apk package
wolfi/jenkins-2.479
pkg:apk/wolfi/jenkins-2.479
Vulnerabilities (9)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-41234 | Medium | 6.5 | — | < 2.479.3-r5 | 2.479.3-r5 | Jun 12, 2025 | In Spring Framework, versions 6.0.x as of 6.0.5, versions 6.1.x and 6.2.x, an application is vulnerable to a reflected file download (RFD) attack when it sets a "Content-Disposition" header with a non-ASCII charset, where the filename attribute is derived from user-s |
| CVE-2025-48734 | — | — | — | < 2.479.3-r3 | 2.479.3-r3 | May 28, 2025 | Improper Access Control vulnerability in Apache Commons. A special BeanIntrospector class was added in version 1.9.2. This can be used to stop attackers from using the declared class property of Java enum objects to get access to the classloader. However this protection was no |
| CVE-2025-22233 | Low | 3.1 | — | < 2.479.3-r4 | 2.479.3-r4 | May 16, 2025 | CVE-2024-38820 ensured Locale-independent, lowercase conversion for both the configured disallowedFields patterns and for request parameter names. However, there are still cases where it is possible to bypass the disallowedFields checks. Affected Spring Products and Versions Sp |
| CVE-2025-31721 | — | — | — | < 0 | 0 | Apr 2, 2025 | A missing permission check in Jenkins 2.503 and earlier, LTS 2.492.2 and earlier allows attackers with Computer/Create permission but without Computer/Configure permission to copy an agent, gaining access to encrypted secrets in its configuration. |
| CVE-2025-31720 | — | — | — | < 0 | 0 | Apr 2, 2025 | A missing permission check in Jenkins 2.503 and earlier, LTS 2.492.2 and earlier allows attackers with Computer/Create permission but without Computer/Extended Read permission to copy an agent, gaining access to its configuration. |
| CVE-2025-22228 | High | 7.4 | — | < 2.479.3-r1 | 2.479.3-r1 | Mar 20, 2025 | BCryptPasswordEncoder.matches(CharSequence,String) will incorrectly return true for passwords larger than 72 characters as long as the first 72 characters are the same. |
| CVE-2024-52549 | — | — | — | < 2.479.1-r2 | 2.479.1-r2 | Nov 13, 2024 | Jenkins Script Security Plugin 1367.vdf2fc45f229c and earlier, except 1365.1367.va_3b_b_89f8a_95b_ and 1362.1364.v4cf2dc5d8776, does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read permission to check for the existence |
| CVE-2024-47072 | High | 7.5 | — | < 2.479.1-r1 | 2.479.1-r1 | Nov 8, 2024 | XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream when XStream is configu |
| CVE-2024-47855 | Medium | 5.3 | — | < 2.479.2-r0 | 2.479.2-r0 | Oct 4, 2024 | util/JSONTokener.java in JSON-lib before 3.1.0 mishandles an unbalanced comment string. |