Jenkins / JENKINS-54831

False-Positive CVE-2017-2604 after update of OWASP Dependency-Check


    Details


      Description

      Since version 4.0.0 of the plugin "OWASP Dependency-Check" in every project using quartz, we see the following vulnerability:

      /WEB-INF/lib/quartz-2.3.0.jar , CVE-2017-2604 , Severity: Medium
      In Jenkins before versions 2.44, 2.32.2 low privilege users were able to act on administrative 
      monitors due to them not being consistently protected by permission checks (SECURITY-371).
      

      These projects do not use Jenkins dependencies.

      Workaround: downgrade plugin to 3.3.4.


          Activity

          rpaasche Robert Paasche created issue -
          rpaasche Robert Paasche made changes -
          Summary: "False-Positive CVE-2017-2604" -> "False-Positive CVE-2017-2604 after update of OWASP Dependency-Check"
          sspringett Steve Springett added a comment -

          The Jenkins plugin is simply a wrapper around Dependency-Check core module. Nothing can be done here to fix. False positives need to be reported to https://github.com/jeremylong/DependencyCheck

          sspringett Steve Springett made changes -
          Resolution: Won't Do [ 10001 ]
          Status: Open [ 1 ] -> Closed [ 6 ]
          rpaasche Robert Paasche added a comment - edited

          Thanks, and for notice: it is already there https://github.com/jeremylong/DependencyCheck/issues/1579


            People

            Assignee: Unassigned
            Reporter: rpaasche Robert Paasche
            Votes: 0
            Watchers: 2
