Sensitive Information Uncleared Before Release Affecting jenkins package, versions <0:2.277.3.1623853726-1.el8


Severity

Recommended
0.0
medium
0
10

Based on Red Hat Enterprise Linux security rating.

Threat Intelligence

EPSS
1.33% (87th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-RHEL8-JENKINS-4400106
  • published26 Jul 2021
  • disclosed27 Nov 2020

Introduced: 27 Nov 2020

CVE-2020-27218  (opens in a new tab)
CWE-226  (opens in a new tab)

How to fix?

Upgrade RHEL:8 jenkins to version 0:2.277.3.1623853726-1.el8 or higher.
This issue was patched in RHSA-2021:2499.

NVD Description

Note: Versions mentioned in the description apply only to the upstream jenkins package and not the jenkins package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection, and if an attacker can send a request with a body that is received entirely but not consumed by the application, then a subsequent request on the same connection will see that body prepended to its body. The attacker will not see any data but may inject data into the body of the subsequent request.

References

CVSS Scores

version 3.1