The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:3636 advisory.

    Jenkins is a continuous integration server that monitors the execution of     recurring jobs, such as software builds or cron jobs.

    Security fixes:

    * jenkins-2-plugins: Git-server plugin has an arbitrary file read     vulnerability (CVE-2024-23899)

    * jenkins-plugin/script-security: Sandbox bypass occurs via crafted     constructor bodies (CVE-2024-34144)

    * jenkins-plugin/script-security: Sandbox bypass occurs via sandbox-defined     classes (CVE-2024-34145)

    * jenkins-2-plugins: HTML Publisher plugin has improper input sanitization     (CVE-2024-28149)

    * jetty: Stops accepting new connections from valid clients     (CVE-2024-22201)

    * SSH: Prefix truncation attack on Binary Packet Protocol (BPP)     (CVE-2023-48795)

    * golang-protobuf: Unmarshaling certain forms of invalid JSON in the     protojson.Unmarshal function causes an infinite loop in the     encoding/protojson and internal/encoding/json packages of Golang-protobuf     (CVE-2024-24786).

    * jenkins-2-plugins: Matrix-project plugin has a path traversal     vulnerability (CVE-2024-23900)

    For more details about these security issues, including their impact, CVSS     scores, acknowledgments, and other related information, refer to the CVE     page listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:3635 advisory.

    Jenkins is a continuous integration server that monitors the execution of recurring jobs, such as software     builds or cron jobs.

    Security fixes:

    * jenkins-2-plugins: Git-server plugin has an arbitrary file read vulnerability (CVE-2024-23899)

    * jenkins-plugin/script-security: Sandbox bypass occurs via crafted constructor bodies (CVE-2024-34144)

    * jenkins-plugin/script-security: Sandbox bypass occurs via sandbox-defined classes (CVE-2024-34145)

    * jenkins-2-plugins: HTML Publisher plugin has improper input sanitization (CVE-2024-28149)

    * Jetty: Stops accepting new connections from valid clients (CVE-2024-22201)

    * SSH: Prefix truncation attack on Binary Packet Protocol (BPP) (CVE-2023-48795)

    * golang-protobuf: Unmarshaling certain forms of invalid JSON in the protojson.Unmarshal function causes     an infinite loop in the encoding/protojson and internal/encoding/json packages of Golang-protobuf     (CVE-2024-24786)

    * jenkins-2-plugins: Matrix-project plugin has a path traversal vulnerability (CVE-2024-23900)

    For more details about these security issues, including their impact, CVSS scores, acknowledgments, and     other related information, refer to the CVE page listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

This plugin has been deprecated as it does not adhere to established standards for this style of check.

The remote Debian 10 host has packages installed that are affected by a vulnerability as referenced in the dla-3780 advisory.

  - Jetty is a Java based web server and servlet engine. An HTTP/2 SSL connection that is established and TCP     congested will be leaked when it times out. An attacker can cause many connections to end up in this     state, and the server may run out of file descriptors, eventually causing the server to stop accepting new     connections from valid clients. The vulnerability is patched in 9.4.54, 10.0.20, 11.0.20, and 12.0.6.
    (CVE-2024-22201)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2024:0817-1 advisory.

  - Jetty is a Java based web server and servlet engine. An HTTP/2 SSL connection that is established and TCP     congested will be leaked when it times out. An attacker can cause many connections to end up in this     state, and the server may run out of file descriptors, eventually causing the server to stop accepting new     connections from valid clients. The vulnerability is patched in 9.4.54, 10.0.20, 11.0.20, and 12.0.6.
    (CVE-2024-22201)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The 13.5.0.0 versions of Enterprise Manager Base Platform installed on the remote host are affected by multiple vulnerabilities as referenced in the October 2024 CPU advisory.

  - Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager     (component: Agent Next Gen (BSAFE Crypto-J)). The supported version that is affected is 13.5.0.0. Easily     exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise     Oracle Enterprise Manager Base Platform. Successful attacks of this vulnerability can result in takeover     of Oracle Enterprise Manager Base Platform. (CVE-2022-34381)

  - Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager     (component: Agent Next Gen (Eclipse Jetty)). The supported version that is affected is 13.5.0.0. Easily     exploitable vulnerability allows unauthenticated attacker with network access via HTTP/2 to compromise     Oracle Enterprise Manager Base Platform. Successful attacks of this vulnerability can result in     unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Enterprise     Manager Base Platform. (CVE-2024-22201)

  - Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager     (component: Job System (Netty)). The supported version that is affected is 13.5.0.0. Easily exploitable     vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Enterprise     Manager Base Platform. Successful attacks of this vulnerability can result in unauthorized ability to     cause a partial denial of service (partial DOS) of Oracle Enterprise Manager Base Platform.
    (CVE-2024-29025)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:3634 advisory.

    Jenkins is a continuous integration server that monitors the execution of     recurring jobs, such as software builds or cron jobs.

    Security fixes:

    * jenkins-2-plugins: Git-server plugin has an arbitrary file read     vulnerability (CVE-2024-23899)

    * jenkins-plugin/script-security: Sandbox bypass occurs via crafted     constructor bodies (CVE-2024-34144)

    * jenkins-plugin/script-security: Sandbox bypass occurs via sandbox-defined     classes (CVE-2024-34145)

    * jenkins-2-plugins: HTML Publisher plugin has improper input sanitization     (CVE-2024-28149)

    * jetty: Stops accepting new connections from valid clients     (CVE-2024-22201)

    * SSH: Prefix truncation attack on Binary Packet Protocol (BPP)     (CVE-2023-48795)

    * golang-protobuf: Unmarshaling certain forms of invalid JSON in the     protojson.Unmarshal function causes an infinite loop in the     encoding/protojson and internal/encoding/json packages of Golang-protobuf     (CVE-2024-24786)

    * jenkins-2-plugins: Matrix-project plugin has a path traversal     vulnerability (CVE-2024-23900)

    For more details about these security issues, including their impact, CVSS     scores, acknowledgments, and other related information, refer to the CVE     page listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its its self-reported version number, the version of Jenkins running on the remote web server is Jenkins LTS prior to 2.440.2 or Jenkins weekly prior to 2.444. It is, therefore, affected by a vulnerability:

  - Jetty is a Java based web server and servlet engine. An HTTP/2 SSL connection that is established and TCP     congested will be leaked when it times out. An attacker can cause many connections to end up in this     state, and the server may run out of file descriptors, eventually causing the server to stop accepting new     connections from valid clients. The vulnerability is patched in 9.4.54, 10.0.20, 11.0.20, and 12.0.6.
    (CVE-2024-22201)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The 12.2.1.4.0 and 14.1.1.0.0 versions of Coherence installed on the remote host are affected by multiple vulnerabilities as referenced in the July 2024 CPU advisory.

  - Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Third Party (Eclipse Jetty)).
    Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows     unauthenticated attacker with network access via HTTP/2 to compromise Oracle Coherence. Successful attacks of this     vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of     Oracle Coherence. (CVE-2024-22201)

  - Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Third Party (Netty)).     Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows     unauthenticated attacker with network access via HTTP to compromise Oracle Coherence. Successful attacks of this     vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle     Coherence. (CVE-2024-29025)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 11 / 12 host has packages installed that are affected by a vulnerability as referenced in the dsa-5664 advisory.

  - Jetty is a Java based web server and servlet engine. An HTTP/2 SSL connection that is established and TCP     congested will be leaked when it times out. An attacker can cause many connections to end up in this     state, and the server may run out of file descriptors, eventually causing the server to stop accepting new     connections from valid clients. The vulnerability is patched in 9.4.54, 10.0.20, 11.0.20, and 12.0.6.
    (CVE-2024-22201)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:4597 advisory.

    Jenkins is a continuous integration server that monitors the execution of recurring jobs, such as software     builds or cron jobs.

    Security Fix(es):

    * jenkins-plugin/script-security: Sandbox bypass via sandbox-defined classes (CVE-2024-34145)

    * jenkins-plugin/script-security: Sandbox bypass via crafted constructor bodies (CVE-2024-34144)

    * jenkins-2-plugins: Improper input sanitization in HTML Publisher Plugin (CVE-2024-28149)

    * jenkins-2-plugins: git-server plugin arbitrary file read vulnerability (CVE-2024-23899)

    * jetty: Stop accepting new connections from valid clients (CVE-2024-22201)

    * ssh: Prefix truncation attack on Binary Packet Protocol (BPP) (CVE-2023-48795)

    * golang-protobuf: encoding/protojson, internal/encoding/json: infinite loop in protojson.Unmarshal when     unmarshaling certain forms of invalid JSON (CVE-2024-24786)

    * jenkins-2-plugins: matrix-project plugin path traversal vulnerability (CVE-2024-23900)

    * runc: File descriptor leak (CVE-2024-21626, Leaky-Vessels)

    * jenkins-2-plugins: git-server plugin arbitrary file read vulnerability (CVE-2024-23899)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the 2e3bea0c-f110-11ee-bc57-00e081b7aa2d advisory.

  - Jetty is a Java based web server and servlet engine. An HTTP/2 SSL connection that is established and TCP     congested will be leaked when it times out. An attacker can cause many connections to end up in this     state, and the server may run out of file descriptors, eventually causing the server to stop accepting new     connections from valid clients. The vulnerability is patched in 9.4.54, 10.0.20, 11.0.20, and 12.0.6.
    (CVE-2024-22201)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of IBM MQ Server running on the remote host is affected by a vulnerability as referenced in the 7158057 advisory.

  - Jetty is a Java based web server and servlet engine. An HTTP/2 SSL connection that is established and TCP     congested will be leaked when it times out. An attacker can cause many connections to end up in this     state, and the server may run out of file descriptors, eventually causing the server to stop accepting new     connections from valid clients. The vulnerability is patched in 9.4.54, 10.0.20, 11.0.20, and 12.0.6.
    (CVE-2024-22201)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Published	Updated	Severity
200118	RHEL 8 : Red Hat Product OCP Tools 4.13 OpenShift Jenkins (RHSA-2024:3636)	Nessus	Red Hat Local Security Checks	6/5/2024	11/7/2024	critical
200120	RHEL 8 : Red Hat Product OCP Tools 4.12 Openshift Jenkins (RHSA-2024:3635)	Nessus	Red Hat Local Security Checks	6/5/2024	11/7/2024	critical
196483	RHEL 7 : jetty (Unpatched Vulnerability) (deprecated)	Nessus	Red Hat Local Security Checks	5/11/2024	5/31/2024	high
192961	Debian dla-3780 : jetty9 - security update	Nessus	Debian Local Security Checks	4/6/2024	4/6/2024	high
191761	SUSE SLED15 / SLES15 / openSUSE 15 Security Update : jetty-minimal (SUSE-SU-2024:0817-1)	Nessus	SuSE Local Security Checks	3/9/2024	3/9/2024	high
209256	Oracle Enterprise Manager Cloud Control (October 2024 CPU)	Nessus	Misc.	10/17/2024	10/18/2024	critical
200117	RHEL 8 : Red Hat Product OCP Tools 4.14 OpenShift Jenkins (RHSA-2024:3634)	Nessus	Red Hat Local Security Checks	6/5/2024	11/7/2024	critical
192307	Jenkins LTS < 2.440.2 / Jenkins weekly < 2.444	Nessus	CGI abuses	3/20/2024	6/4/2024	high
202702	Oracle Coherence (Jul 2024 CPU)	Nessus	Misc.	7/19/2024	7/22/2024	high
193483	Debian dsa-5664 : jetty9 - security update	Nessus	Debian Local Security Checks	4/18/2024	4/18/2024	high
202767	RHEL 8 : Red Hat Product OCP Tools 4.15 OpenShift Jenkins (RHSA-2024:4597)	Nessus	Red Hat Local Security Checks	7/22/2024	11/7/2024	critical
192884	FreeBSD : jenkins -- HTTP/2 denial of service vulnerability in bundled Jetty (2e3bea0c-f110-11ee-bc57-00e081b7aa2d)	Nessus	FreeBSD Local Security Checks	4/3/2024	4/3/2024	high
201058	IBM MQ 9.0 <= 9.0.0.26 / 9.1 <= 9.1.0.22 / 9.2 <= 9.2.0.26 / 9.3 < 9.4 CD (7158057)	Nessus	Misc.	6/27/2024	6/27/2024	high

Detections

Analytics

Plugins Search

critical

critical

high

high

high

critical

critical

high

high

high

critical

high

high