Comments (4)
I'm closing this issue as per: https://www.jenkins.io/security/reporting. You need to follow these instructions carefully to responsibly report any vulnerability.
from docker.
Please, see #1740 (comment) for the curl CVEs. The reports provided here look really wrong:
$ docker run --rm --entrypoint='' jenkins/jenkins:2.414.3-jdk11 sh -c 'dpkg -l | grep -w curl'
ii curl 7.88.1-10+deb12u4 arm64 command line tool for transferring data with URL syntax
Same, the OpenSSH report looks suspicious:
$ docker run --rm --entrypoint='' jenkins/jenkins:2.414.3-jdk11 sh -c 'dpkg -l | grep -w openssh-client'
ii openssh-client 1:9.2p1-2+deb12u1 arm64 secure shell (SSH) client, for secure access to remote machines
Like the curl package, the image you mentioned (jenkins/jenkins:2.414.3-jdk11) has the fixed packages, making the request not realistic.
You should check what your "wiz" (no idea what it is) tool is doing and checking, but it looks like it's sending you false positives.
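The two dpkg checks in the comments above reduce to one question a scanner has to get right: is the installed Debian version at or above the version that carries the fix? The Python below is an added example, not code from this thread or from the jenkinsci/docker project. It implements dpkg's version ordering (epoch, upstream version, Debian revision, with `~` sorting before everything else) and runs it over the two `dpkg -l` lines quoted in the thread, embedded here as constructed sample input. The `ASSUMED_FIXED_DEBIAN` and `ASSUMED_FIXED_UPSTREAM` tables are placeholders made up for the example; real fixed-in versions come from the Debian security tracker entry for each CVE. The naive upstream-only comparison is included to show how a scanner that drops the `+deb12uN` revision and the epoch reports a backported fix as still vulnerable.

```python
# Constructed sample: the two `dpkg -l | grep` lines quoted in the thread,
# as a scanner (or a human) would capture them from the container.
SAMPLE_DPKG_OUTPUT = """\
ii  curl            7.88.1-10+deb12u4  arm64  command line tool for transferring data with URL syntax
ii  openssh-client  1:9.2p1-2+deb12u1  arm64  secure shell (SSH) client, for secure access to remote machines
"""

# ASSUMPTION: placeholder "fixed in" Debian versions for a bookworm image.
# Real values must be taken from the Debian security tracker for the CVE.
ASSUMED_FIXED_DEBIAN = {
    "curl": "7.88.1-10+deb12u3",
    "openssh-client": "1:9.2p1-2+deb12u1",
}

# ASSUMPTION: made-up upstream release numbers standing in for what a naive
# scanner compares against when it ignores Debian backports and epochs.
ASSUMED_FIXED_UPSTREAM = {
    "curl": "8.4.0",
    "openssh-client": "9.6p1",
}


def _order(c: str) -> int:
    """Character weight used by dpkg: '~' sorts before everything (even the
    end of the string), digits are 0, letters by code point, other chars last."""
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare two version fragments like dpkg's verrevcmp(): alternate
    non-digit runs (by _order) and digit runs (numerically, leading zeros dropped)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run; a missing character weighs 0, i.e. between '~' and letters.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: skip leading zeros, then the longer run wins, else first difference.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def split_version(v: str):
    """Split a Debian version into (epoch, upstream_version, debian_revision)."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    if "-" in v:
        upstream, revision = v.rsplit("-", 1)
    else:
        upstream, revision = v, ""
    return epoch, upstream, revision


def debian_version_compare(a: str, b: str) -> int:
    """Return <0, 0 or >0 with the same ordering as `dpkg --compare-versions`."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return ea - eb
    r = _verrevcmp(ua, ub)
    return r if r else _verrevcmp(ra, rb)


def parse_dpkg_list(text: str):
    """Map package name -> version for `dpkg -l` lines in state 'ii' (installed)."""
    installed = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "ii":
            installed[fields[1]] = fields[2]
    return installed


def upstream_only(v: str) -> str:
    """What a naive scanner sees: the upstream version with epoch and revision dropped."""
    return split_version(v)[1]


def triage(installed, fixed_debian, fixed_upstream):
    """Per package, verdicts from the Debian-aware check and from the naive
    upstream-only check, plus a flag when only the naive check says 'vulnerable'."""
    result = {}
    for name, version in installed.items():
        if name not in fixed_debian:
            continue
        debian_ok = debian_version_compare(version, fixed_debian[name]) >= 0
        naive_ok = debian_version_compare(upstream_only(version), fixed_upstream[name]) >= 0
        result[name] = {
            "installed": version,
            "debian_aware": "fixed" if debian_ok else "vulnerable",
            "upstream_only": "fixed" if naive_ok else "vulnerable",
            "false_positive": debian_ok and not naive_ok,
        }
    return result


if __name__ == "__main__":
    verdicts = triage(parse_dpkg_list(SAMPLE_DPKG_OUTPUT),
                      ASSUMED_FIXED_DEBIAN, ASSUMED_FIXED_UPSTREAM)
    for name, verdict in verdicts.items():
        print(name, verdict)
```

On a Debian host, `dpkg --compare-versions A ge B` answers the same question for a single pair and is the reference to cross-check this implementation against; the point of the pure-Python version is that it can run inside a scanner pipeline that has no dpkg available.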
As for CVE-2023-44487, please check https://www.jenkins.io/security/advisory/2023-10-18/ which delivered the Jetty server with the patch for Jenkins.
There is a libnghttp2 (shared) library in the images but I can't find any proof of exploit due to this library. As per https://security-tracker.debian.org/tracker/CVE-2023-44487, there is NO fix for the nghttp2 webserver, but it is not installed.