Is Jenkins 2.440.3 impacted by CVE-2024-22262?

There is no plan to release 2.440.4. The next LTS release will be 2.452.1 and is scheduled for next Wednesday, May 15, 2024. The Jenkins calendar shows upcoming releases.

That vulnerability is a false positive as far as I can tell. The CVE-2024-22262 report from the Spring project says:

Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect attack or to an SSRF attack if the URL is used after passing validation checks.

This is the same as CVE-2024-22259 and CVE-2024-22243, but with different input.

Jenkins core does not use UriComponentsBuilder. Based on the description text of the CVE, it is not vulnerable.

The Jenkins project does not generally publish declarations that vulnerability reports in dependencies are false positives. The “Non-issues” section of the reporting vulnerabilities page says:

We do not consider the following issues to be vulnerabilities in Jenkins (core + plugins):

  • Vulnerabilities in dependencies without a plausible or demonstrated exploit will not be treated as vulnerabilities. While we may inform maintainers about the need to update their dependencies and track progress in the SECURITY Jira project, no security advisory will be published for these.

If you have a plausible or demonstrated exploit in a dependency, please follow the instructions in the reporting vulnerabilities page and report it through the process that is described there.

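The reply above rests on the claim that Jenkins core does not reference UriComponentsBuilder, even though the spring-web jar that defines it is bundled. That claim can be checked against an actual WAR rather than taken on faith: a JVM class that uses another class carries that class's internal name in its constant pool, so a byte search over every .class file in the WAR and in each WEB-INF/lib jar shows which jars actually reference the class. Hits inside spring-web itself are expected (its own helpers reference the builder); hits in core classes or any other jar would mean the description in the CVE could apply. The following is an added example and is not code from the forum post or from the Jenkins project. It assumes spring-web is bundled under a WEB-INF/lib/spring-web-* name, and the miniature WAR it builds for demonstration is constructed here with stand-in "class files" (magic bytes plus names, not real bytecode).

```python
"""Find which jars inside a WAR reference a given JVM class (added example).

A compiled class that calls, extends or declares a field of another class
stores that class's internal name (slash-separated) as a UTF8 constant-pool
entry, so a raw byte search per .class entry is enough to locate references
without a bytecode parser. Run against a real file: python scan_war.py jenkins.war
"""
import io
import sys
import zipfile
from collections import defaultdict

TARGET = "org/springframework/web/util/UriComponentsBuilder"
# Assumption: the jar that defines the target class is bundled under this name.
DEFINING_JAR_PREFIX = "WEB-INF/lib/spring-web-"


def find_class_references(war_bytes, target=TARGET):
    """Return {jar path in WAR (or '<war root>'): [class entries referencing target]}.

    Scans .class entries directly in the WAR (WEB-INF/classes) and inside every
    nested WEB-INF/lib/*.jar. The target class itself and its inner classes are
    skipped, since they trivially contain their own name.
    """
    needle = target.encode()
    hits = defaultdict(list)

    def scan_zip(zf, label):
        for name in zf.namelist():
            if not name.endswith(".class") or name.startswith(target):
                continue
            if needle in zf.read(name):
                hits[label].append(name)

    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        scan_zip(war, "<war root>")
        for entry in war.namelist():
            if entry.startswith("WEB-INF/lib/") and entry.endswith(".jar"):
                with zipfile.ZipFile(io.BytesIO(war.read(entry))) as jar:
                    scan_zip(jar, entry)
    return dict(hits)


def references_outside_defining_jar(hits, defining_jar_prefix=DEFINING_JAR_PREFIX):
    """Locations that reference the class other than the jar defining it.

    An empty list supports the 'dependency is present but unused' argument;
    anything listed here is code that actually calls into the class."""
    return sorted(k for k in hits if not k.startswith(defining_jar_prefix))


def _fake_class(internal_name, referenced=()):
    """CONSTRUCTED stand-in for a .class file: the class-file magic plus the
    internal names a real constant pool would carry. Not real bytecode."""
    body = b"\xca\xfe\xba\xbe" + internal_name.encode()
    for ref in referenced:
        body += b"\x01" + ref.encode()
    return body


def _zip_bytes(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_war(with_plugin_reference=False):
    """CONSTRUCTED miniature WAR: spring-web defines the class and uses it
    internally, a core class and another dependency do not; optionally a third
    (hypothetical) jar references it, modelling the case the CVE describes."""
    spring_web = _zip_bytes({
        TARGET + ".class": _fake_class(TARGET),
        "org/springframework/web/util/ServletUriComponentsBuilder.class":
            _fake_class("org/springframework/web/util/ServletUriComponentsBuilder", [TARGET]),
    })
    other_dep = _zip_bytes({
        "com/example/dep/Util.class": _fake_class("com/example/dep/Util", ["java/net/URI"]),
    })
    entries = {
        "WEB-INF/classes/hudson/Util.class": _fake_class("hudson/Util", ["java/net/URL"]),
        "WEB-INF/lib/spring-web-6.1.5.jar": spring_web,  # constructed version string
        "WEB-INF/lib/some-dep-1.0.jar": other_dep,
    }
    if with_plugin_reference:
        entries["WEB-INF/lib/acme-thing-1.0.jar"] = _zip_bytes({
            "com/acme/Redirector.class": _fake_class("com/acme/Redirector", [TARGET]),
        })
    return _zip_bytes(entries)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
    else:
        data = build_sample_war()
    found = find_class_references(data)
    for jar, classes in found.items():
        print(jar)
        for cls in classes:
            print("   ", cls)
    print("references outside", DEFINING_JAR_PREFIX + "*:",
          references_outside_defining_jar(found) or "none")
```

Running it against a real jenkins.war lists every jar containing a reference; the interesting output is the final line. Plugins are installed separately under JENKINS_HOME/plugins as .jpi/.hpi archives with the same layout, so the same scan should be pointed at each of those before concluding that a whole installation is unaffected, since the reply above speaks only for core.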