• 2.406 and later include 2.10.0. 2.379 and later include 2.9.2

      Getting the following vulnerability in the latest weekly Jenkins build (2.382) - MINA SSHD

      CVE-2022-45047
        Package: org.apache.sshd:sshd-common
        Package Type: MAVEN
        Affected Version: 2.9.1
        Fixed Version: 2.9.2

          [JENKINS-70290] CVE-2022-45047 MINA SSHD

          Alexander Brandes added a comment - Make sure you're using an up-to-date version of all mina components; the latest release, 2.9.2-50.va_0e1f42659a_a, bundles Apache's 2.9.2 version.

          Andrew added a comment - edited

          We're still getting this vulnerability security alert after installing Jenkins, without any plugins installed: CVE-2022-45047. We're using the latest weekly build.

          Are there any references to org.apache.sshd:sshd-common Package Type: MAVEN within any of the Jenkins files after installing that could be referencing the affected Version: 2.9.1?

          Note: we don't have any Jenkins plugins installed or mina components installed.


          Andrew added a comment -

          Our vulnerability scanner has detected the following file is out of date: 

           

          /usr/share/java/jenkins.war/WEB-INF/detached-plugins/mina-sshd-api-common.hpi/WEB-INF/lib/sshd-common-2.9.1.jar

          Latest version is 2.9.2

          Can someone update this within the next weekly Jenkins install?

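One way to answer the question raised in the comments above (which file inside jenkins.war still carries an old sshd-common), as an added example that is not part of the original issue and not Jenkins project code: it walks a WAR, descends into nested .hpi/.jpi/.jar archives, and flags every sshd-common copy older than the fixed version 2.9.2. The function names are hypothetical, and the sample WAR is constructed in memory to mirror the reported path.

```python
import io
import re
import zipfile

ARCHIVE_EXT = (".war", ".hpi", ".jpi", ".jar")
FIXED = (2, 9, 2)  # "Fixed Version" of sshd-common from the scanner output above

def find_jars(data, artifact, prefix=""):
    """Walk nested archives; yield (path, version) for each <artifact>-<version>.jar."""
    pat = re.compile(r"(?:^|/)" + re.escape(artifact) + r"-(\d+(?:\.\d+)*)[^/]*\.jar$")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            path = f"{prefix}/{name}" if prefix else name
            m = pat.search(name)
            if m:
                yield path, m.group(1)
            elif name.lower().endswith(ARCHIVE_EXT):
                try:
                    yield from find_jars(zf.read(name), artifact, path)
                except zipfile.BadZipFile:
                    continue  # archive extension but not a readable zip; skip it

def audit(war_bytes, artifact="sshd-common"):
    """Return [(path, version, outdated)] for every bundled copy of the artifact."""
    out = []
    for path, ver in find_jars(war_bytes, artifact):
        outdated = tuple(int(p) for p in ver.split(".")) < FIXED
        out.append((path, ver, outdated))
    return out

def _zip(entries):
    """Build a zip archive in memory from {name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def build_sample_war():
    # Constructed sample mirroring the layout in the scanner finding; not a real jenkins.war.
    jar = _zip({"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n"})
    hpi = _zip({"WEB-INF/lib/sshd-common-2.9.1.jar": jar})
    return _zip({"WEB-INF/detached-plugins/mina-sshd-api-common.hpi": hpi,
                 "WEB-INF/lib/placeholder.jar": jar})

if __name__ == "__main__":
    for path, ver, outdated in audit(build_sample_war()):
        print(("OUTDATED " if outdated else "ok       ") + f"{ver}  {path}")
```

To check a real installation, pass the bytes of the WAR file (for example the `/usr/share/java/jenkins.war` named in the comment) to `audit()` instead of the sample.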

            Unassigned Unassigned
            fitzwar Andrew