You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This plugin allows users to create "folders" to organize jobs. Users can define custom taxonomies (like
by project type, organization type etc). Folders are nestable and you can define views within folders. Maintained by CloudBees, Inc.
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jenkins-ci.plugins/cloudbees-folder/6.16/53b5e0e56eb9041b71922bed842689c948bce5f9/cloudbees-folder-6.16.jar
This plugin allows users to create "folders" to organize jobs. Users can define custom taxonomies (like
by project type, organization type etc). Folders are nestable and you can define views within folders. Maintained by CloudBees, Inc.
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jenkins-ci.plugins/cloudbees-folder/6.16/53b5e0e56eb9041b71922bed842689c948bce5f9/cloudbees-folder-6.16.jar
This plugin allows users to create "folders" to organize jobs. Users can define custom taxonomies (like
by project type, organization type etc). Folders are nestable and you can define views within folders. Maintained by CloudBees, Inc.
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jenkins-ci.plugins/cloudbees-folder/6.16/53b5e0e56eb9041b71922bed842689c948bce5f9/cloudbees-folder-6.16.jar
Jenkins Folders Plugin 6.846.v23698686f0f6 and earlier displays an error message that includes an absolute path of a log file when attempting to access the Scan Organization Folder Log if no logs are available, exposing information about the Jenkins controller file system.
This plugin allows users to create "folders" to organize jobs. Users can define custom taxonomies (like
by project type, organization type etc). Folders are nestable and you can define views within folders. Maintained by CloudBees, Inc.
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jenkins-ci.plugins/cloudbees-folder/6.16/53b5e0e56eb9041b71922bed842689c948bce5f9/cloudbees-folder-6.16.jar
A cross-site request forgery (CSRF) vulnerability in Jenkins Folders Plugin 6.846.v23698686f0f6 and earlier allows attackers to copy a view inside a folder.
mend-for-github-combot
changed the title
cloudbees-folder-6.16.jar: 3 vulnerabilities (highest severity is: 8.0)
cloudbees-folder-6.16.jar: 3 vulnerabilities (highest severity is: 8.8)
Aug 24, 2023
Looks like these CVEs could be caused by cached dependencies from others as we cannot find cloudbees-folder specified in build.gradle, and we tried to avoid adding new individual dependency to prevent maintanence difficulty in the future.
I also tried to bump workflowCpsGlobalLibraryPluginVersion to the latest 609.vd95673f149b_b, it did fix 7 CVEs but also introduced another 6 new CVEs in the meantime ; hence, we may have to hold for it ,,
Vulnerable Library - cloudbees-folder-6.16.jar
This plugin allows users to create "folders" to organize jobs. Users can define custom taxonomies (like by project type, organization type etc). Folders are nestable and you can define views within folders. Maintained by CloudBees, Inc.
Library home page: https://github.com/jenkinsci/cloudbees-folder-plugin/
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jenkins-ci.plugins/cloudbees-folder/6.16/53b5e0e56eb9041b71922bed842689c948bce5f9/cloudbees-folder-6.16.jar
Found in HEAD commit: 26696d30ae3a174047ee21ec6573e9b8b0bc1d1e
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2023-40336
Vulnerable Library - cloudbees-folder-6.16.jar
This plugin allows users to create "folders" to organize jobs. Users can define custom taxonomies (like by project type, organization type etc). Folders are nestable and you can define views within folders. Maintained by CloudBees, Inc.
Library home page: https://github.com/jenkinsci/cloudbees-folder-plugin/
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jenkins-ci.plugins/cloudbees-folder/6.16/53b5e0e56eb9041b71922bed842689c948bce5f9/cloudbees-folder-6.16.jar
Dependency Hierarchy:
Found in HEAD commit: 26696d30ae3a174047ee21ec6573e9b8b0bc1d1e
Found in base branch: main
Vulnerability Details
A cross-site request forgery (CSRF) vulnerability in Jenkins Folders Plugin 6.846.v23698686f0f6 and earlier allows attackers to copy folders.
Publish Date: 2023-08-16
URL: CVE-2023-40336
CVSS 3 Score Details (8.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-40336
Release Date: 2023-08-16
Fix Resolution: org.jenkins-ci.plugins:cloudbees-folder:6.848.ve3b_fd7839a_81
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2023-40338
Vulnerable Library - cloudbees-folder-6.16.jar
This plugin allows users to create "folders" to organize jobs. Users can define custom taxonomies (like by project type, organization type etc). Folders are nestable and you can define views within folders. Maintained by CloudBees, Inc.
Library home page: https://github.com/jenkinsci/cloudbees-folder-plugin/
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jenkins-ci.plugins/cloudbees-folder/6.16/53b5e0e56eb9041b71922bed842689c948bce5f9/cloudbees-folder-6.16.jar
Dependency Hierarchy:
Found in HEAD commit: 26696d30ae3a174047ee21ec6573e9b8b0bc1d1e
Found in base branch: main
Vulnerability Details
Jenkins Folders Plugin 6.846.v23698686f0f6 and earlier displays an error message that includes an absolute path of a log file when attempting to access the Scan Organization Folder Log if no logs are available, exposing information about the Jenkins controller file system.
Publish Date: 2023-08-16
URL: CVE-2023-40338
CVSS 3 Score Details (4.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-40338
Release Date: 2023-08-16
Fix Resolution: org.jenkins-ci.plugins:cloudbees-folder:6.848.ve3b_fd7839a_81
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2023-40337
Vulnerable Library - cloudbees-folder-6.16.jar
This plugin allows users to create "folders" to organize jobs. Users can define custom taxonomies (like by project type, organization type etc). Folders are nestable and you can define views within folders. Maintained by CloudBees, Inc.
Library home page: https://github.com/jenkinsci/cloudbees-folder-plugin/
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jenkins-ci.plugins/cloudbees-folder/6.16/53b5e0e56eb9041b71922bed842689c948bce5f9/cloudbees-folder-6.16.jar
Dependency Hierarchy:
Found in HEAD commit: 26696d30ae3a174047ee21ec6573e9b8b0bc1d1e
Found in base branch: main
Vulnerability Details
A cross-site request forgery (CSRF) vulnerability in Jenkins Folders Plugin 6.846.v23698686f0f6 and earlier allows attackers to copy a view inside a folder.
Publish Date: 2023-08-16
URL: CVE-2023-40337
CVSS 3 Score Details (4.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-40337
Release Date: 2023-08-16
Fix Resolution: org.jenkins-ci.plugins:cloudbees-folder:6.848.ve3b_fd7839a_81
⛑️ Automatic Remediation will be attempted for this issue.
⛑️Automatic Remediation will be attempted for this issue.
The text was updated successfully, but these errors were encountered: