CVE-2024-23898, CVE-2023-27899 and CVE-2023-43496 vulnerabilities on jenkins/jenkins:2.448-alpine-jdk17

Hi Team,

We are using Jenkins in our organization. We pulled the latest image jenkins/jenkins:2.448-alpine-jdk17 from Docker Hub and performed a Snyk scan, and it reports CVE-2024-23898, CVE-2023-27899 and CVE-2023-43496 as High vulnerabilities on the jenkins/jenkins:2.448-alpine-jdk17 image.

Can anyone please help us resolve the above vulnerabilities, or point us to an image with no vulnerabilities?

Regards,
Pruthvi.


Have you looked at what those vulnerabilities are before asking? That might give you a hint.


Yes @danielbeck, a couple of them are reported for default file permissions and one is reported for CLI WebSocket validation.

Right. And what’s the vulnerable component? And who published those CVEs?


Hi @danielbeck, I see those vulnerabilities belong to the security component and were published by NIST (NVD).


Don’t blindly trust scanners… Just taking the first CVE, you can quickly find


No, they’re all published by the Jenkins project. Specifically, me. NVD just takes our content and republishes it with their own “enhancements”.

And while NVD content is often wrong, even they don’t claim that 2.448 is affected. Either you’re actually scanning a different image (and then I would expect other results as well), or Snyk is pretty badly wrong.

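The check behind the reply above (is the scanned core version actually inside the affected range the advisory states?) as an added example, not code from the Jenkins project or from anyone in this thread. It applies the convention the Jenkins advisories use, "weekly up to and including X, LTS up to and including Y", so a weekly version is compared only against the weekly fix release and an LTS version only against the LTS fix release. The fix versions in the `ADVISORIES` table are reproduced from memory of the published advisories and are an assumption here; confirm them against the advisory pages before relying on the output. The tag parsing assumes the `jenkins/jenkins` naming scheme where the core version precedes the first `-`.

```python
"""Check a Jenkins core version against advisory fix versions.

Added example for the thread above; not Jenkins project code.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    cve: str
    fixed_weekly: str  # first weekly release that contains the fix
    fixed_lts: str     # first LTS release that contains the fix


# Fix versions as published in the Jenkins security advisories for these
# CVEs, reproduced from memory: treat this table as an assumption and
# verify it at https://www.jenkins.io/security/advisories/ before use.
ADVISORIES = [
    Advisory("CVE-2024-23898", fixed_weekly="2.442", fixed_lts="2.426.3"),
    Advisory("CVE-2023-43496", fixed_weekly="2.424", fixed_lts="2.414.2"),
    Advisory("CVE-2023-27899", fixed_weekly="2.394", fixed_lts="2.375.4"),
]

# Weekly releases are MAJOR.MINOR, LTS releases are MAJOR.MINOR.PATCH.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '2.448' into (2, 448) and '2.426.3' into (2, 426, 3)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"not a Jenkins core version: {version!r}")
    return tuple(int(g) for g in m.groups() if g is not None)


def is_lts(version: str) -> bool:
    """LTS releases carry a third component; weekly releases do not."""
    return len(parse_version(version)) == 3


def version_from_image_tag(tag: str) -> str:
    """Extract the core version from a jenkins/jenkins tag.

    Assumes the official tag layout, e.g. '2.448-alpine-jdk17' -> '2.448'
    and '2.426.2-lts-jdk17' -> '2.426.2'.
    """
    return tag.split("-", 1)[0]


def is_affected(version: str, adv: Advisory) -> bool:
    """True if `version` predates the fix release of its own release line.

    Advisories state affected ranges per line ("weekly <= X, LTS <= Y"),
    so an LTS version is never compared against the weekly fix release.
    """
    v = parse_version(version)
    fix = parse_version(adv.fixed_lts if is_lts(version) else adv.fixed_weekly)
    return v < fix


def affected_cves(image_tag: str) -> list[str]:
    """CVEs from ADVISORIES whose fix is absent from the given image tag."""
    version = version_from_image_tag(image_tag)
    return [adv.cve for adv in ADVISORIES if is_affected(version, adv)]


if __name__ == "__main__":
    # The tag from the original post: nothing in the table should apply.
    for tag in ("2.448-alpine-jdk17", "2.426.2-lts-jdk17", "2.441", "2.375.3"):
        hits = affected_cves(tag)
        print(f"{tag}: {', '.join(hits) if hits else 'not affected by listed CVEs'}")
```

Before trusting either this script or a scanner, make sure the version you compare is the one you actually run: `docker inspect` the pulled image for its digest and read `/usr/share/jenkins/ref/.version` (or `java -jar jenkins.war --version`) inside the container, since a mismatched tag or a cached older pull explains many "wrong version" findings.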

In this case, Snyk is obviously wrong. For example, Origin Validation Error in org.jenkins-ci.main:jenkins-core | CVE-2024-23898 | Snyk links to [SECURITY-3315] · jenkinsci/jenkins@de45096 · GitHub which looks like this:

Fix information in Snyk simply cannot be trusted. And it’s not just outdated: The statement that the fix is on master but unreleased was never true, as the release is always published before the commit.