search

snowdensb / job-dsl-plugin

A Groovy DSL for Jenkins Jobs - Sweeeeet!
Apache License 2.0
0 stars 0 forks source link

structs-1.19.jar: 1 vulnerabilities (highest severity is: 3.1) #271

Open mend-for-github-com[bot] opened 5 months ago

mend-for-github-com[bot] commented 5 months ago
Vulnerable Library - structs-1.19.jar

Library plugin for DSL plugins that need names for Jenkins objects.

Library home page: https://wiki.jenkins-ci.org/display/JENKINS/Structs+plugin

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jenkins-ci.plugins/structs/1.19/39a2d3bc80082de57cffc9bc0d6cd9d58bb94f86/structs-1.19.jar,/caches/modules-2/files-2.1/org.jenkins-ci.plugins/structs/1.19/39a2d3bc80082de57cffc9bc0d6cd9d58bb94f86/structs-1.19.jar

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (structs version) Remediation Possible** Reachability
CVE-2024-39458 Low 3.1 structs-1.19.jar Direct org.jenkins-ci.plugins:structs:338.v848422169819

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2024-39458 ### Vulnerable Library - structs-1.19.jar

Library plugin for DSL plugins that need names for Jenkins objects.

Library home page: https://wiki.jenkins-ci.org/display/JENKINS/Structs+plugin

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jenkins-ci.plugins/structs/1.19/39a2d3bc80082de57cffc9bc0d6cd9d58bb94f86/structs-1.19.jar,/caches/modules-2/files-2.1/org.jenkins-ci.plugins/structs/1.19/39a2d3bc80082de57cffc9bc0d6cd9d58bb94f86/structs-1.19.jar

Dependency Hierarchy: - :x: **structs-1.19.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

When Jenkins Structs Plugin 337.v1b_04ea_4df7c8 and earlier fails to configure a build step, it logs a warning message containing diagnostic information that may contain secrets passed as step parameters, potentially resulting in accidental exposure of secrets through the default system log.

Publish Date: 2024-06-26

URL: CVE-2024-39458

### CVSS 3 Score Details (3.1)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: None - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.jenkins.io/security/advisory/2024-06-26/#SECURITY-3371

Release Date: 2024-06-26

Fix Resolution: org.jenkins-ci.plugins:structs:338.v848422169819

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

:rescue_worker_helmet:Automatic Remediation will be attempted for this issue.