-
Bug
-
Resolution: Fixed
-
Major
-
None
The library commons-io contains a vulnerability in all released versions. The correction is planned for 2.7, but unreleased yet. To prevent any issue with this library, please ensure you are not using FileNameUtils.normalize and post your analysis here.
Ticket to follow the vulnerability:
https://issues.apache.org/jira/browse/IO-559
Although the plugin may not use the dependency the way it's exploitable, it's better to avoid the buggy dependency in order to:
- avoid security reports warning about that
- avoid future risky uses of the library that may exploit the vulnerability
If you like, you can use the bom approach to avoid dealing with the right version, it will take the one used by Jenkins core: https://jenkins.io/doc/developer/plugin-development/dependency-management/
Thank you.
by Ramón León
- relates to
-
-
- Fixed but Unreleased
-
[JENKINS-61511] Outdated/vulnerable dependency (commons-io)
| Description |
Original:
The library *_commons-io_* contains a vulnerability in all released versions. The correction is planned for 2.7, but unreleased yet. To prevent any issue with this library, please ensure you are not using _FileNameUtils.normalize_ and post your analysis here. Ticket to follow the vulnerability: https://issues.apache.org/jira/browse/IO-559 _by_ [_Ramón León_|https://issues.jenkins-ci.org/secure/ViewProfile.jspa?name=MRamonLeon] |
New:
The library *_commons-io_* contains a vulnerability in all released versions. The correction is planned for 2.7, but unreleased yet. To prevent any issue with this library, please ensure you are not using _FileNameUtils.normalize_ and post your analysis here. Ticket to follow the vulnerability: https://issues.apache.org/jira/browse/IO-559 Although the plugin may not use the dependency the way it's exploitable, it's better to avoid the buggy dependency in order to: * avoid security reports warning about that * avoid future risky uses of the library that may exploit the vulnerability If you like, you can use the bom approach to avoid dealing with the right version, it will take the one used by Jenkins core: https://jenkins.io/doc/developer/plugin-development/dependency-management/ Thank you. _by_ [_Ramón León_|https://issues.jenkins-ci.org/secure/ViewProfile.jspa?name=MRamonLeon] |
| Link |
New:
This issue relates to |
Don McCasland
made changes -
| Status | Original: Open [ 1 ] | New: In Progress [ 3 ] |
Don McCasland
made changes -
| Assignee | Original: Craig Barber [ craigbarber ] | New: Don McCasland [ donmccasland ] |
Don McCasland
made changes -
| Resolution | New: Fixed [ 1 ] | |
| Status | Original: In Progress [ 3 ] | New: Fixed but Unreleased [ 10203 ] |
Don McCasland
made changes -
| Status | Original: Fixed but Unreleased [ 10203 ] | New: Resolved [ 5 ] |
https://github.com/jenkinsci/google-storage-plugin/pull/113