VYPR

apk package

chainguard/jenkins-compat

pkg:apk/chainguard/jenkins-compat

Vulnerabilities (36)

  • CVE-2024-22243HigFeb 23, 2024
    affected < 2.446-r0fixed 2.446-r0

    Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html  attack or to a SSRF a

  • CVE-2024-25710Feb 19, 2024
    affected < 2.447-r0fixed 2.447-r0

    Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress.This issue affects Apache Commons Compress: from 1.3 through 1.25.0. Users are recommended to upgrade to version 1.26.0 which fixes the issue.

  • CVE-2024-26308Feb 19, 2024
    affected < 2.447-r0fixed 2.447-r0

    Allocation of Resources Without Limits or Throttling vulnerability in Apache Commons Compress.This issue affects Apache Commons Compress: from 1.21 before 1.26. Users are recommended to upgrade to version 1.26, which fixes the issue.

  • CVE-2024-23900Jan 24, 2024
    affected < 2.443-r0fixed 2.443-r0

    Jenkins Matrix Project Plugin 822.v01b_8c85d16d2 and earlier does not sanitize user-defined axis names of multi-configuration projects, allowing attackers with Item/Configure permission to create or replace any config.xml files on the Jenkins controller file system with content n

  • CVE-2024-23897KEVJan 24, 2024
    affected < 2.442-r0fixed 2.442-r0

    Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins contro

  • CVE-2024-22233Jan 22, 2024
    affected < 2.442-r0fixed 2.442-r0

    In Spring Framework versions 6.0.15 and 6.1.2, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Specifically, an application is vulnerable when all of the following are true: * the application uses Sprin

  • CVE-2023-33201Jul 5, 2023
    affected < 0fixed 0

    Bouncy Castle For Java before 1.74 is affected by an LDAP injection vulnerability. The vulnerability only affects applications that use an LDAP CertStore from Bouncy Castle to validate X.509 certificates. During the certificate validation process, Bouncy Castle inserts the certif

  • CVE-2023-35116Jun 14, 2023
    affected < 0fixed 0

    jackson-databind through 2.15.2 allows attackers to cause a denial of service or other unspecified impact via a crafted object that uses cyclic dependencies. NOTE: the vendor's perspective is that this is not a valid vulnerability report, because the steps of constructing a cycli

  • CVE-2023-27904Mar 8, 2023
    affected < 2.395-r0fixed 2.395-r0

    Jenkins 2.393 and earlier, LTS 2.375.3 and earlier prints an error stack trace on agent-related pages when agent connections are broken, potentially revealing information about Jenkins configuration that is otherwise inaccessible to attackers.

  • CVE-2023-27903Mar 8, 2023
    affected < 2.395-r0fixed 2.395-r0

    Jenkins 2.393 and earlier, LTS 2.375.3 and earlier creates a temporary file in the default temporary directory with the default permissions for newly created files when uploading a file parameter through the CLI, potentially allowing attackers with access to the Jenkins controlle

  • CVE-2023-27902Mar 8, 2023
    affected < 2.395-r0fixed 2.395-r0

    Jenkins 2.393 and earlier, LTS 2.375.3 and earlier shows temporary directories related to job workspaces, which allows attackers with Item/Workspace permission to access their contents.

  • CVE-2023-27899Mar 8, 2023
    affected < 2.395-r0fixed 2.395-r0

    Jenkins 2.393 and earlier, LTS 2.375.3 and earlier creates a temporary file in the default temporary directory with the default permissions for newly created files when uploading a plugin for installation, potentially allowing attackers with access to the Jenkins controller file

  • CVE-2023-27898Mar 8, 2023
    affected < 2.395-r0fixed 2.395-r0

    Jenkins 2.270 through 2.393 (both inclusive), LTS 2.277.1 through 2.375.3 (both inclusive) does not escape the Jenkins version a plugin depends on when rendering the error message stating its incompatibility with the current version of Jenkins, resulting in a stored cross-site sc

  • CVE-2023-24998Feb 20, 2023
    affected < 2.395-r0fixed 2.395-r0

    Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configur

  • CVE-2022-1471Dec 1, 2022
    affected < 0fixed 0

    SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restric

  • CVE-2016-1000027Jan 2, 2020
    affected < 0fixed 0

    Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required. NO

Page 2 of 2