Hi, Our server is reporting spring vulnerability in Jenkins(v2.401.3) on below paths
/data01/jenkins/%C/jenkins/war/WEB-INF/lib/spring-core-5.3.27.jar
/var/cache/jenkins/war/WEB-INF/lib/spring-core-5.3.14.jar
/var/cache/jenkins-bkp/war/WEB-INF/lib/spring-core-2.5.6.SEC03.jar
/data01/jenkins/%C/jenkins/war/WEB-INF/lib/spring-core-5.3.27.jar
Do we have higher version of Spring Framework Jar (5.3.32) in higher LTS of Jenkins? If not ,Are we planning to upgrade Spring jars to higher version?
A reply from @NotMyFault to JENKINS-72879 says that vulnerability does not affect Jenkins. You should probably inform your scanner vendor that the scanner is incorrect in that case.
I think that you should be much more concerned about the known security vulnerabilities in Jenkins 2.401.3. The January 24, 2024 Jenkins security advisory provides more details and advises that an upgrade to Jenkins 2.426.3 or newer is the best mitigation for the reported issues.
The security advisory is discussed further in the “What’s new in Jenkins 2.426.3” live stream.
You should probably also be more concerned if the operating system running Jenkins is CentOS 7 or another Red Hat Enterprise Linux 7 derivative. RHEL 7 end of life in Jenkins was Nov 16, 2023. Red Hat will end their public support of RHEL 7 June 30, 2024.