Multiple vulnerabilities in OpenShift Container Platform 4.9
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 26 |
| CVE-ID | CVE-2022-43402 CVE-2022-45381 CVE-2022-45380 CVE-2022-45379 CVE-2022-45047 CVE-2022-43409 CVE-2022-43408 CVE-2022-43407 CVE-2022-43406 CVE-2022-43405 CVE-2022-43404 CVE-2022-43403 CVE-2022-43401 CVE-2020-7692 CVE-2022-36885 CVE-2022-36884 CVE-2022-36883 CVE-2022-36882 CVE-2022-34174 CVE-2022-30954 CVE-2022-30953 CVE-2022-30952 CVE-2022-30946 CVE-2022-25857 CVE-2022-2048 CVE-2022-1471 |
| CWE-ID | CWE-693 CWE-200 CWE-79 CWE-502 CWE-352 CWE-863 CWE-208 CWE-862 CWE-203 CWE-284 CWE-400 CWE-399 |
| Exploitation vector | Network |
| Public exploit |
Public exploit code for vulnerability #5 is available. Public exploit code for vulnerability #26 is available. |
| Vulnerable software Subscribe |
Red Hat OpenShift Container Platform Client/Desktop applications / Software for system administration jenkins (Red Hat package) Operating systems & Components / Operating system package or component jenkins-2-plugins (Red Hat package) Operating systems & Components / Operating system package or component |
| Vendor | Red Hat Inc. |
Security Bulletin
This security bulletin contains information about 26 vulnerabilities.
1) Protection Mechanism Failure
EUVDB-ID: #VU68596
Risk: Medium
CVSSv3.1: 8.6 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-43402
CWE-ID:
CWE-693 - Protection Mechanism Failure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to insufficient implementation of security measures in the Groovy language runtime. A remote user can bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.
MitigationInstall updates from vendor's website.
Red Hat OpenShift Container Platform: 4.9.0 - 4.9.55
jenkins (Red Hat package): before 2.361.1.1675668150-1.el8
jenkins-2-plugins (Red Hat package): before 4.9.1675668922-1.el8
External linkshttp://access.redhat.com/errata/RHSA-2023:0777
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Information disclosure
EUVDB-ID: #VU69367
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-45381
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to the affected plugin does not restrict the set of enabled prefix interpolators and bundles versions of Apache Commons Configuration library that enable the "file:" prefix interpolator by default. A remote attacker can gain unauthorized access to sensitive information on the system.
MitigationInstall updates from vendor's website.
Red Hat OpenShift Container Platform: 4.9.0 - 4.9.55
jenkins (Red Hat package): before 2.361.1.1675668150-1.el8
jenkins-2-plugins (Red Hat package): before 4.9.1675668922-1.el8
External linkshttp://access.redhat.com/errata/RHSA-2023:0777
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Stored cross-site scripting
EUVDB-ID: #VU69369
Risk: Low
CVSSv3.1: 5.6 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-45380
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote user can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall updates from vendor's website.
Red Hat OpenShift Container Platform: 4.9.0 - 4.9.55
jenkins (Red Hat package): before 2.361.1.1675668150-1.el8
jenkins-2-plugins (Red Hat package): before 4.9.1675668922-1.el8
External linkshttp://access.redhat.com/errata/RHSA-2023:0777
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Reversible One-Way Hash
EUVDB-ID: #VU69368
Risk: Medium
CVSSv3.1: 7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-45379
CWE-ID: N/A
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to the affected plugin stores whole-script approvals as the SHA-1 hash of the approved script. A remote user can perform collision attacks on the system.
MitigationInstall updates from vendor's website.
Red Hat OpenShift Container Platform: 4.9.0 - 4.9.55
jenkins (Red Hat package): before 2.361.1.1675668150-1.el8
jenkins-2-plugins (Red Hat package): before 4.9.1675668922-1.el8
External linkshttp://access.redhat.com/errata/RHSA-2023:0777
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Deserialization of Untrusted Data
EUVDB-ID: #VU70530
Risk: High
CVSSv3.1: 8.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2022-45047
CWE-ID:
CWE-502 - Deserialization of Untrusted Data
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data within the org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider class. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's website.
Red Hat OpenShift Container Platform: 4.9.0 - 4.9.55
jenkins (Red Hat package): before 2.361.1.1675668150-1.el8
jenkins-2-plugins (Red Hat package): before 4.9.1675668922-1.el8
External linkshttp://access.redhat.com/errata/RHSA-2023:0777
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
6) Stored cross-site scripting
EUVDB-ID: #VU68602
Risk: Low
CVSSv3.1: 5.6 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-43409
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in build logs. A remote user can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall updates from vendor's website.
Red Hat OpenShift Container Platform: 4.9.0 - 4.9.55
jenkins (Red Hat package): before 2.361.1.1675668150-1.el8
jenkins-2-plugins (Red Hat package): before 4.9.1675668922-1.el8
External linkshttp://access.redhat.com/errata/RHSA-2023:0777
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Cross-site request forgery
EUVDB-ID: #VU68601
Risk: Low
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-43408
CWE-ID:
CWE-352 - Cross-Site Request Forgery (CSRF)
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin. A remote user can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
MitigationInstall updates from vendor's website.
Red Hat OpenShift Container Platform: 4.9.0 - 4.9.55
jenkins (Red Hat package): before 2.361.1.1675668150-1.el8
jenkins-2-plugins (Red Hat package): before 4.9.1675668922-1.el8
External linkshttp://access.redhat.com/errata/RHSA-2023:0777
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Cross-site request forgery
EUVDB-ID: #VU68600
Risk: Low
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-43407
CWE-ID:
CWE-352 - Cross-Site Request Forgery (CSRF)
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin. A remote user can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
MitigationInstall updates from vendor's website.
Red Hat OpenShift Container Platform: 4.9.0 - 4.9.55
jenkins (Red Hat package): before 2.361.1.1675668150-1.el8
jenkins-2-plugins (Red Hat package): before 4.9.1675668922-1.el8
External linkshttp://access.redhat.com/errata/RHSA-2023:0777
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Protection Mechanism Failure
EUVDB-ID: #VU68599
Risk: Medium
CVSSv3.1: 8.6 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-43406
CWE-ID:
CWE-693 - Protection Mechanism Failure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to insufficient implementation of security measures. A remote user can bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.
MitigationInstall updates from vendor's website.
Red Hat OpenShift Container Platform: 4.9.0 - 4.9.55
jenkins (Red Hat package): before 2.361.1.1675668150-1.el8
jenkins-2-plugins (Red Hat package): before 4.9.1675668922-1.el8
External linkshttp://access.redhat.com/errata/RHSA-2023:0777
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Protection Mechanism Failure
EUVDB-ID: #VU68598
Risk: Medium
CVSSv3.1: 8.6 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-43405
CWE-ID:
CWE-693 - Protection Mechanism Failure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to insufficient implementation of security measures. A remote user can bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.
MitigationInstall updates from vendor's website.
Red Hat OpenShift Container Platform: 4.9.0 - 4.9.55
jenkins (Red Hat package): before 2.361.1.1675668150-1.el8
jenkins-2-plugins (Red Hat package): before 4.9.1675668922-1.el8
External linkshttp://access.redhat.com/errata/RHSA-2023:0777
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
11) Protection Mechanism Failure
EUVDB-ID: #VU68595
Risk: Medium
CVSSv3.1: 8.6 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-43404
CWE-ID:
CWE-693 - Protection Mechanism Failure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to insufficient implementation of security measures. A remote user can bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.
MitigationInstall updates from vendor's website.
Red Hat OpenShift Container Platform: 4.9.0 - 4.9.55
jenkins (Red Hat package): before 2.361.1.1675668150-1.el8
jenkins-2-plugins (Red Hat package): before 4.9.1675668922-1.el8
External linkshttp://access.redhat.com/errata/RHSA-2023:0777
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
12) Protection Mechanism Failure
EUVDB-ID: #VU68597
Risk: Medium
CVSSv3.1: 8.6 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-43403
CWE-ID:
CWE-693 - Protection Mechanism Failure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to insufficient implementation of security measures. A remote user can bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.
MitigationInstall updates from vendor's website.
Red Hat OpenShift Container Platform: 4.9.0 - 4.9.55
jenkins (Red Hat package): before 2.361.1.1675668150-1.el8
jenkins-2-plugins (Red Hat package): before 4.9.1675668922-1.el8
External linkshttp://access.redhat.com/errata/RHSA-2023:0777
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
13) Protection Mechanism Failure
EUVDB-ID: #VU68594
Risk: Medium
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-43401
CWE-ID:
CWE-693 - Protection Mechanism Failure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to insufficient implementation of security measures in the Groovy language runtime. A remote user can bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.
MitigationInstall updates from vendor's website.
Red Hat OpenShift Container Platform: 4.9.0 - 4.9.55
jenkins (Red Hat package): before 2.361.1.1675668150-1.el8
jenkins-2-plugins (Red Hat package): before 4.9.1675668922-1.el8
External linkshttp://access.redhat.com/errata/RHSA-2023:0777
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
14) Incorrect authorization
EUVDB-ID: #VU72076
Risk: High
CVSSv3.1: 7.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-7692
CWE-ID:
CWE-863 - Incorrect Authorization
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass authorization process.
The vulnerability exists due to missing support for PKCE. Without the use of PKCE, the authorization code returned by an authorization server is not enough to guarantee that the client that issued the initial authorization request is the one that will be authorized. An attacker is able to obtain the authorization code using a malicious app on the client-side and use it to gain authorization to the protected resource.
MitigationInstall updates from vendor's website.
Red Hat OpenShift Container Platform: 4.9.0 - 4.9.55
jenkins (Red Hat package): before 2.361.1.1675668150-1.el8
jenkins-2-plugins (Red Hat package): before 4.9.1675668922-1.el8
External linkshttp://access.redhat.com/errata/RHSA-2023:0777
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
15) Information Exposure Through Timing Discrepancy
EUVDB-ID: #VU65851
Risk: Low
CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-36885
CWE-ID:
CWE-208 - Information Exposure Through Timing Discrepancy
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to the affected plugin does not use a constant-time comparison when checking whether the provided and computed webhook signatures are equal. A remote user can use statistical methods to obtain a valid webhook signature.
MitigationInstall updates from vendor's website.
Red Hat OpenShift Container Platform: 4.9.0 - 4.9.55
jenkins (Red Hat package): before 2.361.1.1675668150-1.el8
jenkins-2-plugins (Red Hat package): before 4.9.1675668922-1.el8
External linkshttp://access.redhat.com/errata/RHSA-2023:0777
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
16) Information disclosure
EUVDB-ID: #VU65850
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-36884
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the application in webhook endpoint. A remote attacker can gain unauthorized access to sensitive information on the system.
MitigationInstall updates from vendor's website.
Red Hat OpenShift Container Platform: 4.9.0 - 4.9.55
jenkins (Red Hat package): before 2.361.1.1675668150-1.el8
jenkins-2-plugins (Red Hat package): before 4.9.1675668922-1.el8
External linkshttp://access.redhat.com/errata/RHSA-2023:0777
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
17) Missing Authorization
EUVDB-ID: #VU65848
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-36883
CWE-ID:
CWE-862 - Missing Authorization
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass authorization checks.
The vulnerability exists due to application does not properly impose security restrictions. A remote attacker can trigger builds of jobs configured to use an attacker-specified Git repository and cause them to check out an attacker-specified commit.
MitigationInstall updates from vendor's website.
Red Hat OpenShift Container Platform: 4.9.0 - 4.9.55
jenkins (Red Hat package): before 2.361.1.1675668150-1.el8
jenkins-2-plugins (Red Hat package): before 4.9.1675668922-1.el8
External linkshttp://access.redhat.com/errata/RHSA-2023:0777
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
18) Cross-site request forgery
EUVDB-ID: #VU65847
Risk: Low
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-36882
CWE-ID:
CWE-352 - Cross-Site Request Forgery (CSRF)
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
MitigationInstall updates from vendor's website.
Red Hat OpenShift Container Platform: 4.9.0 - 4.9.55
jenkins (Red Hat package): before 2.361.1.1675668150-1.el8
jenkins-2-plugins (Red Hat package): before 4.9.1675668922-1.el8
External linkshttp://access.redhat.com/errata/RHSA-2023:0777
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
19) Observable discrepancy
EUVDB-ID: #VU64604
Risk: Medium
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-34174
CWE-ID:
CWE-203 - Observable discrepancy
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to observable discrepancy issue in the login form. A remote attacker can gain unauthorized access to sensitive information on the system.
MitigationInstall updates from vendor's website.
Red Hat OpenShift Container Platform: 4.9.0 - 4.9.55
jenkins (Red Hat package): before 2.361.1.1675668150-1.el8
jenkins-2-plugins (Red Hat package): before 4.9.1675668922-1.el8
External linkshttp://access.redhat.com/errata/RHSA-2023:0777
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
20) Improper access control
EUVDB-ID: #VU63377
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-30954
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions in several HTTP endpoints. A remote user can connect to an attacker-specified HTTP server.
MitigationInstall updates from vendor's website.
Red Hat OpenShift Container Platform: 4.9.0 - 4.9.55
jenkins (Red Hat package): before 2.361.1.1675668150-1.el8
jenkins-2-plugins (Red Hat package): before 4.9.1675668922-1.el8
External linkshttp://access.redhat.com/errata/RHSA-2023:0777
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
21) Cross-site request forgery
EUVDB-ID: #VU63375
Risk: Low
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-30953
CWE-ID:
CWE-352 - Cross-Site Request Forgery (CSRF)
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
MitigationInstall updates from vendor's website.
Red Hat OpenShift Container Platform: 4.9.0 - 4.9.55
jenkins (Red Hat package): before 2.361.1.1675668150-1.el8
jenkins-2-plugins (Red Hat package): before 4.9.1675668922-1.el8
External linkshttp://access.redhat.com/errata/RHSA-2023:0777
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
22) Information disclosure
EUVDB-ID: #VU63372
Risk: Medium
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-30952
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the application. A remote user can access credentials with attacker-specified IDs stored in the private per-user credentials stores of any attacker-specified user in Jenkins.
MitigationInstall updates from vendor's website.
Red Hat OpenShift Container Platform: 4.9.0 - 4.9.55
jenkins (Red Hat package): before 2.361.1.1675668150-1.el8
jenkins-2-plugins (Red Hat package): before 4.9.1675668922-1.el8
External linkshttp://access.redhat.com/errata/RHSA-2023:0777
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
23) Cross-site request forgery
EUVDB-ID: #VU63359
Risk: Low
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-30946
CWE-ID:
CWE-352 - Cross-Site Request Forgery (CSRF)
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
MitigationInstall updates from vendor's website.
Red Hat OpenShift Container Platform: 4.9.0 - 4.9.55
jenkins (Red Hat package): before 2.361.1.1675668150-1.el8
jenkins-2-plugins (Red Hat package): before 4.9.1675668922-1.el8
External linkshttp://access.redhat.com/errata/RHSA-2023:0777
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
24) Resource exhaustion
EUVDB-ID: #VU67665
Risk: Medium
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-25857
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources when handling YAML files. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
MitigationInstall updates from vendor's website.
Red Hat OpenShift Container Platform: 4.9.0 - 4.9.55
jenkins (Red Hat package): before 2.361.1.1675668150-1.el8
jenkins-2-plugins (Red Hat package): before 4.9.1675668922-1.el8
External linkshttp://access.redhat.com/errata/RHSA-2023:0777
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
25) Resource management error
EUVDB-ID: #VU65830
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-2048
CWE-ID:
CWE-399 - Resource Management Errors
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources within the application when handling invalid HTTP/2 requests. A remote attacker can send specially crafted requests to the server and perform a denial of service (DoS) attack.
MitigationInstall updates from vendor's website.
Red Hat OpenShift Container Platform: 4.9.0 - 4.9.55
jenkins (Red Hat package): before 2.361.1.1675668150-1.el8
jenkins-2-plugins (Red Hat package): before 4.9.1675668922-1.el8
External linkshttp://access.redhat.com/errata/RHSA-2023:0777
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
26) Deserialization of Untrusted Data
EUVDB-ID: #VU70385
Risk: High
CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-1471
CWE-ID:
CWE-502 - Deserialization of Untrusted Data
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data within the SnakeYaml's Constructor() class. A remote attacker can pass specially crafted yaml content to the application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's website.
Red Hat OpenShift Container Platform: 4.9.0 - 4.9.55
jenkins (Red Hat package): before 2.361.1.1675668150-1.el8
jenkins-2-plugins (Red Hat package): before 4.9.1675668922-1.el8
External linkshttp://access.redhat.com/errata/RHSA-2023:0777
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
