CVE-2024-43045 (Medium) detected in jenkins-core-2.426.3.jar

[mend-for-github-com]

CVE-2024-43045 - Medium Severity Vulnerability

Vulnerable Library - jenkins-core-2.426.3.jar

Jenkins core code and view files to render HTML.

Library home page: https://github.com/jenkinsci/jenkins

Path to dependency file: /build.gradle

Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.jenkins-ci.main/jenkins-core/2.426.3/eee94c4c0c78e715d2a599eb66a5a89c5eed9d18/jenkins-core-2.426.3.jar

Dependency Hierarchy:

• ❌ jenkins-core-2.426.3.jar (Vulnerable Library)

Found in HEAD commit: b439dcbcaec85cb505ff1870eaac296568ab9261

Found in base branch: main

Vulnerability Details

Jenkins 2.470 and earlier, LTS 2.452.3 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to access other users' "My Views".

Publish Date: 2024-08-07

URL: CVE-2024-43045

CVSS 3 Score Details (6.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.jenkins.io/security/advisory/2024-08-07/

Release Date: 2024-08-07

Fix Resolution: org.jenkins-ci.main:jenkins-core:2.452.4,2.462.1,2.471

---

• Check this box to open an automated fix PR

[gaiksaya]

Duplicate of #4934

[mend-for-github-com]

ℹ️ This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.

[krisfreedain]

@gaiksaya should this be closed?

Catch All Triage - 1, 2, 3

[gaiksaya]

Yes! Duplicate of #4934