Security Advisories

CGA-hpv8-j7j6-3f2c

Published

Last updated

https://images.chainguard.dev/security/CGA-hpv8-j7j6-3f2c
Package

jenkins-2.440

Repository

Chainguard

Latest Update
Not affected
Aliases
  • CVE-2016-1000027
  • GHSA-4wrc-f8pq-fpqp

Severity

9.8

Critical

CVSS V3

References

  • https://nvd.nist.gov/vuln/detail/CVE-2016-1000027

Updates

Status

Not affected

Justification

Vulnerable code not present

Impact

Java serialization here is handled by the Jenkins framework itself; nothing specific to this package is affected. The CVE is also disputed by the Spring Framework maintainers (it concerns Java deserialization of untrusted data through Spring's HTTP invoker remoting exporters, which they treat as an application-level misuse rather than a framework flaw): https://github.com/spring-projects/spring-framework/issues/24434#issuecomment-582313417

Status

Affected

Impact

According to the mvn dependency tree, the vulnerable code is present in the codebase as part of the spring-security-web package. Mitigating it requires updating spring-security-web to at least 6.1.7 (https://mvnrepository.com/artifact/org.springframework.security/spring-security-web/6.1.7) or 6.2.2 (https://mvnrepository.com/artifact/org.springframework.security/spring-security-web/6.2.2). A dependency bump of that kind requires code changes and can break compatibility with the current codebase, so we cannot carry it as a patch. The recommended mitigation is to update Jenkins to 2.446 or later (https://www.jenkins.io/changelog/#v2.446).
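As an added example (not Chainguard's or the Jenkins project's own code), the following Python checker parses `mvn dependency:tree` output and flags any spring-security-web entry below the fixed releases named above (6.1.7 on the 6.1 line, 6.2.2 on the 6.2 line), and applies the same comparison to the Jenkins version against 2.446. The sample tree is constructed for illustration; treating release lines newer than any listed fix as carrying the fix is an assumption, not a statement from the advisory.

```python
import re

# Constructed sample of `mvn dependency:tree` output; the coordinates are
# illustrative and not copied from an actual Jenkins build.
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.6.0:tree (default-cli) @ jenkins-war ---
[INFO] org.jenkins-ci.main:jenkins-war:war:2.440
[INFO] +- org.jenkins-ci.main:jenkins-core:jar:2.440:compile
[INFO] |  +- org.springframework.security:spring-security-web:jar:6.1.6:compile
[INFO] |  |  \\- org.springframework.security:spring-security-core:jar:6.1.6:compile
[INFO] |  \\- org.springframework:spring-web:jar:6.0.15:compile
[INFO] \\- org.jenkins-ci.main:cli:jar:2.440:compile
[INFO] BUILD SUCCESS
"""

# Minimum fixed spring-security-web version per release line, as stated in the advisory.
FIXED_SPRING_SECURITY_WEB = [(6, 1, 7), (6, 2, 2)]
# Jenkins release that carries the dependency update, as stated in the advisory.
FIXED_JENKINS = (2, 446)


def parse_tree(text):
    """Return (group, artifact, version) for each coordinate line in dependency:tree output.

    Handles both group:artifact:type:version[:scope] and the six-field form with a classifier,
    group:artifact:type:classifier:version:scope. Non-coordinate lines are skipped.
    """
    deps = []
    for raw in text.splitlines():
        line = raw.replace("[INFO]", "").strip(" |+\\-")  # drop prefix and tree-drawing chars
        parts = line.split(":")
        if len(parts) < 4:
            continue
        version = parts[4] if len(parts) == 6 else parts[3]
        deps.append((parts[0], parts[1], version))
    return deps


def version_tuple(version):
    """Turn '6.1.6' or '6.2.2-SNAPSHOT' into a comparable integer tuple (numeric prefix only)."""
    nums = []
    for part in version.split("."):
        digits = re.match(r"\d+", part)
        if not digits:
            break
        nums.append(int(digits.group()))
    return tuple(nums)


def is_fixed(version, fixed=FIXED_SPRING_SECURITY_WEB):
    """True if `version` is at or above the fix for its release line.

    Same line (major.minor) as a listed fix: compare patch level. A line newer than every listed
    fix is assumed (assumption, not from the advisory) to carry the fix; an older line is not.
    """
    v = version_tuple(version)
    for minimum in fixed:
        if minimum[:2] == v[:2]:
            return v >= minimum
    return v[:2] > max(fixed)[:2]


def jenkins_is_fixed(version, fixed=FIXED_JENKINS):
    """True if the Jenkins version is 2.446 or later."""
    return version_tuple(version) >= fixed


def check_tree(text, fixed=FIXED_SPRING_SECURITY_WEB):
    """Return [(version, ok)] for every spring-security-web entry found in the tree."""
    return [
        (version, is_fixed(version, fixed))
        for group, artifact, version in parse_tree(text)
        if group == "org.springframework.security" and artifact == "spring-security-web"
    ]


if __name__ == "__main__":
    for version, ok in check_tree(SAMPLE_TREE):
        print(f"spring-security-web {version}: {'fixed' if ok else 'VULNERABLE'}")
```

Run it against real output from `mvn dependency:tree` on the jenkins-war module (or pipe that output in place of `SAMPLE_TREE`); the point of the classifier handling is that a six-field coordinate would otherwise be mis-read as having its classifier in the version slot.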


© 2025 Chainguard. All Rights Reserved.