jordarlu
commented
8 months ago Looks like these CVEs could be caused by cached dependencies from others as we cannot find cloudbees-folder specified in build.gradle, and we tried to avoid adding new individual dependency to prevent maintanence difficulty in the future.
I also tried to bump workflowCpsGlobalLibraryPluginVersion to the latest 609.vd95673f149b_b, it did fix 7 CVEs but also introduced another 6 new CVEs in the meantime ; hence, we may have to hold for it ,,
This plugin allows users to create "folders" to organize jobs. Users can define custom taxonomies (like by project type, organization type etc). Folders are nestable and you can define views within folders. Maintained by CloudBees, Inc.
Library home page: https://github.com/jenkinsci/cloudbees-folder-plugin/
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jenkins-ci.plugins/cloudbees-folder/6.16/53b5e0e56eb9041b71922bed842689c948bce5f9/cloudbees-folder-6.16.jar
Found in HEAD commit: 26696d30ae3a174047ee21ec6573e9b8b0bc1d1e
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2023-40336
### Vulnerable Library - cloudbees-folder-6.16.jarThis plugin allows users to create "folders" to organize jobs. Users can define custom taxonomies (like by project type, organization type etc). Folders are nestable and you can define views within folders. Maintained by CloudBees, Inc.
Library home page: https://github.com/jenkinsci/cloudbees-folder-plugin/
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jenkins-ci.plugins/cloudbees-folder/6.16/53b5e0e56eb9041b71922bed842689c948bce5f9/cloudbees-folder-6.16.jar
Dependency Hierarchy: - :x: **cloudbees-folder-6.16.jar** (Vulnerable Library)
Found in HEAD commit: 26696d30ae3a174047ee21ec6573e9b8b0bc1d1e
Found in base branch: main
### Vulnerability DetailsA cross-site request forgery (CSRF) vulnerability in Jenkins Folders Plugin 6.846.v23698686f0f6 and earlier allows attackers to copy folders.
Publish Date: 2023-08-16
URL: CVE-2023-40336
### CVSS 3 Score Details (8.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-40336
Release Date: 2023-08-16
Fix Resolution: org.jenkins-ci.plugins:cloudbees-folder:6.848.ve3b_fd7839a_81
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2023-40338
### Vulnerable Library - cloudbees-folder-6.16.jarThis plugin allows users to create "folders" to organize jobs. Users can define custom taxonomies (like by project type, organization type etc). Folders are nestable and you can define views within folders. Maintained by CloudBees, Inc.
Library home page: https://github.com/jenkinsci/cloudbees-folder-plugin/
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jenkins-ci.plugins/cloudbees-folder/6.16/53b5e0e56eb9041b71922bed842689c948bce5f9/cloudbees-folder-6.16.jar
Dependency Hierarchy: - :x: **cloudbees-folder-6.16.jar** (Vulnerable Library)
Found in HEAD commit: 26696d30ae3a174047ee21ec6573e9b8b0bc1d1e
Found in base branch: main
### Vulnerability DetailsJenkins Folders Plugin 6.846.v23698686f0f6 and earlier displays an error message that includes an absolute path of a log file when attempting to access the Scan Organization Folder Log if no logs are available, exposing information about the Jenkins controller file system.
Publish Date: 2023-08-16
URL: CVE-2023-40338
### CVSS 3 Score Details (4.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-40338
Release Date: 2023-08-16
Fix Resolution: org.jenkins-ci.plugins:cloudbees-folder:6.848.ve3b_fd7839a_81
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2023-40337
### Vulnerable Library - cloudbees-folder-6.16.jarThis plugin allows users to create "folders" to organize jobs. Users can define custom taxonomies (like by project type, organization type etc). Folders are nestable and you can define views within folders. Maintained by CloudBees, Inc.
Library home page: https://github.com/jenkinsci/cloudbees-folder-plugin/
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jenkins-ci.plugins/cloudbees-folder/6.16/53b5e0e56eb9041b71922bed842689c948bce5f9/cloudbees-folder-6.16.jar
Dependency Hierarchy: - :x: **cloudbees-folder-6.16.jar** (Vulnerable Library)
Found in HEAD commit: 26696d30ae3a174047ee21ec6573e9b8b0bc1d1e
Found in base branch: main
### Vulnerability DetailsA cross-site request forgery (CSRF) vulnerability in Jenkins Folders Plugin 6.846.v23698686f0f6 and earlier allows attackers to copy a view inside a folder.
Publish Date: 2023-08-16
URL: CVE-2023-40337
### CVSS 3 Score Details (4.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-40337
Release Date: 2023-08-16
Fix Resolution: org.jenkins-ci.plugins:cloudbees-folder:6.848.ve3b_fd7839a_81
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.:rescue_worker_helmet:Automatic Remediation will be attempted for this issue.