Jenkins OpenID Plugin 2.4 and earlier does not invalidate the previous session on login.

CVE-2023-24444: Jenkins Security Advisory 2023-01-24

Jenkins JIRA Pipeline Steps Plugin 2.0.165.v8846cf59f3db and earlier transmits the private key in plain text as part of the global Jenkins configuration form, potentially resulting in their exposure.

CVE-2023-24440: Jenkins Security Advisory 2023-01-24

Jenkins OpenId Connect Authentication Plugin 2.4 and earlier does not invalidate the previous session on login.

CVE-2023-24424: Jenkins Security Advisory 2023-01-24

Jenkins view-cloner Plugin 1.1 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

CVE-2023-24450: Jenkins Security Advisory 2023-01-24

Jenkins Kubernetes Credentials Provider Plugin 1.208.v128ee9800c04 and earlier does not set the appropriate context for Kubernetes credentials lookup, allowing attackers with Item/Configure permission to access and potentially capture Kubernetes credentials they are not entitled to.

CVE-2023-24425: Jenkins Security Advisory 2023-01-24

Missing permission checks in Jenkins Orka by MacStadium Plugin 1.31 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

CVE-2023-24433: Jenkins Security Advisory 2023-01-24

Jenkins Keycloak Authentication Plugin 2.3.0 and earlier does not invalidate the previous session on login.

CVE-2023-24456: Jenkins Security Advisory 2023-01-24

An issue was discovered in the rollback feature of Elastic Endpoint Security for Windows, which could allow unprivileged users to elevate their privileges to those of the LocalSystem account.

CVE-2022-38775: Security issues

A cross-site scripting issue has been discovered in GitLab CE/EE affecting all versions from 13.5 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2. It was possible to exploit a vulnerability in setting the Jira Connect integration which could lead to a reflected XSS that allowed attackers to perform arbitrary actions on behalf of victims.

Skip to content

GitLab

Next

*   *   GitLab: the DevOps platform
    *   Explore GitLab
    *   Install GitLab
    *   How GitLab compares
    *   Get started
    *   GitLab docs
    *   GitLab Learn
    
*   Pricing
*   Talk to an expert

*   /
    
*   

*   Help
    
    *   Help
    *   Support
    *   Community forum
    
    *   Submit feedback
    *   Contribute to GitLab
    
*   *   
    
    Projects Groups Snippets
    
*   Sign up now
*   Login
*   Sign in / Register
    

*   GitLab.org
*   cves
*   Repository

Switch branch/tag

*   cves
*   2022
*   **CVE-2022-3572.json**

Find file BlameHistoryPermalink

*   Publishing 0 updated advisories and 2 new advisories · 8e57563a
    
    🤖 GitLab Bot 🤖 authored Jan 20, 2023
    
    8e57563a

CVE-2022-3572: 2022/CVE-2022-3572.json · master · GitLab.org / cves · GitLab

Red Hat Security Advisory 2023-0237-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. Issues addressed include a bypass vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: OpenShift Container Platform 4.8.57 security update  
Advisory ID:       RHSA-2023:0237-01  
Product:           Red Hat OpenShift Enterprise  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0237  
Issue date:        2023-01-25  
CVE Names:         CVE-2022-41912 CVE-2023-21835 CVE-2023-21843  
====================================================================  
1. Summary:

Red Hat OpenShift Container Platform release 4.8.57 is now available with  
updates to packages and images that fix several bugs and add enhancements.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing  
Kubernetes application platform solution designed for on-premise or private  
cloud deployments.  
Security Fix(es):

* crewjam/saml: Authentication bypass when processing SAML responses  
containing multiple Assertion elements (CVE-2022-41912)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

See the following documentation, which will be updated shortly for this  
release, for important instructions on how to upgrade your cluster and  
fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html

You may download the oc tool and use it to inspect release image metadata  
for x86_64, s390x, and ppc64le architectures.

The image digests may be found at  
https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags

The sha values for the release are:

(For x86_64 architecture)  
The image digest is  
sha256:c9dfdaa23f71c5faf6cc88a3cc504f7458840b8c860372a8106584739a15b1f2

(For s390x architecture)  
The image digest is  
sha256:ff2557359193568edf71a6160b0d431c01625578fc29ca6c8894f2e46719b475

(For ppc64le architecture)  
The image digest is  
sha256:cfbc2bf134d9a7754a920164bd8189f2f5b5d802c25c0774ab3b4e9c1998ff51

All OpenShift Container Platform 4.8 users are advised to upgrade to these  
updated packages and images when they are available in the appropriate  
release channel. To check for available updates, use the OpenShift Console  
or the CLI oc command. Instructions for upgrading a cluster are available  
at  
https://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html

4. Bugs fixed (https://bugzilla.redhat.com/):

2149181 - CVE-2022-41912 crewjam/saml: Authentication bypass when processing SAML responses containing multiple Assertion elements

5. JIRA issues fixed (https://issues.jboss.org/):

OCPBUGS-5964 - Placeholder bug for OCP 4.8.0 metadata release  
OCPBUGS-5965 - Placeholder bug for OCP 4.8.0 rpm release

6. References:

https://access.redhat.com/security/cve/CVE-2022-41912  
https://access.redhat.com/security/cve/CVE-2023-21835  
https://access.redhat.com/security/cve/CVE-2023-21843  
https://access.redhat.com/security/updates/classification/#important

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY9FaPdzjgjWX9erEAQg0vw//QzuA21utuuPcMS2hskt1IACyRPrP2e1r  
iWod7sJFac91fcGCq43e4dyc0IUeurEHAh7syX5g9UBaDt1IReTUsF5Fwolbi8js  
Q2xTi8TyYuCqYKpl8yzXXKRu/vd32HfsOhe1W8pyzT77PcPf5QlX329GnMUUsyrr  
l/3eNwRn/eIRWqGXPBFzRM+NVBbLAZ5J17Wpdqu7Ghu+11xSU7cAhrk1BjFaNxHy  
u/s5PLDtz1tCjf8pU8MdkBe/DVWUDCkR1QvPqj5GDRHK/Vq0gyvhX2+m3nDi1VlF  
2XNMy+PVlmnlAoLtRWcaazTvE8VR0aaxyB6iOZQMcDrUMJS+wJD5Oo/zcGjvVNpM  
oXhuSpnkLSEAzb1Z4a0NIdx9hJGP4j252RJYzx4GumwpiNaU4xMr4DoFB/cRE11H  
b2c45+iX1n/Dnj8LaJLUdCSKAHqrFB4gGSjKTlV3KO/xGIYTPn30MSOAGYWR9oDf  
zaPX1AdgNBoQ43gbKP2Uj7/S7iHN575P7t1B1Bfi+Bdgxo6U0sRlgC51LEVCqTtD  
49NkFFzmFQr3KCFIDuHIQaNRyyPU3skAf7mKqUJGblkrbAolZ3Gc+a0RK9kmlx0j  
cdOK6ev73xCs/Ad5SmynJRXTrZB3dmOzh5Gk6QpOAFzPbJr30Qt1dfqAsq7hsVxb  
wNvLA5dg5i8=WVbV  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Tag

#jira