JENKINS-54831

False-Positive CVE-2017-2604 after update of OWASP Dependency-Check


Since version 4.0.0 of the plugin "OWASP Dependency-Check" in every project using quartz, we see the following vulnerability:

/WEB-INF/lib/quartz-2.3.0.jar , CVE-2017-2604 , Severity: Medium
In Jenkins before versions 2.44, 2.32.2 low privilege users were able to act on administrative monitors due to them not being consistently protected by permission checks (SECURITY-371).
      

These projects do not use Jenkins dependencies.

Workaround: downgrade plugin to 3.3.4.
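As an added example (not part of this issue or the plugin's own files), a Dependency-Check suppression file that silences only this CVE on the quartz jar, so other findings on quartz and this CVE on any other artifact are still reported; the file is assumed to be passed to the scan through the plugin's suppression-file setting.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example for JENKINS-54831, not code from the original issue.
     Scoped to the quartz jar AND CVE-2017-2604 so nothing else is hidden. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <notes><![CDATA[
        CVE-2017-2604 concerns Jenkins core (SECURITY-371), not quartz.
        This project does not ship Jenkins dependencies, so the match is a
        false positive. Re-check when the plugin or its data is updated.
        ]]></notes>
        <!-- Java regex; matches quartz-<version>.jar under any path separator -->
        <filePath regex="true">.*[/\\]quartz-.*\.jar</filePath>
        <cve>CVE-2017-2604</cve>
    </suppress>
</suppressions>
```

Keep the suppression next to the build so it is reviewed like code, and remove it once the plugin no longer produces the match.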

Assignee: Unassigned
Reporter: Ruby Paasche (rpaasche)