One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '8.0'

swsing · February 12, 2023, 8:19am

I am building and running my shared library project developed in Jenkins groovy. While running the project, I get the below warning:

One or more dependencies were identified with known vulnerabilities in Jenkins Shared Pipeline Library:
script-security-1229.v4880b_b_e905a_6.jar (pkg:maven/org.jenkins-ci.plugins/script-security@1229.v4880b_b_e905a_6, cpe:2.3:a:jenkins:script_security:1229.v4880.e905:a_6:*:*:*:*:*:*) : CVE-2023-24422

Version of dependency/plugin in pom.xml file:

org.owasp.dependency-check-maven - 8.0.1
org.jenkins-ci.plugins.script-security - 1229.v4880b_b_e905a_6

What is the reason for this issue and any idea on how to fix it?

halkeye · February 12, 2023, 8:28am

How do you fix using a version with a security issue? Upgrade to a newer version.

swsing · February 12, 2023, 1:44pm

Hi @halkeye ,
Even with the latest version of org.jenkins-ci.plugins.script-security and org.owasp.dependency-check-maven(8.0.2), I get the same warning.

Topic		Replies	Views
Mitigating CVE-2023-27898 XSS vulnerability in plugin manager and related Ask a question question , sig-security	1	723	March 16, 2023
Vulnerabilities on Jenkins LTS 2.401.1 Ask a question question , docker	5	689	August 8, 2023
CVE-2024-23898, CVE-2023-27899 and CVE-2023-43496 vulnerabilities on jenkins/jenkins:2.448-alpine-jdk17 Community question	7	326	March 13, 2024
Jenkins Warnings Using Jenkins	3	714	March 28, 2023
Discrepancy between Jenkins Documentation and CVE Sources for CVE-2024-23897 Using Jenkins sig-security	0	101	February 28, 2024

One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '8.0'

Related Topics