cloudbees-folder-6.16.jar: 3 vulnerabilities (highest severity is: 8.8) #283
Labels
Mend: dependency security vulnerability
Security vulnerability detected by Mend
Comments
mend-for-github-com
bot
added
the
Mend: dependency security vulnerability
mend-for-github-com
bot
changed the title
|
Looks like these CVEs could be caused by cached dependencies from others as we cannot find I also tried to bump |
getsaurabh02
moved this from 🆕 New
to Later (6 months plus)
in Engineering Effectiveness Board
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
This plugin allows users to create "folders" to organize jobs. Users can define custom taxonomies (like by project type, organization type etc). Folders are nestable and you can define views within folders. Maintained by CloudBees, Inc.
Library home page: https://github.com/jenkinsci/cloudbees-folder-plugin/
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jenkins-ci.plugins/cloudbees-folder/6.16/53b5e0e56eb9041b71922bed842689c948bce5f9/cloudbees-folder-6.16.jar
Found in HEAD commit: 26696d30ae3a174047ee21ec6573e9b8b0bc1d1e
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - cloudbees-folder-6.16.jar
This plugin allows users to create "folders" to organize jobs. Users can define custom taxonomies (like by project type, organization type etc). Folders are nestable and you can define views within folders. Maintained by CloudBees, Inc.
Library home page: https://github.com/jenkinsci/cloudbees-folder-plugin/
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jenkins-ci.plugins/cloudbees-folder/6.16/53b5e0e56eb9041b71922bed842689c948bce5f9/cloudbees-folder-6.16.jar
Dependency Hierarchy:
Found in HEAD commit: 26696d30ae3a174047ee21ec6573e9b8b0bc1d1e
Found in base branch: main
Vulnerability Details
A cross-site request forgery (CSRF) vulnerability in Jenkins Folders Plugin 6.846.v23698686f0f6 and earlier allows attackers to copy folders.
Publish Date: 2023-08-16
URL: CVE-2023-40336
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-40336
Release Date: 2023-08-16
Fix Resolution: org.jenkins-ci.plugins:cloudbees-folder:6.848.ve3b_fd7839a_81
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - cloudbees-folder-6.16.jar
This plugin allows users to create "folders" to organize jobs. Users can define custom taxonomies (like by project type, organization type etc). Folders are nestable and you can define views within folders. Maintained by CloudBees, Inc.
Library home page: https://github.com/jenkinsci/cloudbees-folder-plugin/
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jenkins-ci.plugins/cloudbees-folder/6.16/53b5e0e56eb9041b71922bed842689c948bce5f9/cloudbees-folder-6.16.jar
Dependency Hierarchy:
Found in HEAD commit: 26696d30ae3a174047ee21ec6573e9b8b0bc1d1e
Found in base branch: main
Vulnerability Details
Jenkins Folders Plugin 6.846.v23698686f0f6 and earlier displays an error message that includes an absolute path of a log file when attempting to access the Scan Organization Folder Log if no logs are available, exposing information about the Jenkins controller file system.
Publish Date: 2023-08-16
URL: CVE-2023-40338
CVSS 3 Score Details (4.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-40338
Release Date: 2023-08-16
Fix Resolution: org.jenkins-ci.plugins:cloudbees-folder:6.848.ve3b_fd7839a_81
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - cloudbees-folder-6.16.jar
This plugin allows users to create "folders" to organize jobs. Users can define custom taxonomies (like by project type, organization type etc). Folders are nestable and you can define views within folders. Maintained by CloudBees, Inc.
Library home page: https://github.com/jenkinsci/cloudbees-folder-plugin/
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jenkins-ci.plugins/cloudbees-folder/6.16/53b5e0e56eb9041b71922bed842689c948bce5f9/cloudbees-folder-6.16.jar
Dependency Hierarchy:
Found in HEAD commit: 26696d30ae3a174047ee21ec6573e9b8b0bc1d1e
Found in base branch: main
Vulnerability Details
A cross-site request forgery (CSRF) vulnerability in Jenkins Folders Plugin 6.846.v23698686f0f6 and earlier allows attackers to copy a view inside a folder.
Publish Date: 2023-08-16
URL: CVE-2023-40337
CVSS 3 Score Details (4.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-40337
Release Date: 2023-08-16
Fix Resolution: org.jenkins-ci.plugins:cloudbees-folder:6.848.ve3b_fd7839a_81
⛑️ Automatic Remediation will be attempted for this issue.
⛑️Automatic Remediation will be attempted for this issue.
The text was updated successfully, but these errors were encountered: