The version of Jenkins Enterprise or Jenkins Operations Center running on the remote web server is 2.222.x prior to 2.222.43.0.4, 2.249.x prior to 2.249.30.0.4, or 2.x prior to 2.277.2.3. It is, therefore, affected by multiple vulnerabilities, including the following:

  - Reflected XSS vulnerability in Micro Focus Application Automation Tools Plugin - Jenkins plugin. The     vulnerability affects all version 6.7 and earlier versions. (CVE-2021-22510)

  - Improper Certificate Validation vulnerability in Micro Focus Application Automation Tools Plugin - Jenkins     plugin. The vulnerability affects version 6.7 and earlier versions. The vulnerability could allow     unconditionally disabling of SSL/TLS certificates. (CVE-2021-22511)

  - Cross-Site Request Forgery (CSRF) vulnerability in Micro Focus Application Automation Tools Plugin -     Jenkins plugin. The vulnerability affects version 6.7 and earlier versions. The vulnerability could allow     form validation without permission checks. (CVE-2021-22512)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its its self-reported version number, the version of Jenkins running on the remote web server is Jenkins LTS prior to 2.277.2 or Jenkins weekly prior to 2.287. It is, therefore, affected by multiple vulnerabilities:

  - Jenkins 2.286 and earlier, LTS 2.277.1 and earlier does not validate the type of object created after     loading the data submitted to the `config.xml` REST API endpoint of a node, allowing attackers with     Computer/Configure permission to replace a node with one of a different type. (CVE-2021-21639)

  - Jenkins 2.286 and earlier, LTS 2.277.1 and earlier does not properly check that a newly created view has     an allowed name, allowing attackers with View/Create permission to create views with invalid or already-     used names. (CVE-2021-21640)

  - A cross-site request forgery (CSRF) vulnerability in Jenkins promoted builds Plugin 3.9 and earlier allows     attackers to to promote builds. (CVE-2021-21641)     
  - Improper Certificate Validation vulnerability in Micro Focus Application Automation Tools Plugin -     Jenkins plugin. The vulnerability affects version 6.7 and earlier versions. The vulnerability could     allow unconditionally disabling of SSL/TLS certificates. (CVE-2021-22511)     
  - Cross-Site Request Forgery (CSRF) vulnerability in Micro Focus Application Automation Tools Plugin - Jenkins     plugin. The vulnerability affects version 6.7 and earlier versions. The vulnerability could allow form     validation without permission checks. (CVE-2021-22512)     
  - Missing Authorization vulnerability in Micro Focus Application Automation Tools Plugin - Jenkins plugin.     The vulnerability affects version 6.7 and earlier versions. The vulnerability could allow access without     permission checks. (CVE-2021-22513)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:2437 advisory.

    Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution     designed for on-premise or private cloud deployments.

    This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.8.2. See the following     advisory for the container images for this release:

    https://access.redhat.com/errata/RHSA-2021:2438

    Security Fix(es):

    * gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation (CVE-2021-3121)

    * golang: crypto/elliptic: incorrect operations on the P-224 curve (CVE-2021-3114)

    * openshift: Injected service-ca.crt incorrectly contains additional internal CAs (CVE-2021-3636)

    * python-eventlet: improper handling of highly compressed data and memory allocation with excessive size     allows DoS (CVE-2021-21419)

    * jenkins-2-plugins/matrix-auth: Incorrect permission checks in Matrix Authorization Strategy Plugin     (CVE-2021-21623)

    * jenkins-2-plugins/credentials: Reflected XSS vulnerability in Credentials Plugin (CVE-2021-21648)

    * kubernetes: Validating Admission Webhook does not observe some previous fields (CVE-2021-25735)

    * jenkins: lack of type validation in agent related REST API (CVE-2021-21639)

    * jenkins: view name validation bypass (CVE-2021-21640)

    * kubernetes: Holes in EndpointSlice Validation Enable Host Network Hijack (CVE-2021-25737)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

    All OpenShift Container Platform 4.8 users are advised to upgrade to these updated packages and images     when they are available in the appropriate release channel. To check for available updates, use the     OpenShift Console or the CLI oc command. Instructions for upgrading a cluster are available at     https://docs.openshift.com/container-platform/4.8/updating/updating-cluster-between-     minor.html#understanding-upgrade-channels_updating-cluster-between-minor

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:1551 advisory.

    Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution     designed for on-premise or private cloud deployments.

    This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.7.11. See the following     advisory for the container images for this release:

    https://access.redhat.com/errata/RHBA-2021:1550

    Security Fix(es):

    * golang: math/big: panic during recursive division of very large numbers (CVE-2020-28362)

    * golang: crypto/elliptic: incorrect operations on the P-224 curve (CVE-2021-3114)

    * jetty: Symlink directory exposes webapp directory contents (CVE-2021-28163)

    * jetty: Resource exhaustion when receiving an invalid large TLS frame (CVE-2021-28165)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

    All OpenShift Container Platform 4.7 users are advised to upgrade to these updated packages and images     when they are available in the appropriate release channel. To check for available updates, use the     OpenShift Console or the CLI oc command. Instructions for upgrading a cluster are available at     https://docs.openshift.com/container-platform/4.7/updating/updating-cluster-between-     minor.html#understanding-upgrade-channels_updating-cluster-between-minor

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Published	Updated	Severity
155586	Jenkins Enterprise and Operations Center < 2.222.43.0.4 / 2.249.30.0.4 / 2.277.2.3 Multiple Vulnerabilities (CloudBees Security Advisory 2021-04-07)	Nessus	CGI abuses	11/18/2021	6/4/2024	medium
148418	Jenkins LTS < 2.277.2 / Jenkins weekly < 2.287 Multiple Vulnerabilities	Nessus	CGI abuses	4/9/2021	6/5/2024	medium
152103	RHEL 7 / 8 : OpenShift Container Platform 4.8.2 (RHSA-2021:2437)	Nessus	Red Hat Local Security Checks	7/27/2021	11/7/2024	high
149793	RHEL 7 / 8 : OpenShift Container Platform 4.7.11 (RHSA-2021:1551)	Nessus	Red Hat Local Security Checks	5/20/2021	11/8/2024	medium

Detections

Analytics

Plugins Search

medium

medium

high

medium