Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

cloudbees-folder-6.16.jar: 3 vulnerabilities (highest severity is: 8.8) #283

Open
mend-for-github-com bot opened this issue Aug 18, 2023 · 1 comment
Labels
Mend: dependency security vulnerability Security vulnerability detected by Mend

Comments

@mend-for-github-com
Copy link
Contributor

mend-for-github-com bot commented Aug 18, 2023

Vulnerable Library - cloudbees-folder-6.16.jar

This plugin allows users to create "folders" to organize jobs. Users can define custom taxonomies (like by project type, organization type etc). Folders are nestable and you can define views within folders. Maintained by CloudBees, Inc.

Library home page: https://github.com/jenkinsci/cloudbees-folder-plugin/

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jenkins-ci.plugins/cloudbees-folder/6.16/53b5e0e56eb9041b71922bed842689c948bce5f9/cloudbees-folder-6.16.jar

Found in HEAD commit: 26696d30ae3a174047ee21ec6573e9b8b0bc1d1e

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (cloudbees-folder version) Remediation Possible**
CVE-2023-40336 High 8.8 cloudbees-folder-6.16.jar Direct org.jenkins-ci.plugins:cloudbees-folder:6.848.ve3b_fd7839a_81
CVE-2023-40338 Medium 4.3 cloudbees-folder-6.16.jar Direct org.jenkins-ci.plugins:cloudbees-folder:6.848.ve3b_fd7839a_81
CVE-2023-40337 Medium 4.3 cloudbees-folder-6.16.jar Direct org.jenkins-ci.plugins:cloudbees-folder:6.848.ve3b_fd7839a_81

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-40336

Vulnerable Library - cloudbees-folder-6.16.jar

This plugin allows users to create "folders" to organize jobs. Users can define custom taxonomies (like by project type, organization type etc). Folders are nestable and you can define views within folders. Maintained by CloudBees, Inc.

Library home page: https://github.com/jenkinsci/cloudbees-folder-plugin/

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jenkins-ci.plugins/cloudbees-folder/6.16/53b5e0e56eb9041b71922bed842689c948bce5f9/cloudbees-folder-6.16.jar

Dependency Hierarchy:

  • cloudbees-folder-6.16.jar (Vulnerable Library)

Found in HEAD commit: 26696d30ae3a174047ee21ec6573e9b8b0bc1d1e

Found in base branch: main

Vulnerability Details

A cross-site request forgery (CSRF) vulnerability in Jenkins Folders Plugin 6.846.v23698686f0f6 and earlier allows attackers to copy folders.

Publish Date: 2023-08-16

URL: CVE-2023-40336

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-40336

Release Date: 2023-08-16

Fix Resolution: org.jenkins-ci.plugins:cloudbees-folder:6.848.ve3b_fd7839a_81

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2023-40338

Vulnerable Library - cloudbees-folder-6.16.jar

This plugin allows users to create "folders" to organize jobs. Users can define custom taxonomies (like by project type, organization type etc). Folders are nestable and you can define views within folders. Maintained by CloudBees, Inc.

Library home page: https://github.com/jenkinsci/cloudbees-folder-plugin/

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jenkins-ci.plugins/cloudbees-folder/6.16/53b5e0e56eb9041b71922bed842689c948bce5f9/cloudbees-folder-6.16.jar

Dependency Hierarchy:

  • cloudbees-folder-6.16.jar (Vulnerable Library)

Found in HEAD commit: 26696d30ae3a174047ee21ec6573e9b8b0bc1d1e

Found in base branch: main

Vulnerability Details

Jenkins Folders Plugin 6.846.v23698686f0f6 and earlier displays an error message that includes an absolute path of a log file when attempting to access the Scan Organization Folder Log if no logs are available, exposing information about the Jenkins controller file system.

Publish Date: 2023-08-16

URL: CVE-2023-40338

CVSS 3 Score Details (4.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-40338

Release Date: 2023-08-16

Fix Resolution: org.jenkins-ci.plugins:cloudbees-folder:6.848.ve3b_fd7839a_81

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2023-40337

Vulnerable Library - cloudbees-folder-6.16.jar

This plugin allows users to create "folders" to organize jobs. Users can define custom taxonomies (like by project type, organization type etc). Folders are nestable and you can define views within folders. Maintained by CloudBees, Inc.

Library home page: https://github.com/jenkinsci/cloudbees-folder-plugin/

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jenkins-ci.plugins/cloudbees-folder/6.16/53b5e0e56eb9041b71922bed842689c948bce5f9/cloudbees-folder-6.16.jar

Dependency Hierarchy:

  • cloudbees-folder-6.16.jar (Vulnerable Library)

Found in HEAD commit: 26696d30ae3a174047ee21ec6573e9b8b0bc1d1e

Found in base branch: main

Vulnerability Details

A cross-site request forgery (CSRF) vulnerability in Jenkins Folders Plugin 6.846.v23698686f0f6 and earlier allows attackers to copy a view inside a folder.

Publish Date: 2023-08-16

URL: CVE-2023-40337

CVSS 3 Score Details (4.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-40337

Release Date: 2023-08-16

Fix Resolution: org.jenkins-ci.plugins:cloudbees-folder:6.848.ve3b_fd7839a_81

⛑️ Automatic Remediation will be attempted for this issue.


⛑️Automatic Remediation will be attempted for this issue.

@mend-for-github-com mend-for-github-com bot added the Mend: dependency security vulnerability Security vulnerability detected by Mend label Aug 18, 2023
@mend-for-github-com mend-for-github-com bot changed the title cloudbees-folder-6.16.jar: 3 vulnerabilities (highest severity is: 8.0) cloudbees-folder-6.16.jar: 3 vulnerabilities (highest severity is: 8.8) Aug 24, 2023
@jordarlu
Copy link
Contributor

jordarlu commented Oct 19, 2023

Looks like these CVEs could be caused by cached dependencies from others as we cannot find cloudbees-folder specified in build.gradle, and we tried to avoid adding new individual dependency to prevent maintanence difficulty in the future.

I also tried to bump workflowCpsGlobalLibraryPluginVersion to the latest 609.vd95673f149b_b, it did fix 7 CVEs but also introduced another 6 new CVEs in the meantime ; hence, we may have to hold for it ,,

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Mend: dependency security vulnerability Security vulnerability detected by Mend
Projects
Status: 📦 Backlog
Development

No branches or pull requests

2 participants