jenkins-2.440
Chainguard
CVSS V3: 9.8
Status
Justification
Impact
Data serialization is handled by the Jenkins framework; nothing specific to this application is involved. This CVE is disputed by the upstream Spring developers: https://github.com/spring-projects/spring-framework/issues/24434#issuecomment-582313417
Status
Impact
According to the mvn dependency tree, the vulnerable code is present in the codebase as part of the spring-security-web package. To mitigate this vulnerability, spring-security-web needs to be updated to at least 6.1.7 (https://mvnrepository.com/artifact/org.springframework.security/spring-security-web/6.1.7) or 6.2.2 (https://mvnrepository.com/artifact/org.springframework.security/spring-security-web/6.2.2). A change of that kind can cause incompatibilities with the current codebase, so we cannot apply it as a patch, since it requires code changes. The best way to mitigate this vulnerability is to update Jenkins to 2.446 or later (https://www.jenkins.io/changelog/#v2.446).
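A quick way to check an installed jenkins.war against the thresholds stated above, as an added example that is not Chainguard's or Jenkins' own tooling: it lists the jars under WEB-INF/lib, finds the bundled spring-security-web jar, and compares its version against the fixed releases named in this advisory (6.1.7 on the 6.1.x line, 6.2.2 on the 6.2.x line) and the Jenkins version against 2.446. The jar listing embedded below is constructed for the example; that a WAR keeps its dependencies under WEB-INF/lib with `<artifact>-<version>.jar` names, and that release lines other than 6.1.x and 6.2.x should be reported as "not covered" rather than fixed or vulnerable, are both assumptions of the example.

```python
"""Check a Jenkins WAR's bundled spring-security-web against the advisory's
fixed versions. Editor-added example, not Chainguard's or Jenkins' tooling."""
import re
import zipfile
from typing import Iterable, List, Optional, Tuple

Version = Tuple[int, ...]

# Fixed versions per release line, as stated in the advisory. Lines not listed
# here are outside what the advisory says (assumption: report them as None).
FIXED_BY_LINE = {(6, 1): (6, 1, 7), (6, 2): (6, 2, 2)}
FIXED_JENKINS: Version = (2, 446)

# Matches e.g. "WEB-INF/lib/spring-security-web-6.1.6.jar"; a trailing
# qualifier such as "-sources" is tolerated but not modelled (assumption:
# only release jars are bundled, so pre-release qualifiers are not compared).
JAR_RE = re.compile(r"(?:^|/)spring-security-web-(\d+(?:\.\d+)*)(?:[-.].*)?\.jar$")


def parse_version(text: str) -> Version:
    """'6.1.6' -> (6, 1, 6); tuples compare element-wise, which is what we want."""
    return tuple(int(part) for part in text.split("."))


def war_jar_names(war_path: str) -> List[str]:
    """List the dependency jars inside a real WAR (a WAR is a zip archive)."""
    with zipfile.ZipFile(war_path) as war:
        return [n for n in war.namelist()
                if n.startswith("WEB-INF/lib/") and n.endswith(".jar")]


def spring_security_web_version(jar_names: Iterable[str]) -> Optional[Version]:
    """Return the bundled spring-security-web version, or None if not present."""
    for name in jar_names:
        match = JAR_RE.search(name)
        if match:
            return parse_version(match.group(1))
    return None


def is_fixed(version: Version) -> Optional[bool]:
    """True/False against the advisory's thresholds for the 6.1.x and 6.2.x
    lines; None when the release line is not covered by the advisory."""
    threshold = FIXED_BY_LINE.get(version[:2])
    if threshold is None:
        return None
    return version >= threshold


def jenkins_is_fixed(jenkins_version: str) -> bool:
    """Jenkins 2.446 or later carries the updated spring-security-web."""
    return parse_version(jenkins_version) >= FIXED_JENKINS


def report(jar_names: Iterable[str], jenkins_version: str) -> dict:
    """Combine the two checks into one result a scanner could emit."""
    ssw = spring_security_web_version(jar_names)
    return {
        "spring_security_web": ssw,
        "spring_security_web_fixed": None if ssw is None else is_fixed(ssw),
        "jenkins_fixed": jenkins_is_fixed(jenkins_version),
    }


# Constructed listing standing in for `war_jar_names("jenkins.war")`; the
# versions are illustrative, not taken from a real jenkins-2.440 WAR.
SAMPLE_LISTING = [
    "WEB-INF/lib/spring-security-core-6.1.6.jar",
    "WEB-INF/lib/spring-security-web-6.1.6.jar",
    "WEB-INF/lib/spring-web-6.0.17.jar",
]

if __name__ == "__main__":
    # Against a real install: report(war_jar_names("/path/to/jenkins.war"), "2.440")
    print(report(SAMPLE_LISTING, "2.440"))
```

The line-aware comparison matters: a naive `version >= (6, 1, 7)` would declare 6.2.0 and 6.2.1 fixed, although the advisory gives 6.2.2 as the first fixed release on that line.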