jenkinsci/docker

CVE-2024-22201 still appears in jenkins/jenkins:2.444-jdk11 image

pxenofontos opened this issue · 2 comments

Jenkins and plugins versions report

Environment
Paste the output here

What Operating System are you using (both controller, and any agents involved in the problem)?

From official documentation from the security advisory https://www.jenkins.io/security/advisory/2024-03-20/#jenkins-security-advisory-2024-03-20, CVE-2024-22201 should have been fixed in 2.444-jdk11. In our scans with Twistlock version 32.03.125 the vulnerability still persists.

On Jenkins version:

Reproduction steps

  1. Pull down the official docker image jenkins/jenkins:2.444-jdk11 (Published 6-2-2024 at 1:52 hashID:sha256:338d6c495f56720b07cc1f8d6b5c8a29127c4496c35c5fc5f53461731d7b491e)
  2. Use Twistlock version 32.03.125 to scan this docker image

Expected Results

No CVE-2024-22201 should be detected in jenkins/jenkins:2.444-jdk11 as per the fix mentioned in the security advisory

Actual Results

The vulnerability appears in our Twistlock scans as high

Anything else?

Could we please get some insight as to why this happens?

Are you interested in contributing a fix?

No response
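The reproduction steps above rely entirely on the scanner's verdict. As an added example (not part of this issue and not code from the jenkinsci/docker project), the POSIX shell script below checks the artifact itself: it reads the Jenkins core version bundled in the image and compares it against the 2.444 that the issue quotes from the advisory, and it checks the local image's repo digest against the one the reporter lists. The war location /usr/share/jenkins/jenkins.war is assumed to match the official image; the version comparison is written for the weekly line, so for an LTS tag substitute the LTS version the advisory names.

```shell
#!/bin/sh
# Added example: verify what a jenkins/jenkins image actually ships instead of
# trusting a scanner's verdict. Values taken from the issue: the image tag, its
# digest and the "fixed in 2.444" claim. The war path is an assumption about
# the official image layout.

IMAGE="jenkins/jenkins:2.444-jdk11"
FIXED_IN="2.444"
EXPECTED_DIGEST="sha256:338d6c495f56720b07cc1f8d6b5c8a29127c4496c35c5fc5f53461731d7b491e"
JENKINS_WAR="/usr/share/jenkins/jenkins.war"   # assumed location in the official image

# version_ge A B: succeed when dotted version A >= B, comparing each numeric
# component in turn (2.443 < 2.444, 2.440.1 < 2.444, 2.444 < 2.444.1).
# A missing component counts as 0, so 2.444 and 2.444.0 compare equal.
version_ge() {
    a="$1." b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; a=${a#*.}
        y=${b%%.*}; b=${b#*.}
        x=${x:-0};  y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
    done
    return 0
}

# image_jenkins_version IMAGE: print the Jenkins version bundled in the image.
# jenkins.war understands --version; the image entrypoint is bypassed so only
# that query runs. Requires docker and a locally available image.
image_jenkins_version() {
    docker run --rm --entrypoint java "$1" -jar "$JENKINS_WAR" --version
}

# digest_matches IMAGE DIGEST: succeed when the local image's first repo digest
# ends in DIGEST, i.e. it is the same image the issue describes.
digest_matches() {
    d=$(docker image inspect --format '{{index .RepoDigests 0}}' "$1") || return 2
    case "$d" in
        *@"$2") return 0 ;;
        *)      echo "digest mismatch: got $d" >&2; return 1 ;;
    esac
}

# check_image IMAGE: report whether the bundled core is at or above FIXED_IN.
# Exit 0 = fixed version present, 1 = core predates the fix, 2 = could not read.
check_image() {
    ver=$(image_jenkins_version "$1") || return 2
    if version_ge "$ver" "$FIXED_IN"; then
        echo "$1: Jenkins $ver >= $FIXED_IN (core carries the advisory's fix)"
    else
        echo "$1: Jenkins $ver < $FIXED_IN (core predates the fix)"
        return 1
    fi
}

# Run the live checks only when an image is named on the command line, so the
# helper functions can also be sourced and used on their own.
if [ "$#" -gt 0 ]; then
    digest_matches "$1" "$EXPECTED_DIGEST" || echo "note: not the digest quoted in the issue" >&2
    check_image "$1"
fi
```

Invoke it as `sh check-jenkins-image.sh jenkins/jenkins:2.444-jdk11` after pulling the image. If the bundled core reports 2.444 or later while the scanner still flags CVE-2024-22201, the discrepancy lies in the scanner's matching rules rather than in the image, which is the evidence to hand to the scanner vendor.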

I guess you should contact Twistlock and request they fix their scanning tool?

Let's see what other contributors might say but I don't see what the Jenkins project could do about that (as the reference here is the security advisory you posted).

A few notes:

  • 2.444 is a 7-week-old "weekly" release: are the latest weekly or even LTS releases still marked as vulnerable by Twistlock?
  • Is the 2.444-jdk17 (default and recommended) marked as well?

Closing because Twistlock is not the authoritative source for vulnerabilities in Jenkins. The Jenkins security team is the authoritative source for vulnerabilities in Jenkins.