The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2024:0817-1 advisory.

  - Jetty is a Java based web server and servlet engine. An HTTP/2 SSL connection that is established and TCP     congested will be leaked when it times out. An attacker can cause many connections to end up in this     state, and the server may run out of file descriptors, eventually causing the server to stop accepting new     connections from valid clients. The vulnerability is patched in 9.4.54, 10.0.20, 11.0.20, and 12.0.6.
    (CVE-2024-22201)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 10 host has packages installed that are affected by a vulnerability as referenced in the dla-3780 advisory.

  - Jetty is a Java based web server and servlet engine. An HTTP/2 SSL connection that is established and TCP     congested will be leaked when it times out. An attacker can cause many connections to end up in this     state, and the server may run out of file descriptors, eventually causing the server to stop accepting new     connections from valid clients. The vulnerability is patched in 9.4.54, 10.0.20, 11.0.20, and 12.0.6.
    (CVE-2024-22201)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 11 / 12 host has packages installed that are affected by a vulnerability as referenced in the dsa-5664 advisory.

  - Jetty is a Java based web server and servlet engine. An HTTP/2 SSL connection that is established and TCP     congested will be leaked when it times out. An attacker can cause many connections to end up in this     state, and the server may run out of file descriptors, eventually causing the server to stop accepting new     connections from valid clients. The vulnerability is patched in 9.4.54, 10.0.20, 11.0.20, and 12.0.6.
    (CVE-2024-22201)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the 2e3bea0c-f110-11ee-bc57-00e081b7aa2d advisory.

  - Jetty is a Java based web server and servlet engine. An HTTP/2 SSL connection that is established and TCP     congested will be leaked when it times out. An attacker can cause many connections to end up in this     state, and the server may run out of file descriptors, eventually causing the server to stop accepting new     connections from valid clients. The vulnerability is patched in 9.4.54, 10.0.20, 11.0.20, and 12.0.6.
    (CVE-2024-22201)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of IBM MQ Server running on the remote host is affected by a vulnerability as referenced in the 7158057 advisory.

  - Jetty is a Java based web server and servlet engine. An HTTP/2 SSL connection that is established and TCP     congested will be leaked when it times out. An attacker can cause many connections to end up in this     state, and the server may run out of file descriptors, eventually causing the server to stop accepting new     connections from valid clients. The vulnerability is patched in 9.4.54, 10.0.20, 11.0.20, and 12.0.6.
    (CVE-2024-22201)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to its its self-reported version number, the version of Jenkins running on the remote web server is Jenkins LTS prior to 2.440.2 or Jenkins weekly prior to 2.444. It is, therefore, affected by a vulnerability:

  - Jetty is a Java based web server and servlet engine. An HTTP/2 SSL connection that is established and TCP     congested will be leaked when it times out. An attacker can cause many connections to end up in this     state, and the server may run out of file descriptors, eventually causing the server to stop accepting new     connections from valid clients. The vulnerability is patched in 9.4.54, 10.0.20, 11.0.20, and 12.0.6.
    (CVE-2024-22201)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:3634 advisory.

    Jenkins is a continuous integration server that monitors the execution of     recurring jobs, such as software builds or cron jobs.

    Security fixes:

    * jenkins-2-plugins: Git-server plugin has an arbitrary file read     vulnerability (CVE-2024-23899)

    * jenkins-plugin/script-security: Sandbox bypass occurs via crafted     constructor bodies (CVE-2024-34144)

    * jenkins-plugin/script-security: Sandbox bypass occurs via sandbox-defined     classes (CVE-2024-34145)

    * jenkins-2-plugins: HTML Publisher plugin has improper input sanitization     (CVE-2024-28149)

    * jetty: Stops accepting new connections from valid clients     (CVE-2024-22201)

    * SSH: Prefix truncation attack on Binary Packet Protocol (BPP)     (CVE-2023-48795)

    * golang-protobuf: Unmarshaling certain forms of invalid JSON in the     protojson.Unmarshal function causes an infinite loop in the     encoding/protojson and internal/encoding/json packages of Golang-protobuf     (CVE-2024-24786)

    * jenkins-2-plugins: Matrix-project plugin has a path traversal     vulnerability (CVE-2024-23900)

    For more details about these security issues, including their impact, CVSS     scores, acknowledgments, and other related information, refer to the CVE     page listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:3635 advisory.

    Jenkins is a continuous integration server that monitors the execution of recurring jobs, such as software     builds or cron jobs.

    Security fixes:

    * jenkins-2-plugins: Git-server plugin has an arbitrary file read vulnerability (CVE-2024-23899)

    * jenkins-plugin/script-security: Sandbox bypass occurs via crafted constructor bodies (CVE-2024-34144)

    * jenkins-plugin/script-security: Sandbox bypass occurs via sandbox-defined classes (CVE-2024-34145)

    * jenkins-2-plugins: HTML Publisher plugin has improper input sanitization (CVE-2024-28149)

    * Jetty: Stops accepting new connections from valid clients (CVE-2024-22201)

    * SSH: Prefix truncation attack on Binary Packet Protocol (BPP) (CVE-2023-48795)

    * golang-protobuf: Unmarshaling certain forms of invalid JSON in the protojson.Unmarshal function causes     an infinite loop in the encoding/protojson and internal/encoding/json packages of Golang-protobuf     (CVE-2024-24786)

    * jenkins-2-plugins: Matrix-project plugin has a path traversal vulnerability (CVE-2024-23900)

    For more details about these security issues, including their impact, CVSS scores, acknowledgments, and     other related information, refer to the CVE page listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:3636 advisory.

    Jenkins is a continuous integration server that monitors the execution of     recurring jobs, such as software builds or cron jobs.

    Security fixes:

    * jenkins-2-plugins: Git-server plugin has an arbitrary file read     vulnerability (CVE-2024-23899)

    * jenkins-plugin/script-security: Sandbox bypass occurs via crafted     constructor bodies (CVE-2024-34144)

    * jenkins-plugin/script-security: Sandbox bypass occurs via sandbox-defined     classes (CVE-2024-34145)

    * jenkins-2-plugins: HTML Publisher plugin has improper input sanitization     (CVE-2024-28149)

    * jetty: Stops accepting new connections from valid clients     (CVE-2024-22201)

    * SSH: Prefix truncation attack on Binary Packet Protocol (BPP)     (CVE-2023-48795)

    * golang-protobuf: Unmarshaling certain forms of invalid JSON in the     protojson.Unmarshal function causes an infinite loop in the     encoding/protojson and internal/encoding/json packages of Golang-protobuf     (CVE-2024-24786).

    * jenkins-2-plugins: Matrix-project plugin has a path traversal     vulnerability (CVE-2024-23900)

    For more details about these security issues, including their impact, CVSS     scores, acknowledgments, and other related information, refer to the CVE     page listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Published	Updated	Severity
191761	SUSE SLED15 / SLES15 / openSUSE 15 Security Update : jetty-minimal (SUSE-SU-2024:0817-1)	Nessus	SuSE Local Security Checks	3/9/2024	3/9/2024	high
192961	Debian dla-3780 : jetty9 - security update	Nessus	Debian Local Security Checks	4/6/2024	4/6/2024	high
193483	Debian dsa-5664 : jetty9 - security update	Nessus	Debian Local Security Checks	4/18/2024	4/18/2024	high
192884	FreeBSD : jenkins -- HTTP/2 denial of service vulnerability in bundled Jetty (2e3bea0c-f110-11ee-bc57-00e081b7aa2d)	Nessus	FreeBSD Local Security Checks	4/3/2024	4/3/2024	high
201058	IBM MQ 9.0 <= 9.0.0.26 / 9.1 <= 9.1.0.22 / 9.2 <= 9.2.0.26 / 9.3 < 9.4 CD (7158057)	Nessus	Misc.	6/27/2024	6/27/2024	high
192307	Jenkins LTS < 2.440.2 / Jenkins weekly < 2.444	Nessus	CGI abuses	3/20/2024	6/4/2024	high
200117	RHEL 8 : Red Hat Product OCP Tools 4.14 OpenShift Jenkins (RHSA-2024:3634)	Nessus	Red Hat Local Security Checks	6/5/2024	6/5/2024	medium
200120	RHEL 8 : Red Hat Product OCP Tools 4.12 Openshift Jenkins (RHSA-2024:3635)	Nessus	Red Hat Local Security Checks	6/5/2024	6/5/2024	medium
200118	RHEL 8 : Red Hat Product OCP Tools 4.13 OpenShift Jenkins (RHSA-2024:3636)	Nessus	Red Hat Local Security Checks	6/5/2024	6/5/2024	medium

Detections

Analytics

Plugins Search

high

high

high

high

high

high

medium

medium

medium