Plugin (CVE-2022-30953)

  - Jenkins plugin: missing permission checks in Blue Ocean Plugin (CVE-2022-30954)

  - jenkins-plugin: Cross-site Request Forgery (CSRF) in org.jenkins-ci.plugins:git (CVE-2022-36882)

  - jenkins plugin: Lack of authentication mechanism in Git Plugin webhook (CVE-2022-36883, CVE-2022-36884)

  - jenkins plugin: Non-constant time webhook signature comparison in GitHub Plugin (CVE-2022-36885)

  - jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin     (CVE-2022-43401, CVE-2022-43403, CVE-2022-43404)

  - jenkins-plugin/workflow-cps: Sandbox bypass vulnerabilities in Pipeline: Groovy Plugin (CVE-2022-43402)

  - jenkins-plugin/pipeline-groovy-lib: Sandbox bypass vulnerability in Pipeline: Groovy Libraries Plugin     (CVE-2022-43405)

  - jenkins-plugin/workflow-cps-global-lib: Sandbox bypass vulnerability in Pipeline: Deprecated Groovy     Libraries Plugin (CVE-2022-43406)

  - jenkins-plugin/pipeline-input-step: CSRF protection for any URL can be bypassed in Pipeline: Input Step     Plugin (CVE-2022-43407)

  - jenkins-plugin/pipeline-stage-view: CSRF protection for any URL can be bypassed in Pipeline: Stage View     Plugin (CVE-2022-43408)

  - jenkins-plugin/workflow-support: Stored XSS vulnerability in Pipeline: Supporting APIs Plugin     (CVE-2022-43409)

  - mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)

  - jenkins-plugin/script-security: Whole-script approval in Script Security Plugin vulnerable to SHA-1     collisions (CVE-2022-45379)

  - jenkins-plugin/JUnit: Stored XSS vulnerability in JUnit Plugin (CVE-2022-45380)

  - jenkins-plugin/pipeline-utility-steps: Arbitrary file read vulnerability in Pipeline Utility Steps Plugin     (CVE-2022-45381)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:0777 advisory.

  - google-oauth-client: missing PKCE support in accordance with the RFC for OAuth 2.0 for Native Apps can     lead to improper authorization (CVE-2020-7692)

  - SnakeYaml: Constructor Deserialization Remote Code Execution (CVE-2022-1471)

  - http2-server: Invalid HTTP/2 requests cause DoS (CVE-2022-2048)

  - snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)

  - Jenkins plugin: CSRF vulnerability in Script Security Plugin (CVE-2022-30946)

  - Jenkins plugin: User-scoped credentials exposed to other users by Pipeline SCM API for Blue Ocean Plugin     (CVE-2022-30952)

  - Jenkins plugin: CSRF vulnerability in Blue Ocean Plugin (CVE-2022-30953)

  - Jenkins plugin: missing permission checks in Blue Ocean Plugin (CVE-2022-30954)

  - jenkins: Observable timing discrepancy allows determining username validity (CVE-2022-34174)

  - jenkins-plugin: Cross-site Request Forgery (CSRF) in org.jenkins-ci.plugins:git (CVE-2022-36882)

  - jenkins plugin: Lack of authentication mechanism in Git Plugin webhook (CVE-2022-36883, CVE-2022-36884)

  - jenkins plugin: Non-constant time webhook signature comparison in GitHub Plugin (CVE-2022-36885)

  - jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin     (CVE-2022-43401, CVE-2022-43403, CVE-2022-43404)

  - jenkins-plugin/workflow-cps: Sandbox bypass vulnerabilities in Pipeline: Groovy Plugin (CVE-2022-43402)

  - jenkins-plugin/pipeline-groovy-lib: Sandbox bypass vulnerability in Pipeline: Groovy Libraries Plugin     (CVE-2022-43405)

  - jenkins-plugin/workflow-cps-global-lib: Sandbox bypass vulnerability in Pipeline: Deprecated Groovy     Libraries Plugin (CVE-2022-43406)

  - jenkins-plugin/pipeline-input-step: CSRF protection for any URL can be bypassed in Pipeline: Input Step     Plugin (CVE-2022-43407)

  - jenkins-plugin/pipeline-stage-view: CSRF protection for any URL can be bypassed in Pipeline: Stage View     Plugin (CVE-2022-43408)

  - jenkins-plugin/workflow-support: Stored XSS vulnerability in Pipeline: Supporting APIs Plugin     (CVE-2022-43409)

  - mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)

  - jenkins-plugin/script-security: Whole-script approval in Script Security Plugin vulnerable to SHA-1     collisions (CVE-2022-45379)

  - jenkins-plugin/JUnit: Stored XSS vulnerability in JUnit Plugin (CVE-2022-45380)

  - jenkins-plugin/pipeline-utility-steps: Arbitrary file read vulnerability in Pipeline Utility Steps Plugin     (CVE-2022-45381)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Red Hat Enterprise Linux CoreOS 4 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:0777 advisory.

  - PKCE support is not implemented in accordance with the RFC for OAuth 2.0 for Native Apps. Without the use     of PKCE, the authorization code returned by an authorization server is not enough to guarantee that the     client that issued the initial authorization request is the one that will be authorized. An attacker is     able to obtain the authorization code using a malicious app on the client-side and use it to gain     authorization to the protected resource. This affects the package com.google.oauth-client:google-oauth-     client before 1.31.0. (CVE-2020-7692)

  - SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization.
    Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using     SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend     upgrading to version 2.0 and beyond. (CVE-2022-1471)

  - In Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error     handling has a bug that can wind up not properly cleaning up the active connections and associated     resources. This can lead to a Denial of Service scenario where there are no enough resources left to     process good requests. (CVE-2022-2048)

  - The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due     missing to nested depth limitation for collections. (CVE-2022-25857)

  - A cross-site request forgery (CSRF) vulnerability in Jenkins Script Security Plugin 1158.v7c1b_73a_69a_08     and earlier allows attackers to have Jenkins send an HTTP request to an attacker-specified webserver.
    (CVE-2022-30946)

  - Jenkins Pipeline SCM API for Blue Ocean Plugin 1.25.3 and earlier allows attackers with Job/Configure     permission to access credentials with attacker-specified IDs stored in the private per-user credentials     stores of any attacker-specified user in Jenkins. (CVE-2022-30952)

  - A cross-site request forgery (CSRF) vulnerability in Jenkins Blue Ocean Plugin 1.25.3 and earlier allows     attackers to connect to an attacker-specified HTTP server. (CVE-2022-30953)

  - Jenkins Blue Ocean Plugin 1.25.3 and earlier does not perform a permission check in several HTTP     endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified HTTP     server. (CVE-2022-30954)

  - In Jenkins 2.355 and earlier, LTS 2.332.3 and earlier, an observable timing discrepancy on the login form     allows distinguishing between login attempts with an invalid username, and login attempts with a valid     username and wrong password, when using the Jenkins user database security realm. (CVE-2022-34174)

  - A cross-site request forgery (CSRF) vulnerability in Jenkins Git Plugin 4.11.3 and earlier allows     attackers to trigger builds of jobs configured to use an attacker-specified Git repository and to cause     them to check out an attacker-specified commit. (CVE-2022-36882)

  - A missing permission check in Jenkins Git Plugin 4.11.3 and earlier allows unauthenticated attackers to     trigger builds of jobs configured to use an attacker-specified Git repository and to cause them to check     out an attacker-specified commit. (CVE-2022-36883)

  - The webhook endpoint in Jenkins Git Plugin 4.11.3 and earlier provide unauthenticated attackers     information about the existence of jobs configured to use an attacker-specified Git repository.
    (CVE-2022-36884)

  - Jenkins GitHub Plugin 1.34.4 and earlier uses a non-constant time comparison function when checking     whether the provided and computed webhook signatures are equal, allowing attackers to use statistical     methods to obtain a valid webhook signature. (CVE-2022-36885)

  - A sandbox bypass vulnerability involving various casts performed implicitly by the Groovy language runtime     in Jenkins Script Security Plugin 1183.v774b_0b_0a_a_451 and earlier allows attackers with permission to     define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute     arbitrary code in the context of the Jenkins controller JVM. (CVE-2022-43401)

  - A sandbox bypass vulnerability involving various casts performed implicitly by the Groovy language runtime     in Jenkins Pipeline: Groovy Plugin 2802.v5ea_628154b_c2 and earlier allows attackers with permission to     define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute     arbitrary code in the context of the Jenkins controller JVM. (CVE-2022-43402)

  - A sandbox bypass vulnerability involving casting an array-like value to an array type in Jenkins Script     Security Plugin 1183.v774b_0b_0a_a_451 and earlier allows attackers with permission to define and run     sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the     context of the Jenkins controller JVM. (CVE-2022-43403)

  - A sandbox bypass vulnerability involving crafted constructor bodies and calls to sandbox-generated     synthetic constructors in Jenkins Script Security Plugin 1183.v774b_0b_0a_a_451 and earlier allows     attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox     protection and execute arbitrary code in the context of the Jenkins controller JVM. (CVE-2022-43404)

  - A sandbox bypass vulnerability in Jenkins Pipeline: Groovy Libraries Plugin 612.v84da_9c54906d and earlier     allows attackers with permission to define untrusted Pipeline libraries and to define and run sandboxed     scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context     of the Jenkins controller JVM. (CVE-2022-43405)

  - A sandbox bypass vulnerability in Jenkins Pipeline: Deprecated Groovy Libraries Plugin 583.vf3b_454e43966     and earlier allows attackers with permission to define untrusted Pipeline libraries and to define and run     sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the     context of the Jenkins controller JVM. (CVE-2022-43406)

  - Jenkins Pipeline: Input Step Plugin 451.vf1a_a_4f405289 and earlier does not restrict or sanitize the     optionally specified ID of the 'input' step, which is used for the URLs that process user interactions for     the given 'input' step (proceed or abort) and is not correctly encoded, allowing attackers able to     configure Pipelines to have Jenkins build URLs from 'input' step IDs that would bypass the CSRF protection     of any target URL in Jenkins when the 'input' step is interacted with. (CVE-2022-43407)

  - Jenkins Pipeline: Stage View Plugin 2.26 and earlier does not correctly encode the ID of 'input' steps     when using it to generate URLs to proceed or abort Pipeline builds, allowing attackers able to configure     Pipelines to specify 'input' step IDs resulting in URLs that would bypass the CSRF protection of any     target URL in Jenkins. (CVE-2022-43408)

  - Jenkins Pipeline: Supporting APIs Plugin 838.va_3a_087b_4055b and earlier does not sanitize or properly     encode URLs of hyperlinks sending POST requests in build logs, resulting in a stored cross-site scripting     (XSS) vulnerability exploitable by attackers able to create Pipelines. (CVE-2022-43409)

  - Class org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider in Apache MINA SSHD <= 2.9.1 uses     Java deserialization to load a serialized java.security.PrivateKey. The class is one of several     implementations that an implementor using Apache MINA SSHD can choose for loading the host keys of an SSH     server. (CVE-2022-45047)

  - Jenkins Script Security Plugin 1189.vb_a_b_7c8fd5fde and earlier stores whole-script approvals as the     SHA-1 hash of the script, making it vulnerable to collision attacks. (CVE-2022-45379)

  - Jenkins JUnit Plugin 1159.v0b_396e1e07dd and earlier converts HTTP(S) URLs in test report output to     clickable links in an unsafe manner, resulting in a stored cross-site scripting (XSS) vulnerability     exploitable by attackers with Item/Configure permission. (CVE-2022-45380)

  - Jenkins Pipeline Utility Steps Plugin 2.13.1 and earlier does not restrict the set of enabled prefix     interpolators and bundles versions of Apache Commons Configuration library that enable the 'file:' prefix     interpolator by default, allowing attackers able to configure Pipelines to read arbitrary files from the     Jenkins controller file system. (CVE-2022-45381)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Red Hat Enterprise Linux CoreOS 4 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2023:0560 advisory.

  - PKCE support is not implemented in accordance with the RFC for OAuth 2.0 for Native Apps. Without the use     of PKCE, the authorization code returned by an authorization server is not enough to guarantee that the     client that issued the initial authorization request is the one that will be authorized. An attacker is     able to obtain the authorization code using a malicious app on the client-side and use it to gain     authorization to the protected resource. This affects the package com.google.oauth-client:google-oauth-     client before 1.31.0. (CVE-2020-7692)

  - The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due     missing to nested depth limitation for collections. (CVE-2022-25857)

  - A cross-site request forgery (CSRF) vulnerability in Jenkins Script Security Plugin 1158.v7c1b_73a_69a_08     and earlier allows attackers to have Jenkins send an HTTP request to an attacker-specified webserver.
    (CVE-2022-30946)

  - Jenkins Pipeline SCM API for Blue Ocean Plugin 1.25.3 and earlier allows attackers with Job/Configure     permission to access credentials with attacker-specified IDs stored in the private per-user credentials     stores of any attacker-specified user in Jenkins. (CVE-2022-30952)

  - A cross-site request forgery (CSRF) vulnerability in Jenkins Blue Ocean Plugin 1.25.3 and earlier allows     attackers to connect to an attacker-specified HTTP server. (CVE-2022-30953)

  - Jenkins Blue Ocean Plugin 1.25.3 and earlier does not perform a permission check in several HTTP     endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified HTTP     server. (CVE-2022-30954)

  - A cross-site request forgery (CSRF) vulnerability in Jenkins Git Plugin 4.11.3 and earlier allows     attackers to trigger builds of jobs configured to use an attacker-specified Git repository and to cause     them to check out an attacker-specified commit. (CVE-2022-36882)

  - A missing permission check in Jenkins Git Plugin 4.11.3 and earlier allows unauthenticated attackers to     trigger builds of jobs configured to use an attacker-specified Git repository and to cause them to check     out an attacker-specified commit. (CVE-2022-36883)

  - The webhook endpoint in Jenkins Git Plugin 4.11.3 and earlier provide unauthenticated attackers     information about the existence of jobs configured to use an attacker-specified Git repository.
    (CVE-2022-36884)

  - Jenkins GitHub Plugin 1.34.4 and earlier uses a non-constant time comparison function when checking     whether the provided and computed webhook signatures are equal, allowing attackers to use statistical     methods to obtain a valid webhook signature. (CVE-2022-36885)

  - A sandbox bypass vulnerability involving various casts performed implicitly by the Groovy language runtime     in Jenkins Script Security Plugin 1183.v774b_0b_0a_a_451 and earlier allows attackers with permission to     define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute     arbitrary code in the context of the Jenkins controller JVM. (CVE-2022-43401)

  - A sandbox bypass vulnerability involving various casts performed implicitly by the Groovy language runtime     in Jenkins Pipeline: Groovy Plugin 2802.v5ea_628154b_c2 and earlier allows attackers with permission to     define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute     arbitrary code in the context of the Jenkins controller JVM. (CVE-2022-43402)

  - A sandbox bypass vulnerability involving casting an array-like value to an array type in Jenkins Script     Security Plugin 1183.v774b_0b_0a_a_451 and earlier allows attackers with permission to define and run     sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the     context of the Jenkins controller JVM. (CVE-2022-43403)

  - A sandbox bypass vulnerability involving crafted constructor bodies and calls to sandbox-generated     synthetic constructors in Jenkins Script Security Plugin 1183.v774b_0b_0a_a_451 and earlier allows     attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox     protection and execute arbitrary code in the context of the Jenkins controller JVM. (CVE-2022-43404)

  - A sandbox bypass vulnerability in Jenkins Pipeline: Groovy Libraries Plugin 612.v84da_9c54906d and earlier     allows attackers with permission to define untrusted Pipeline libraries and to define and run sandboxed     scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context     of the Jenkins controller JVM. (CVE-2022-43405)

  - A sandbox bypass vulnerability in Jenkins Pipeline: Deprecated Groovy Libraries Plugin 583.vf3b_454e43966     and earlier allows attackers with permission to define untrusted Pipeline libraries and to define and run     sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the     context of the Jenkins controller JVM. (CVE-2022-43406)

  - Jenkins Pipeline: Input Step Plugin 451.vf1a_a_4f405289 and earlier does not restrict or sanitize the     optionally specified ID of the 'input' step, which is used for the URLs that process user interactions for     the given 'input' step (proceed or abort) and is not correctly encoded, allowing attackers able to     configure Pipelines to have Jenkins build URLs from 'input' step IDs that would bypass the CSRF protection     of any target URL in Jenkins when the 'input' step is interacted with. (CVE-2022-43407)

  - Jenkins Pipeline: Stage View Plugin 2.26 and earlier does not correctly encode the ID of 'input' steps     when using it to generate URLs to proceed or abort Pipeline builds, allowing attackers able to configure     Pipelines to specify 'input' step IDs resulting in URLs that would bypass the CSRF protection of any     target URL in Jenkins. (CVE-2022-43408)

  - Jenkins Pipeline: Supporting APIs Plugin 838.va_3a_087b_4055b and earlier does not sanitize or properly     encode URLs of hyperlinks sending POST requests in build logs, resulting in a stored cross-site scripting     (XSS) vulnerability exploitable by attackers able to create Pipelines. (CVE-2022-43409)

  - Class org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider in Apache MINA SSHD <= 2.9.1 uses     Java deserialization to load a serialized java.security.PrivateKey. The class is one of several     implementations that an implementor using Apache MINA SSHD can choose for loading the host keys of an SSH     server. (CVE-2022-45047)

  - Jenkins Script Security Plugin 1189.vb_a_b_7c8fd5fde and earlier stores whole-script approvals as the     SHA-1 hash of the script, making it vulnerable to collision attacks. (CVE-2022-45379)

  - Jenkins JUnit Plugin 1159.v0b_396e1e07dd and earlier converts HTTP(S) URLs in test report output to     clickable links in an unsafe manner, resulting in a stored cross-site scripting (XSS) vulnerability     exploitable by attackers with Item/Configure permission. (CVE-2022-45380)

  - Jenkins Pipeline Utility Steps Plugin 2.13.1 and earlier does not restrict the set of enabled prefix     interpolators and bundles versions of Apache Commons Configuration library that enable the 'file:' prefix     interpolator by default, allowing attackers able to configure Pipelines to read arbitrary files from the     Jenkins controller file system. (CVE-2022-45381)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to their self-reported version numbers, the version of Jenkins plugins running on the remote web server are affected by multiple vulnerabilities:

  - A sandbox bypass vulnerability involving various casts performed implicitly by the Groovy language runtime     in Jenkins Script Security Plugin 1183.v774b_0b_0a_a_451 and earlier allows attackers with permission to     define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute     arbitrary code in the context of the Jenkins controller JVM. (CVE-2022-43401)

  - A sandbox bypass vulnerability involving crafted constructor bodies and calls to sandbox-generated     synthetic constructors in Jenkins Script Security Plugin 1183.v774b_0b_0a_a_451 and earlier allows     attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox     protection and execute arbitrary code in the context of the Jenkins controller JVM. (CVE-2022-43404)

  - A sandbox bypass vulnerability in Jenkins Pipeline: Groovy Libraries Plugin 612.v84da_9c54906d and earlier     allows attackers with permission to define untrusted Pipeline libraries and to define and run sandboxed     scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context     of the Jenkins controller JVM. (CVE-2022-43405)

  - A sandbox bypass vulnerability in Jenkins Pipeline: Deprecated Groovy Libraries Plugin 583.vf3b_454e43966     and earlier allows attackers with permission to define untrusted Pipeline libraries and to define and run     sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the     context of the Jenkins controller JVM. (CVE-2022-43406)

  - Jenkins Pipeline: Input Step Plugin 451.vf1a_a_4f405289 and earlier does not restrict or sanitize the     optionally specified ID of the 'input' step, which is used for the URLs that process user interactions for     the given 'input' step (proceed or abort) and is not correctly encoded, allowing attackers able to     configure Pipelines to have Jenkins build URLs from 'input' step IDs that would bypass the CSRF protection     of any target URL in Jenkins when the 'input' step is interacted with. (CVE-2022-43407)

  - Jenkins Pipeline: Stage View Plugin 2.26 and earlier does not correctly encode the ID of 'input' steps     when using it to generate URLs to proceed or abort Pipeline builds, allowing attackers able to configure     Pipelines to specify 'input' step IDs resulting in URLs that would bypass the CSRF protection of any     target URL in Jenkins. (CVE-2022-43408)

  - Jenkins Pipeline: Supporting APIs Plugin 838.va_3a_087b_4055b and earlier does not sanitize or properly     encode URLs of hyperlinks sending POST requests in build logs, resulting in a stored cross-site scripting     (XSS) vulnerability exploitable by attackers able to create Pipelines. (CVE-2022-43409)

  - Jenkins Mercurial Plugin 1251.va_b_121f184902 and earlier provides information about which jobs were     triggered or scheduled for polling through its webhook endpoint, including jobs the user has no permission     to access. (CVE-2022-43410)

  - Jenkins GitLab Plugin 1.5.35 and earlier uses a non-constant time comparison function when checking     whether the provided and expected webhook token are equal, potentially allowing attackers to use     statistical methods to obtain a valid webhook token. (CVE-2022-43411)

  - Jenkins Generic Webhook Trigger Plugin 1.84.1 and earlier uses a non-constant time comparison function     when checking whether the provided and expected webhook token are equal, potentially allowing attackers to     use statistical methods to obtain a valid webhook token. (CVE-2022-43412)

  - Jenkins Job Import Plugin 3.5 and earlier does not perform a permission check in an HTTP endpoint,     allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in     Jenkins. (CVE-2022-43413)

  - Jenkins NUnit Plugin 0.27 and earlier implements an agent-to-controller message that parses files inside a     user-specified directory as test results, allowing attackers able to control agent processes to obtain     test results from files in an attacker-specified directory on the Jenkins controller. (CVE-2022-43414)

  - Jenkins REPO Plugin 1.15.0 and earlier does not configure its XML parser to prevent XML external entity     (XXE) attacks. (CVE-2022-43415)

  - Jenkins Katalon Plugin 1.0.32 and earlier implements an agent/controller message that does not limit where     it can be executed and allows invoking Katalon with configurable arguments, allowing attackers able to     control agent processes to invoke Katalon on the Jenkins controller with attacker-controlled version,     install location, and arguments, and attackers additionally able to create files on the Jenkins controller     (e.g., attackers with Item/Configure permission could archive artifacts) to invoke arbitrary OS commands.
    (CVE-2022-43416)

  - Jenkins Katalon Plugin 1.0.32 and earlier does not perform permission checks in several HTTP endpoints,     allowing attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-     specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
    (CVE-2022-43417)

  - A cross-site request forgery (CSRF) vulnerability in Jenkins Katalon Plugin 1.0.33 and earlier allows     attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained     through another method, capturing credentials stored in Jenkins. (CVE-2022-43418)

  - Jenkins Katalon Plugin 1.0.32 and earlier stores API keys unencrypted in job config.xml files on the     Jenkins controller where they can be viewed by users with Extended Read permission, or access to the     Jenkins controller file system. (CVE-2022-43419)

  - Jenkins Contrast Continuous Application Security Plugin 3.9 and earlier does not escape data returned from     the Contrast service when generating a report, resulting in a stored cross-site scripting (XSS)     vulnerability exploitable by attackers able to control or modify Contrast service API responses.
    (CVE-2022-43420)

  - A missing permission check in Jenkins Tuleap Git Branch Source Plugin 3.2.4 and earlier allows     unauthenticated attackers to trigger Tuleap projects whose configured repository matches the attacker-     specified value. (CVE-2022-43421)

  - Jenkins Compuware Topaz Utilities Plugin 1.0.8 and earlier implements an agent/controller message that     does not limit where it can be executed, allowing attackers able to control agent processes to obtain the     values of Java system properties from the Jenkins controller process. (CVE-2022-43422)

  - Jenkins Compuware Source Code Download for Endevor, PDS, and ISPW Plugin 2.0.12 and earlier implements an     agent/controller message that does not limit where it can be executed, allowing attackers able to control     agent processes to obtain the values of Java system properties from the Jenkins controller process.
    (CVE-2022-43423)

  - Jenkins Compuware Xpediter Code Coverage Plugin 1.0.7 and earlier implements an agent/controller message     that does not limit where it can be executed, allowing attackers able to control agent processes to obtain     the values of Java system properties from the Jenkins controller process. (CVE-2022-43424)

  - Jenkins Custom Checkbox Parameter Plugin 1.4 and earlier does not escape the name and description of     Custom Checkbox Parameter parameters on views displaying parameters, resulting in a stored cross-site     scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. (CVE-2022-43425)

  - Jenkins S3 Explorer Plugin 1.0.8 and earlier does not mask the AWS_SECRET_ACCESS_KEY form field,     increasing the potential for attackers to observe and capture it. (CVE-2022-43426)

  - Jenkins Compuware Topaz for Total Test Plugin 2.4.8 and earlier does not perform permission checks in     several HTTP endpoints, allowing attackers with Overall/Read permission to enumerate credentials IDs of     credentials stored in Jenkins. (CVE-2022-43427)

  - Jenkins Compuware Topaz for Total Test Plugin 2.4.8 and earlier implements an agent/controller message     that does not limit where it can be executed, allowing attackers able to control agent processes to obtain     the values of Java system properties from the Jenkins controller process. (CVE-2022-43428)

  - Jenkins Compuware Topaz for Total Test Plugin 2.4.8 and earlier implements an agent/controller message     that does not limit where it can be executed, allowing attackers able to control agent processes to read     arbitrary files on the Jenkins controller file system. (CVE-2022-43429)

  - Jenkins Compuware Topaz for Total Test Plugin 2.4.8 and earlier does not configure its XML parser to     prevent XML external entity (XXE) attacks. (CVE-2022-43430)

  - Jenkins Compuware Strobe Measurement Plugin 1.0.1 and earlier does not perform a permission check in an     HTTP endpoint, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials     stored in Jenkins. (CVE-2022-43431)

  - Jenkins XFramium Builder Plugin 1.0.22 and earlier programmatically disables Content-Security-Policy     protection for user-generated content in workspaces, archived artifacts, etc. that Jenkins offers for     download. (CVE-2022-43432)

  - Jenkins ScreenRecorder Plugin 0.7 and earlier programmatically disables Content-Security-Policy protection     for user-generated content in workspaces, archived artifacts, etc. that Jenkins offers for download.
    (CVE-2022-43433)

  - Jenkins NeuVector Vulnerability Scanner Plugin 1.20 and earlier programmatically disables Content-     Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. that Jenkins     offers for download. (CVE-2022-43434)

  - Jenkins 360 FireLine Plugin 1.7.2 and earlier programmatically disables Content-Security-Policy protection     for user-generated content in workspaces, archived artifacts, etc. that Jenkins offers for download.
    (CVE-2022-43435)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
194295	RHEL 8 : jenkins and jenkins-2-plugins (RHSA-2023:3198)	Nessus	Red Hat Local Security Checks	critical
194221	RHEL 8 : OpenShift Developer Tools and Services for OCP 4.12 (RHSA-2023:1064)	Nessus	Red Hat Local Security Checks	critical
194208	RHEL 8 : OpenShift Container Platform 4.10.51 (RHSA-2023:0560)	Nessus	Red Hat Local Security Checks	critical
193747	RHEL 8 : OpenShift Container Platform 4.9.56 (RHSA-2023:0777)	Nessus	Red Hat Local Security Checks	critical
189442	RHCOS 4 : OpenShift Container Platform 4.9.56 (RHSA-2023:0777)	Nessus	Red Hat Local Security Checks	critical
189429	RHCOS 4 : OpenShift Container Platform 4.10.51 (RHSA-2023:0560)	Nessus	Red Hat Local Security Checks	critical
172085	Jenkins plugins Multiple Vulnerabilities (2022-10-19)	Nessus	CGI abuses	critical

Detections

Analytics

CVE-2022-43407

high

Tenable Plugins

critical

critical

critical

critical

critical

critical

critical