Jenkins issue JENKINS-54831

False-Positive CVE-2017-2604 after update of OWASP Dependency-Check


    Details


      Description

      Since version 4.0.0 of the "OWASP Dependency-Check" plugin, in every project using quartz we see the following vulnerability:

      /WEB-INF/lib/quartz-2.3.0.jar , CVE-2017-2604 , Severity: Medium
      In Jenkins before versions 2.44, 2.32.2 low privilege users were able to act on administrative 
      monitors due to them not being consistently protected by permission checks (SECURITY-371).
      

      These projects do not use Jenkins dependencies.

      Workaround: downgrade plugin to 3.3.4.
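      As an added example (not part of the ticket or of the plugin's own files), a Dependency-Check suppression file that hides only CVE-2017-2604 and only for the quartz jar named in the report, so the plugin does not have to be downgraded; the suppression is applied by pointing the scanner's suppression-file setting at it. The file-path regex and the 1.3 schema version are assumptions and should be adjusted to the scanned layout.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: Dependency-Check suppression file (not from the ticket).
     It matches on both the jar path and the CVE id, so every other finding,
     on this jar or on any other artifact, is still reported. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
      JENKINS-54831: quartz-2.3.0.jar is matched to a Jenkins core CVE.
      Quartz is not Jenkins and this project ships no Jenkins dependencies.
    ]]></notes>
    <!-- path regex is an assumption; it follows the path quoted in the report -->
    <filePath regex="true">.*[/\\]quartz-2\.3\.0\.jar$</filePath>
    <cve>CVE-2017-2604</cve>
  </suppress>
</suppressions>
```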

        Attachments

          Activity

          rpaasche Robert Paasche created issue
          rpaasche Robert Paasche made changes:
            Summary: "False-Positive CVE-2017-2604" -> "False-Positive CVE-2017-2604 after update of OWASP Dependency-Check"
          sspringett Steve Springett made changes:
            Resolution: Won't Do
            Status: Open -> Closed

            People

            Assignee: Unassigned
            Reporter: rpaasche Robert Paasche
            Votes: 0
            Watchers: 2
