Is Jenkins 2.440.3 impacted by CVE-2024-22262?

Jenkins setup: jenkins/jenkins:2.440.3-lts
We’re using the Docker image releases of Jenkins, preferring the LTS line in our environment, but since we’ve enforced Trivy scans for all our “infra”/tools before their deployment, we basically cannot upgrade/update our Jenkins instances, because Trivy detects CVE-2024-22262 on the latest (and of course previous) LTS release.
The CVE info can be found in many publicly accessible security advisories and is reported by Trivy on the LTS image as follows:

┌──────────────────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────────────┬───────────────────────────────────────────────────┐
│ Library                                      │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version         │ Title                                             │
├──────────────────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────────────┼───────────────────────────────────────────────────┤
│ org.springframework:spring-web (jenkins.war) │ CVE-2024-22262 │ HIGH     │ fixed  │ 5.3.33            │ 5.3.34, 6.0.19, 6.1.6 │ springframework: URL Parsing with Host Validation │
└──────────────────────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────────────┴───────────────────────────────────────────────────┘

Is there a plan to release a fixed 2.440.4-lts free of said vulnerability and potentially of all high/critical vulnerabilities known at the time of release, or is this vulnerability detection just a false positive/not impacting Jenkins and should it be excluded from Trivy checks? If the latter, where can I find a documentation entry from Jenkins stating that this is to be treated as a false positive in the official Jenkins image? I’ve checked the Jenkins Advisories page but haven’t found any statement regarding this CVE being a false positive or which LTS version could be coming with a fix… I’m simply wondering, if the Jenkins team is using GitHub to build and publish the images and this CVE has been known for quite a while, why wasn’t it addressed before the latest images were pushed to the registry?

1 Like

There is no plan to release 2.440.4. The next LTS release will be 2.452.1 and is scheduled for next Wednesday, May 15, 2024. The Jenkins calendar shows upcoming releases.

That vulnerability is a false positive as far as I can tell. The CVE-2024-22262 report from the Spring project says:

Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect attack or to an SSRF attack if the URL is used after passing validation checks.

This is the same as CVE-2024-22259 and CVE-2024-22243, but with different input.

Jenkins core does not use UriComponentsBuilder. Based on the description text of the CVE, it is not vulnerable.

The Jenkins project does not generally publish declarations that vulnerability reports in dependencies are false positives. The “Non-issues” section of the reporting vulnerabilities page says:

We do not consider the following issues to be vulnerabilities in Jenkins (core + plugins):

  • Vulnerabilities in dependencies without a plausible or demonstrated exploit will not be treated as vulnerabilities. While we may inform maintainers about the need to update their dependencies and track progress in the SECURITY Jira project, no security advisory will be published for these.

If you have a plausible or demonstrated exploit in a dependency, please follow the instructions in the reporting vulnerabilities page and report it through the process that is described there.

2 Likes
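The reply above rests on one checkable claim: the advisory only applies to code that calls UriComponentsBuilder, and Jenkins core does not. The following script is an added example (not Jenkins project code, not Trivy code) that lets you verify that claim against the WAR you actually deploy instead of trusting a version-number match. It searches the bytecode of every class in the archive, including classes inside nested jars under WEB-INF/lib, for the internal name of that class, and skips the dependency's own classes. Assumptions: anything under the package prefix org/springframework/ belongs to the dependency rather than to a caller, and the sample WAR built by build_sample_war is constructed data for demonstration, not a real Jenkins artifact.

```python
"""Added triage check (not Jenkins project code): does a WAR actually reference
the class that CVE-2024-22262 concerns?

Trivy flags the dependency version; this script instead looks for the
internal class name org/springframework/web/util/UriComponentsBuilder in the
constant pools of every .class file in the WAR, including classes packed in
nested jars under WEB-INF/lib. Assumption: classes under org/springframework/
are the dependency itself and are skipped, since the defining jar naturally
mentions its own class name.
"""
import io
import os
import tempfile
import zipfile

# Internal (slash-separated) class name as it appears in a class constant pool.
TARGET_CLASS = b"org/springframework/web/util/UriComponentsBuilder"
OWN_PACKAGE = "org/springframework/"   # assumed: the dependency's own package
CLASSES_DIR = "WEB-INF/classes/"


def _scan_archive(data, label, target, own_package):
    """Recursively scan an in-memory zip and return 'archive!entry' labels of
    classes that mention `target` and are outside the dependency's package."""
    refs = set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.endswith((".jar", ".war")):
                refs |= _scan_archive(zf.read(name), f"{label}!{name}", target, own_package)
                continue
            if not name.endswith(".class"):
                continue
            # Classes under WEB-INF/classes/ are named relative to that directory.
            rel = name[len(CLASSES_DIR):] if name.startswith(CLASSES_DIR) else name
            if rel.startswith(own_package):
                continue
            if target in zf.read(name):
                refs.add(f"{label}!{name}")
    return refs


def find_references(war_path, target=TARGET_CLASS, own_package=OWN_PACKAGE):
    """Return a sorted list of classes outside the dependency that reference
    `target`. An empty list supports treating the scanner finding as a false
    positive for this particular application."""
    with open(war_path, "rb") as f:
        data = f.read()
    return sorted(_scan_archive(data, os.path.basename(war_path), target, own_package))


def _class_bytes(names):
    """Constructed stand-in for a compiled class: the JVM magic number followed
    by the given strings, enough for a constant-pool style byte search."""
    return b"\xca\xfe\xba\xbe" + b"\x00".join(names)


def build_sample_war(path):
    """Write a constructed WAR: the dependency jar defining the class, an app
    jar whose filter references it, and one application class that does not."""
    def jar(entries):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for name, content in entries.items():
                zf.writestr(name, content)
        return buf.getvalue()

    spring_web = jar({TARGET_CLASS.decode() + ".class": _class_bytes([TARGET_CLASS])})
    app_lib = jar({"com/example/RedirectFilter.class":
                   _class_bytes([b"com/example/RedirectFilter", TARGET_CLASS])})
    with zipfile.ZipFile(path, "w") as war:
        war.writestr("WEB-INF/lib/spring-web.jar", spring_web)
        war.writestr("WEB-INF/lib/app-lib.jar", app_lib)
        war.writestr("WEB-INF/classes/com/example/HealthCheck.class",
                     _class_bytes([b"com/example/HealthCheck"]))


def run_demo():
    """Build the constructed WAR in a temp dir and return what the scan finds:
    only the application class, never the dependency's own definition."""
    with tempfile.TemporaryDirectory() as tmp:
        war = os.path.join(tmp, "sample.war")
        build_sample_war(war)
        return find_references(war)


if __name__ == "__main__":
    for ref in run_demo():
        print("references UriComponentsBuilder:", ref)
```

Against a real image, point find_references at the WAR shipped in the container (the official jenkins/jenkins image keeps it at /usr/share/jenkins/jenkins.war). Two caveats: the search only finds direct bytecode references, so reflective use would be missed, and plugins live outside the WAR as .hpi/.jpi archives under JENKINS_HOME, so if you need the same assurance for plugins, extend the archive suffix check to those extensions and scan the plugins directory too. If the result is empty and you decide to accept the finding, a .trivyignore file listing CVE-2024-22262 records that decision alongside the scan configuration rather than in someone's head.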