jenkins-core-2.176.jar: 71 vulnerabilities (highest severity is: 9.8)

[mend-for-github-com[bot]]

Vulnerable Library - jenkins-core-2.176.jar

Jenkins core code and view files to render HTML.

Library home page: https://jenkins.io/jenkins-parent/jenkins-core/

Path to dependency file: /build.gradle

Path to vulnerable library: /caches/modules-2/files-2.1/org.jenkins-ci.main/jenkins-core/2.176/95ee06bed42207774c63dc8ead89f79f2a9daee9/jenkins-core-2.176.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jenkins-ci.main/jenkins-core/2.176/95ee06bed42207774c63dc8ead89f79f2a9daee9/jenkins-core-2.176.jar

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (jenkins-core version)	Remediation Possible**	Reachability
CVE-2024-23897	Critical	9.8	jenkins-core-2.176.jar	Direct	org.jenkins-ci.main:jenkins-core:2.442,2.426.3	✅
CVE-2021-21696	Critical	9.8	jenkins-core-2.176.jar	Direct	org.jenkins-ci.main:jenkins-core:2.319,2.303.3	✅
CVE-2021-21694	Critical	9.8	jenkins-core-2.176.jar	Direct	org.jenkins-ci.main:jenkins-core:2.319,2.303.3	✅
CVE-2021-21693	Critical	9.8	jenkins-core-2.176.jar	Direct	org.jenkins-ci.main:jenkins-core:2.319,2.303.3	✅
CVE-2021-21692	Critical	9.8	jenkins-core-2.176.jar	Direct	org.jenkins-ci.main:jenkins-core:2.319,2.303.3	✅
CVE-2021-21691	Critical	9.8	jenkins-core-2.176.jar	Direct	org.jenkins-ci.main:jenkins-core:2.319,2.303.3	✅
CVE-2021-21690	Critical	9.8	jenkins-core-2.176.jar	Direct	org.jenkins-ci.main:jenkins-core:2.319,2.303.3	✅
CVE-2023-27898	Critical	9.6	jenkins-core-2.176.jar	Direct	org.jenkins-ci.main:jenkins-core:2.375.4,2.387.1,2.394	✅
CVE-2021-21697	Critical	9.1	jenkins-core-2.176.jar	Direct	org.jenkins-ci.main:jenkins-core:2.319,2.303.3	✅
CVE-2021-21689	Critical	9.1	jenkins-core-2.176.jar	Direct	org.jenkins-ci.main:jenkins-core:2.319,2.303.3	✅
CVE-2021-21687	Critical	9.1	jenkins-core-2.176.jar	Direct	org.jenkins-ci.main:jenkins-core:2.319,2.303.3	✅
CVE-2021-21685	Critical	9.1	jenkins-core-2.176.jar	Direct	org.jenkins-ci.main:jenkins-core:2.319,2.303.3	✅
CVE-2024-43044	High	8.8	jenkins-core-2.176.jar	Direct	org.jenkins-ci.main:jenkins-core:2.452.4,2.462.1,2.471	✅
CVE-2023-43496	High	8.8	jenkins-core-2.176.jar	Direct	org.jenkins-ci.main:jenkins-core:2.414.2,2.424	✅
CVE-2021-21695	High	8.8	jenkins-core-2.176.jar	Direct	org.jenkins-ci.main:jenkins-core:2.319,2.303.3	✅
CVE-2020-2160	High	8.8	jenkins-core-2.176.jar	Direct	jenkins_2.228,LTS_2.204.6	✅
CVE-2019-10384	High	8.8	jenkins-core-2.176.jar	Direct	jenkins-2.192;LTS-jenkins-2.176.3	✅
CVE-2020-2099	High	8.6	jenkins-core-2.176.jar	Direct	org.jenkins-ci.main:jenkins-core:2.204.2,2.214	✅
CVE-2023-43498	High	8.1	jenkins-core-2.176.jar	Direct	org.jenkins-ci.main:jenkins-core:2.414.2,2.424	✅
CVE-2023-43497	High	8.1	jenkins-core-2.176.jar	Direct	org.jenkins-ci.main:jenkins-core:2.414.2,2.424	✅
CVE-2021-21686	High	8.1	jenkins-core-2.176.jar	Direct	org.jenkins-ci.main:jenkins-core:2.319,2.303.3	✅
CVE-2023-35141	High	8.0	jenkins-core-2.176.jar	Direct	org.jenkins-ci.main:jenkins-core:2.400,2.401.1	✅
CVE-2021-21605	High	8.0	jenkins-core-2.176.jar	Direct	org.jenkins-ci.main:jenkins-core:2.275, org.jenkins-ci.main:jenkins-core:LTS 2.263.2	✅
CVE-2021-21604	High	8.0	jenkins-core-2.176.jar	Direct	org.jenkins-ci.main:jenkins-core:2.275, org.jenkins-ci.main:jenkins-core:LTS 2.263.2	✅
CVE-2023-27901	High	7.5	jenkins-core-2.176.jar	Direct	org.jenkins-ci.main:jenkins-core:2.375.4,2.387.1,2.394	✅
CVE-2023-27900	High	7.5	jenkins-core-2.176.jar	Direct	org.jenkins-ci.main:jenkins-core:2.375.4,2.387.1,2.394	✅
CVE-2022-34174	High	7.5	jenkins-core-2.176.jar	Direct	org.jenkins-ci.main:jenkins-core:2.356,2.332.4	✅
CVE-2022-0538	High	7.5	jenkins-core-2.176.jar	Direct	org.jenkins-ci.main:jenkins-core:2.319.3,2.334	✅
CVE-2021-21688	High	7.5	jenkins-core-2.176.jar	Direct	org.jenkins-ci.main:jenkins-core:2.319,2.303.3	✅
CVE-2023-27899	High	7.0	jenkins-core-2.176.jar	Direct	org.jenkins-ci.main:jenkins-core:2.375.4,2.387.1,2.394	✅
CVE-2021-21607	Medium	6.5	jenkins-core-2.176.jar	Direct	org.jenkins-ci.main:jenkins-core:2.275, org.jenkins-ci.main:jenkins-core:LTS 2.263.2	✅
CVE-2021-21602	Medium	6.5	jenkins-core-2.176.jar	Direct	org.jenkins-ci.main:jenkins-core:2.275, org.jenkins-ci.main:jenkins-core:LTS 2.263.2	✅
CVE-2024-43045	Medium	6.3	jenkins-core-2.176.jar	Direct	org.jenkins-ci.main:jenkins-core:2.452.4,2.462.1,2.471	✅
CVE-2021-21610	Medium	6.1	jenkins-core-2.176.jar	Direct	org.jenkins-ci.main:jenkins-core:2.275, org.jenkins-ci.main:jenkins-core:LTS 2.263.2	✅
CVE-2020-2100	Medium	5.8	jenkins-core-2.176.jar	Direct	org.jenkins-ci.main:jenkins-core:2.204.2,2.219	✅
CVE-2023-43495	Medium	5.4	jenkins-core-2.176.jar	Direct	org.jenkins-ci.main:jenkins-core:2.414.2,2.424	✅
CVE-2023-39151	Medium	5.4	jenkins-core-2.176.jar	Direct	org.jenkins-ci.main:jenkins-core:2.416,2.401.3	✅
CVE-2021-21611	Medium	5.4	jenkins-core-2.176.jar	Direct	org.jenkins-ci.main:jenkins-core:2.275, org.jenkins-ci.main:jenkins-core:LTS 2.263.2	✅
CVE-2020-2231	Medium	5.4	jenkins-core-2.176.jar	Direct	org.jenkins-ci.main:jenkins-core:2.235.4,2.252	✅
CVE-2020-2230	Medium	5.4	jenkins-core-2.176.jar	Direct	org.jenkins-ci.main:jenkins-core:2.235.4,2.252	✅
CVE-2020-2229	Medium	5.4	jenkins-core-2.176.jar	Direct	org.jenkins-ci.main:jenkins-core:2.235.4,2.252	✅
CVE-2020-2223	Medium	5.4	jenkins-core-2.176.jar	Direct	org.jenkins-ci.main:jenkins-core:2.235.2,2.245	✅
CVE-2020-2222	Medium	5.4	jenkins-core-2.176.jar	Direct	org.jenkins-ci.main:jenkins-core:2.235.2,2.245	✅
CVE-2020-2221	Medium	5.4	jenkins-core-2.176.jar	Direct	org.jenkins-ci.main:jenkins-core:2.235.2,2.245	✅
CVE-2020-2220	Medium	5.4	jenkins-core-2.176.jar	Direct	org.jenkins-ci.main:jenkins-core:2.235.2,2.245	✅
CVE-2020-2163	Medium	5.4	jenkins-core-2.176.jar	Direct	jenkins_2.228,LTS_2.204.6	✅
CVE-2020-2162	Medium	5.4	jenkins-core-2.176.jar	Direct	jenkins_2.228,LTS_2.204.6	✅
CVE-2020-2161	Medium	5.4	jenkins-core-2.176.jar	Direct	jenkins_2.228,LTS_2.204.6	✅
CVE-2020-2105	Medium	5.4	jenkins-core-2.176.jar	Direct	org.jenkins-ci.main:jenkins-core:2.204.2:2.219	✅
CVE-2020-2103	Medium	5.4	jenkins-core-2.176.jar	Direct	org.jenkins-ci.main:jenkins-core:2.204.2,2.219	✅
CVE-2019-10405	Medium	5.4	jenkins-core-2.176.jar	Direct	Weekly - 2.197, LTS - 2.176.4	✅
CVE-2019-10404	Medium	5.4	jenkins-core-2.176.jar	Direct	Weekly - 2.197, LTS - 2.176.4	✅
CVE-2019-10403	Medium	5.4	jenkins-core-2.176.jar	Direct	Weekly - 2.197, LTS - 2.176.4	✅
CVE-2023-27904	Medium	5.3	jenkins-core-2.176.jar	Direct	org.jenkins-ci.main:jenkins-core:2.375.4,2.387.1,2.394	✅
CVE-2021-21615	Medium	5.3	jenkins-core-2.176.jar	Direct	org.jenkins-ci.main:jenkins-core:2.263.3,2.276	✅
CVE-2021-21609	Medium	5.3	jenkins-core-2.176.jar	Direct	org.jenkins-ci.main:jenkins-core:2.275, org.jenkins-ci.main:jenkins-core:LTS 2.263.2	✅
CVE-2020-2102	Medium	5.3	jenkins-core-2.176.jar	Direct	org.jenkins-ci.main:jenkins-core:2.204.2,2.219	✅
CVE-2020-2101	Medium	5.3	jenkins-core-2.176.jar	Direct	N/A	❌
CVE-2019-10406	Medium	4.8	jenkins-core-2.176.jar	Direct	Weekly - 2.197, LTS - 2.176.4	✅
CVE-2019-10383	Medium	4.8	jenkins-core-2.176.jar	Direct	jenkins-2.192;jenkins-2.176.3	✅
CVE-2023-27903	Medium	4.4	jenkins-core-2.176.jar	Direct	org.jenkins-ci.main:jenkins-core:2.375.4,2.387.1,2.394	✅
CVE-2024-47804	Medium	4.3	jenkins-core-2.176.jar	Direct	org.jenkins-ci.main:jenkins-core:2.462.3,2.479	✅
CVE-2024-47803	Medium	4.3	jenkins-core-2.176.jar	Direct	org.jenkins-ci.main:jenkins-core:2.462.3,2.479	✅
CVE-2023-43494	Medium	4.3	jenkins-core-2.176.jar	Direct	org.jenkins-ci.main:jenkins-core:2.414.2,2.424	✅
CVE-2023-27902	Medium	4.3	jenkins-core-2.176.jar	Direct	org.jenkins-ci.main:jenkins-core:2.394	✅
CVE-2022-20612	Medium	4.3	jenkins-core-2.176.jar	Direct	org.jenkins-ci.main:jenkins-core:jenkins-2.319.2;jenkins-2.330	✅
CVE-2021-21640	Medium	4.3	jenkins-core-2.176.jar	Direct	jenkins-2.287	✅
CVE-2021-21639	Medium	4.3	jenkins-core-2.176.jar	Direct	jenkins-2.287	✅
CVE-2021-21606	Medium	4.3	jenkins-core-2.176.jar	Direct	org.jenkins-ci.main:jenkins-core:2.275, org.jenkins-ci.main:jenkins-core:LTS 2.263.2	✅
CVE-2020-2104	Medium	4.3	jenkins-core-2.176.jar	Direct	org.jenkins-ci.main:jenkins-core:2.204.2,2.219	✅
CVE-2017-2602	Medium	4.3	jenkins-core-2.176.jar	Direct	jenkins-2.32.2	✅

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

Partial details (19 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

CVE-2024-23897

### Vulnerable Library - jenkins-core-2.176.jar

Jenkins core code and view files to render HTML.

Library home page: https://jenkins.io/jenkins-parent/jenkins-core/

Path to dependency file: /build.gradle

Path to vulnerable library: /caches/modules-2/files-2.1/org.jenkins-ci.main/jenkins-core/2.176/95ee06bed42207774c63dc8ead89f79f2a9daee9/jenkins-core-2.176.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jenkins-ci.main/jenkins-core/2.176/95ee06bed42207774c63dc8ead89f79f2a9daee9/jenkins-core-2.176.jar

Dependency Hierarchy: - :x: **jenkins-core-2.176.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system.

Publish Date: 2024-01-24

URL: CVE-2024-23897

### CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.jenkins.io/security/advisory/2024-01-24/#SECURITY-3314

Release Date: 2024-01-24

Fix Resolution: org.jenkins-ci.main:jenkins-core:2.442,2.426.3

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2021-21696

### Vulnerable Library - jenkins-core-2.176.jar

Jenkins core code and view files to render HTML.

Library home page: https://jenkins.io/jenkins-parent/jenkins-core/

Path to dependency file: /build.gradle

Path to vulnerable library: /caches/modules-2/files-2.1/org.jenkins-ci.main/jenkins-core/2.176/95ee06bed42207774c63dc8ead89f79f2a9daee9/jenkins-core-2.176.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jenkins-ci.main/jenkins-core/2.176/95ee06bed42207774c63dc8ead89f79f2a9daee9/jenkins-core-2.176.jar

Dependency Hierarchy: - :x: **jenkins-core-2.176.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not limit agent read/write access to the libs/ directory inside build directories when using the FilePath APIs, allowing attackers in control of agent processes to replace the code of a trusted library with a modified variant. This results in unsandboxed code execution in the Jenkins controller process.

Publish Date: 2021-11-04

URL: CVE-2021-21696

### CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2423

Release Date: 2021-11-04

Fix Resolution: org.jenkins-ci.main:jenkins-core:2.319,2.303.3

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2021-21694

### Vulnerable Library - jenkins-core-2.176.jar

Jenkins core code and view files to render HTML.

Library home page: https://jenkins.io/jenkins-parent/jenkins-core/

Path to dependency file: /build.gradle

Path to vulnerable library: /caches/modules-2/files-2.1/org.jenkins-ci.main/jenkins-core/2.176/95ee06bed42207774c63dc8ead89f79f2a9daee9/jenkins-core-2.176.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jenkins-ci.main/jenkins-core/2.176/95ee06bed42207774c63dc8ead89f79f2a9daee9/jenkins-core-2.176.jar

Dependency Hierarchy: - :x: **jenkins-core-2.176.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize, FilePath#isDescendant, and FilePath#get*DiskSpace do not check any permissions in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier.

Publish Date: 2021-11-04

URL: CVE-2021-21694

### CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455

Release Date: 2021-11-04

Fix Resolution: org.jenkins-ci.main:jenkins-core:2.319,2.303.3

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2021-21693

### Vulnerable Library - jenkins-core-2.176.jar

Jenkins core code and view files to render HTML.

Library home page: https://jenkins.io/jenkins-parent/jenkins-core/

Path to dependency file: /build.gradle

Path to vulnerable library: /caches/modules-2/files-2.1/org.jenkins-ci.main/jenkins-core/2.176/95ee06bed42207774c63dc8ead89f79f2a9daee9/jenkins-core-2.176.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jenkins-ci.main/jenkins-core/2.176/95ee06bed42207774c63dc8ead89f79f2a9daee9/jenkins-core-2.176.jar

Dependency Hierarchy: - :x: **jenkins-core-2.176.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

When creating temporary files, agent-to-controller access to create those files is only checked after they've been created in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier.

Publish Date: 2021-11-04

URL: CVE-2021-21693

### CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455

Release Date: 2021-11-04

Fix Resolution: org.jenkins-ci.main:jenkins-core:2.319,2.303.3

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2021-21692

### Vulnerable Library - jenkins-core-2.176.jar

Jenkins core code and view files to render HTML.

Library home page: https://jenkins.io/jenkins-parent/jenkins-core/

Path to dependency file: /build.gradle

Path to vulnerable library: /caches/modules-2/files-2.1/org.jenkins-ci.main/jenkins-core/2.176/95ee06bed42207774c63dc8ead89f79f2a9daee9/jenkins-core-2.176.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jenkins-ci.main/jenkins-core/2.176/95ee06bed42207774c63dc8ead89f79f2a9daee9/jenkins-core-2.176.jar

Dependency Hierarchy: - :x: **jenkins-core-2.176.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

FilePath#renameTo and FilePath#moveAllChildrenTo in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier only check 'read' agent-to-controller access permission on the source path, instead of 'delete'.

Publish Date: 2021-11-04

URL: CVE-2021-21692

### CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455

Release Date: 2021-11-04

Fix Resolution: org.jenkins-ci.main:jenkins-core:2.319,2.303.3

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2021-21691

### Vulnerable Library - jenkins-core-2.176.jar

Jenkins core code and view files to render HTML.

Library home page: https://jenkins.io/jenkins-parent/jenkins-core/

Path to dependency file: /build.gradle

Path to vulnerable library: /caches/modules-2/files-2.1/org.jenkins-ci.main/jenkins-core/2.176/95ee06bed42207774c63dc8ead89f79f2a9daee9/jenkins-core-2.176.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jenkins-ci.main/jenkins-core/2.176/95ee06bed42207774c63dc8ead89f79f2a9daee9/jenkins-core-2.176.jar

Dependency Hierarchy: - :x: **jenkins-core-2.176.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

Creating symbolic links is possible without the 'symlink' agent-to-controller access control permission in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier.

Publish Date: 2021-11-04

URL: CVE-2021-21691

### CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455

Release Date: 2021-11-04

Fix Resolution: org.jenkins-ci.main:jenkins-core:2.319,2.303.3

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2021-21690

### Vulnerable Library - jenkins-core-2.176.jar

Jenkins core code and view files to render HTML.

Library home page: https://jenkins.io/jenkins-parent/jenkins-core/

Path to dependency file: /build.gradle

Path to vulnerable library: /caches/modules-2/files-2.1/org.jenkins-ci.main/jenkins-core/2.176/95ee06bed42207774c63dc8ead89f79f2a9daee9/jenkins-core-2.176.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jenkins-ci.main/jenkins-core/2.176/95ee06bed42207774c63dc8ead89f79f2a9daee9/jenkins-core-2.176.jar

Dependency Hierarchy: - :x: **jenkins-core-2.176.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

Agent processes are able to completely bypass file path filtering by wrapping the file operation in an agent file path in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier.

Publish Date: 2021-11-04

URL: CVE-2021-21690

### CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455

Release Date: 2021-11-04

Fix Resolution: org.jenkins-ci.main:jenkins-core:2.319,2.303.3

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2023-27898

### Vulnerable Library - jenkins-core-2.176.jar

Jenkins core code and view files to render HTML.

Library home page: https://jenkins.io/jenkins-parent/jenkins-core/

Path to dependency file: /build.gradle

Path to vulnerable library: /caches/modules-2/files-2.1/org.jenkins-ci.main/jenkins-core/2.176/95ee06bed42207774c63dc8ead89f79f2a9daee9/jenkins-core-2.176.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jenkins-ci.main/jenkins-core/2.176/95ee06bed42207774c63dc8ead89f79f2a9daee9/jenkins-core-2.176.jar

Dependency Hierarchy: - :x: **jenkins-core-2.176.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

Jenkins 2.270 through 2.393 (both inclusive), LTS 2.277.1 through 2.375.3 (both inclusive) does not escape the Jenkins version a plugin depends on when rendering the error message stating its incompatibility with the current version of Jenkins, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide plugins to the configured update sites and have this message shown by Jenkins instances.

Publish Date: 2023-03-08

URL: CVE-2023-27898

### CVSS 3 Score Details (9.6)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-3037

Release Date: 2023-03-08

Fix Resolution: org.jenkins-ci.main:jenkins-core:2.375.4,2.387.1,2.394

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2021-21697

### Vulnerable Library - jenkins-core-2.176.jar

Jenkins core code and view files to render HTML.

Library home page: https://jenkins.io/jenkins-parent/jenkins-core/

Path to dependency file: /build.gradle

Path to vulnerable library: /caches/modules-2/files-2.1/org.jenkins-ci.main/jenkins-core/2.176/95ee06bed42207774c63dc8ead89f79f2a9daee9/jenkins-core-2.176.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jenkins-ci.main/jenkins-core/2.176/95ee06bed42207774c63dc8ead89f79f2a9daee9/jenkins-core-2.176.jar

Dependency Hierarchy: - :x: **jenkins-core-2.176.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

Jenkins 2.318 and earlier, LTS 2.303.2 and earlier allows any agent to read and write the contents of any build directory stored in Jenkins with very few restrictions.

Publish Date: 2021-11-04

URL: CVE-2021-21697

### CVSS 3 Score Details (9.1)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2428

Release Date: 2021-11-04

Fix Resolution: org.jenkins-ci.main:jenkins-core:2.319,2.303.3

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2021-21689

### Vulnerable Library - jenkins-core-2.176.jar

Jenkins core code and view files to render HTML.

Library home page: https://jenkins.io/jenkins-parent/jenkins-core/

Path to dependency file: /build.gradle

Path to vulnerable library: /caches/modules-2/files-2.1/org.jenkins-ci.main/jenkins-core/2.176/95ee06bed42207774c63dc8ead89f79f2a9daee9/jenkins-core-2.176.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jenkins-ci.main/jenkins-core/2.176/95ee06bed42207774c63dc8ead89f79f2a9daee9/jenkins-core-2.176.jar

Dependency Hierarchy: - :x: **jenkins-core-2.176.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

FilePath#unzip and FilePath#untar were not subject to any agent-to-controller access control in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier.

Publish Date: 2021-11-04

URL: CVE-2021-21689

### CVSS 3 Score Details (9.1)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455

Release Date: 2021-11-04

Fix Resolution: org.jenkins-ci.main:jenkins-core:2.319,2.303.3

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2021-21687

### Vulnerable Library - jenkins-core-2.176.jar

Jenkins core code and view files to render HTML.

Library home page: https://jenkins.io/jenkins-parent/jenkins-core/

Path to dependency file: /build.gradle

Path to vulnerable library: /caches/modules-2/files-2.1/org.jenkins-ci.main/jenkins-core/2.176/95ee06bed42207774c63dc8ead89f79f2a9daee9/jenkins-core-2.176.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jenkins-ci.main/jenkins-core/2.176/95ee06bed42207774c63dc8ead89f79f2a9daee9/jenkins-core-2.176.jar

Dependency Hierarchy: - :x: **jenkins-core-2.176.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not check agent-to-controller access to create symbolic links when unarchiving a symbolic link in FilePath#untar.

Publish Date: 2021-11-04

URL: CVE-2021-21687

### CVSS 3 Score Details (9.1)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455

Release Date: 2021-11-04

Fix Resolution: org.jenkins-ci.main:jenkins-core:2.319,2.303.3

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2021-21685

### Vulnerable Library - jenkins-core-2.176.jar

Jenkins core code and view files to render HTML.

Library home page: https://jenkins.io/jenkins-parent/jenkins-core/

Path to dependency file: /build.gradle

Path to vulnerable library: /caches/modules-2/files-2.1/org.jenkins-ci.main/jenkins-core/2.176/95ee06bed42207774c63dc8ead89f79f2a9daee9/jenkins-core-2.176.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jenkins-ci.main/jenkins-core/2.176/95ee06bed42207774c63dc8ead89f79f2a9daee9/jenkins-core-2.176.jar

Dependency Hierarchy: - :x: **jenkins-core-2.176.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not check agent-to-controller access to create parent directories in FilePath#mkdirs.

Publish Date: 2021-11-04

URL: CVE-2021-21685

### CVSS 3 Score Details (9.1)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455

Release Date: 2021-11-04

Fix Resolution: org.jenkins-ci.main:jenkins-core:2.319,2.303.3

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2024-43044

### Vulnerable Library - jenkins-core-2.176.jar

Jenkins core code and view files to render HTML.

Library home page: https://jenkins.io/jenkins-parent/jenkins-core/

Path to dependency file: /build.gradle

Path to vulnerable library: /caches/modules-2/files-2.1/org.jenkins-ci.main/jenkins-core/2.176/95ee06bed42207774c63dc8ead89f79f2a9daee9/jenkins-core-2.176.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jenkins-ci.main/jenkins-core/2.176/95ee06bed42207774c63dc8ead89f79f2a9daee9/jenkins-core-2.176.jar

Dependency Hierarchy: - :x: **jenkins-core-2.176.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

Jenkins 2.470 and earlier, LTS 2.452.3 and earlier allows agent processes to read arbitrary files from the Jenkins controller file system by using the `ClassLoaderProxy#fetchJar` method in the Remoting library.

Publish Date: 2024-08-07

URL: CVE-2024-43044

### CVSS 3 Score Details (8.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.jenkins.io/security/advisory/2024-08-07/

Release Date: 2024-08-07

Fix Resolution: org.jenkins-ci.main:jenkins-core:2.452.4,2.462.1,2.471

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2023-43496

### Vulnerable Library - jenkins-core-2.176.jar

Jenkins core code and view files to render HTML.

Library home page: https://jenkins.io/jenkins-parent/jenkins-core/

Path to dependency file: /build.gradle

Path to vulnerable library: /caches/modules-2/files-2.1/org.jenkins-ci.main/jenkins-core/2.176/95ee06bed42207774c63dc8ead89f79f2a9daee9/jenkins-core-2.176.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jenkins-ci.main/jenkins-core/2.176/95ee06bed42207774c63dc8ead89f79f2a9daee9/jenkins-core-2.176.jar

Dependency Hierarchy: - :x: **jenkins-core-2.176.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

Jenkins 2.423 and earlier, LTS 2.414.1 and earlier creates a temporary file in the system temporary directory with the default permissions for newly created files when installing a plugin from a URL, potentially allowing attackers with access to the system temporary directory to replace the file before it is installed in Jenkins, potentially resulting in arbitrary code execution.

Publish Date: 2023-09-20

URL: CVE-2023-43496

### CVSS 3 Score Details (8.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-43496

Release Date: 2023-09-20

Fix Resolution: org.jenkins-ci.main:jenkins-core:2.414.2,2.424

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2021-21695

### Vulnerable Library - jenkins-core-2.176.jar

Jenkins core code and view files to render HTML.

Library home page: https://jenkins.io/jenkins-parent/jenkins-core/

Path to dependency file: /build.gradle

Path to vulnerable library: /caches/modules-2/files-2.1/org.jenkins-ci.main/jenkins-core/2.176/95ee06bed42207774c63dc8ead89f79f2a9daee9/jenkins-core-2.176.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jenkins-ci.main/jenkins-core/2.176/95ee06bed42207774c63dc8ead89f79f2a9daee9/jenkins-core-2.176.jar

Dependency Hierarchy: - :x: **jenkins-core-2.176.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

FilePath#listFiles lists files outside directories that agents are allowed to access when following symbolic links in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier.

Publish Date: 2021-11-04

URL: CVE-2021-21695

### CVSS 3 Score Details (8.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455

Release Date: 2021-11-04

Fix Resolution: org.jenkins-ci.main:jenkins-core:2.319,2.303.3

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2020-2160

### Vulnerable Library - jenkins-core-2.176.jar

Jenkins core code and view files to render HTML.

Library home page: https://jenkins.io/jenkins-parent/jenkins-core/

Path to dependency file: /build.gradle

Path to vulnerable library: /caches/modules-2/files-2.1/org.jenkins-ci.main/jenkins-core/2.176/95ee06bed42207774c63dc8ead89f79f2a9daee9/jenkins-core-2.176.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jenkins-ci.main/jenkins-core/2.176/95ee06bed42207774c63dc8ead89f79f2a9daee9/jenkins-core-2.176.jar

Dependency Hierarchy: - :x: **jenkins-core-2.176.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

Jenkins 2.227 and earlier, LTS 2.204.5 and earlier uses different representations of request URL paths, which allows attackers to craft URLs that allow bypassing CSRF protection of any target URL.

Publish Date: 2020-03-25

URL: CVE-2020-2160

### CVSS 3 Score Details (8.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://jenkins.io/security/advisory/2020-03-25/#SECURITY-1774

Release Date: 2020-03-25

Fix Resolution: jenkins_2.228,LTS_2.204.6

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2019-10384

### Vulnerable Library - jenkins-core-2.176.jar

Jenkins core code and view files to render HTML.

Library home page: https://jenkins.io/jenkins-parent/jenkins-core/

Path to dependency file: /build.gradle

Path to vulnerable library: /caches/modules-2/files-2.1/org.jenkins-ci.main/jenkins-core/2.176/95ee06bed42207774c63dc8ead89f79f2a9daee9/jenkins-core-2.176.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jenkins-ci.main/jenkins-core/2.176/95ee06bed42207774c63dc8ead89f79f2a9daee9/jenkins-core-2.176.jar

Dependency Hierarchy: - :x: **jenkins-core-2.176.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed users to obtain CSRF tokens without an associated web session ID, resulting in CSRF tokens that did not expire and could be used to bypass CSRF protection for the anonymous user.

Publish Date: 2019-08-28

URL: CVE-2019-10384

### CVSS 3 Score Details (8.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10384

Release Date: 2019-08-28

Fix Resolution: jenkins-2.192;LTS-jenkins-2.176.3

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2020-2099

### Vulnerable Library - jenkins-core-2.176.jar

Jenkins core code and view files to render HTML.

Library home page: https://jenkins.io/jenkins-parent/jenkins-core/

Path to dependency file: /build.gradle

Path to vulnerable library: /caches/modules-2/files-2.1/org.jenkins-ci.main/jenkins-core/2.176/95ee06bed42207774c63dc8ead89f79f2a9daee9/jenkins-core-2.176.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jenkins-ci.main/jenkins-core/2.176/95ee06bed42207774c63dc8ead89f79f2a9daee9/jenkins-core-2.176.jar

Dependency Hierarchy: - :x: **jenkins-core-2.176.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

Jenkins 2.213 and earlier, LTS 2.204.1 and earlier improperly reuses encryption key parameters in the Inbound TCP Agent Protocol/3, allowing unauthorized attackers with knowledge of agent names to obtain the connection secrets for those agents, which can be used to connect to Jenkins, impersonating those agents.

Publish Date: 2020-01-29

URL: CVE-2020-2099

### CVSS 3 Score Details (8.6)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: Low - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-qp4f-2w67-c8hw

Release Date: 2020-03-17

Fix Resolution: org.jenkins-ci.main:jenkins-core:2.204.2,2.214

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2023-43498

### Vulnerable Library - jenkins-core-2.176.jar

Jenkins core code and view files to render HTML.

Library home page: https://jenkins.io/jenkins-parent/jenkins-core/

Path to dependency file: /build.gradle

Path to vulnerable library: /caches/modules-2/files-2.1/org.jenkins-ci.main/jenkins-core/2.176/95ee06bed42207774c63dc8ead89f79f2a9daee9/jenkins-core-2.176.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jenkins-ci.main/jenkins-core/2.176/95ee06bed42207774c63dc8ead89f79f2a9daee9/jenkins-core-2.176.jar

Dependency Hierarchy: - :x: **jenkins-core-2.176.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

In Jenkins 2.423 and earlier, LTS 2.414.1 and earlier, processing file uploads using MultipartFormDataParser creates temporary files in the default system temporary directory with the default permissions for newly created files, potentially allowing attackers with access to the Jenkins controller file system to read and write the files before they are used.

Publish Date: 2023-09-20

URL: CVE-2023-43498

### CVSS 3 Score Details (8.1)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-hq87-h4jg-vxfw

Release Date: 2023-09-20

Fix Resolution: org.jenkins-ci.main:jenkins-core:2.414.2,2.424

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

---

:rescue_worker_helmet:Automatic Remediation will be attempted for this issue.