This repository has been archived by the owner on Oct 25, 2023. It is now read-only.

workflow-job-1207.ve6191ff089f8.jar: 1 vulnerabilities (highest severity is: 5.4) #93

Open
mend-bolt-for-github bot opened this issue May 18, 2023 · 0 comments
Labels
Mend: dependency security vulnerability Security vulnerability detected by Mend

Comments

mend-bolt-for-github bot commented May 18, 2023

Vulnerable Library - workflow-job-1207.ve6191ff089f8.jar

The Jenkins Plugins Parent POM Project

Path to vulnerable library: /setup/jenkins/plugins/workflow-job/WEB-INF/lib/workflow-job.jar

Found in HEAD commit: c737bff522acd627979af76e7bd3a589477f0497

Vulnerabilities

CVE: CVE-2023-32977
Severity: Medium
CVSS: 5.4
Dependency: workflow-job-1207.ve6191ff089f8.jar
Type: Direct
Fixed in (workflow-job version): org.jenkins-ci.plugins.workflow:workflow-job:1295.v395eb_7400005
Remediation Possible**

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-32977

Dependency Hierarchy:

  • workflow-job-1207.ve6191ff089f8.jar (Vulnerable Library)

Found in base branch: dev

Vulnerability Details

Jenkins Pipeline: Job Plugin does not escape the display name of the build that caused an earlier build to be aborted, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to set build display names immediately.

Publish Date: 2023-05-16

URL: CVE-2023-32977

CVSS 3 Score Details (5.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-3042

Release Date: 2023-05-16

Fix Resolution: org.jenkins-ci.plugins.workflow:workflow-job:1295.v395eb_7400005

@mend-bolt-for-github mend-bolt-for-github bot added the Mend: dependency security vulnerability Security vulnerability detected by Mend label May 18, 2023
@mend-bolt-for-github mend-bolt-for-github bot changed the title workflow-job-1207.ve6191ff089f8.jar: 1 vulnerabilities (highest severity is: 7.5) workflow-job-1207.ve6191ff089f8.jar: 1 vulnerabilities (highest severity is: 5.4) Jun 15, 2023