The library commons-io contains a vulnerability in all released versions. The correction is planned for 2.7, but not released yet. To prevent any issue with this library, please ensure you are not using FileNameUtils.normalize and post your analysis here.

      Ticket to follow the vulnerability:

      https://issues.apache.org/jira/browse/IO-559

      Although the plugin may not use the dependency the way it's exploitable, it's better to avoid the buggy dependency in order to:

      * avoid security reports warning about that
      * avoid future risky uses of the library that may exploit the vulnerability

      If you like, you can use the bom approach to avoid dealing with the right version; it will take the one used by Jenkins core: https://jenkins.io/doc/developer/plugin-development/dependency-management/

      Thank you.

      by Ramón León
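The "bom approach" referred to in the description, shown as an added example that is not part of the ticket or of any particular plugin's pom.xml. The fragment imports the Jenkins plugin BOM into `dependencyManagement` so that the plugin stops pinning commons-io itself and instead resolves the version managed for the Jenkins core line it targets. The BOM line (`bom-2.222.x`) and version (`4`) are assumptions chosen for illustration; take the current coordinates from the dependency-management page linked in the description and match the line to the plugin's `jenkins.version`. The commented-out "before" pin of `2.6` is the kind of hand-pinned version the ticket asks plugins to drop (2.6 is a released version, and the ticket says all released versions are affected).

```xml
<!-- Added example, not the ticket's or any plugin's own pom.xml.
     Other plugin pom content (parent, properties, packaging hpi, ...) is omitted. -->
<project>

  <dependencyManagement>
    <dependencies>
      <dependency>
        <!-- Jenkins plugin BOM; it also manages the versions of libraries
             shared with Jenkins core, commons-io among them. -->
        <groupId>io.jenkins.tools.bom</groupId>
        <!-- Assumption: pick the BOM line matching the plugin's jenkins.version. -->
        <artifactId>bom-2.222.x</artifactId>
        <!-- Assumption: use the latest release listed in the linked documentation. -->
        <version>4</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- Before: version pinned by the plugin, drifting from what core ships.
    <dependency>
      <groupId>commons-io</groupId>
      <artifactId>commons-io</artifactId>
      <version>2.6</version>
    </dependency>
    -->

    <!-- After: no version here; Maven takes it from the imported BOM.
         Only declare this at all if the plugin calls commons-io directly. -->
    <dependency>
      <groupId>commons-io</groupId>
      <artifactId>commons-io</artifactId>
    </dependency>
  </dependencies>

</project>
```

Two checks belong with this change. First, confirm what actually got resolved with `mvn dependency:tree -Dincludes=commons-io:commons-io`; if the build instead fails with a "version is missing" error for commons-io, the imported BOM line does not manage that artifact and the version has to come from a newer line or be set explicitly. Second, for the "post your analysis" part of the ticket, search the plugin sources for direct calls: the real class name is `org.apache.commons.io.FilenameUtils` (lower-case n), so grep for `FilenameUtils.normalize` as well as the spelling used in the ticket.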

          [JENKINS-61511] Outdated/vulnerable dependency (commons-io)

          CloudBees Foundation Security created issue -
          CloudBees Foundation Security made changes -
          Description Original: The library *_commons-io_* contains a vulnerability in all released versions. The correction is planned for 2.7, but not released yet. To prevent any issue with this library, please ensure you are not using _FileNameUtils.normalize_ and post your analysis here.

          Ticket to follow the vulnerability:

          https://issues.apache.org/jira/browse/IO-559

          _by_ [_Ramón León_|https://issues.jenkins-ci.org/secure/ViewProfile.jspa?name=MRamonLeon]
          New: The library *_commons-io_* contains a vulnerability in all released versions. The correction is planned for 2.7, but not released yet. To prevent any issue with this library, please ensure you are not using _FileNameUtils.normalize_ and post your analysis here.

          Ticket to follow the vulnerability:

          https://issues.apache.org/jira/browse/IO-559

          Although the plugin may not use the dependency the way it's exploitable, it's better to avoid the buggy dependency in order to:

          * avoid security reports warning about that
          * avoid future risky uses of the library that may exploit the vulnerability
          If you like, you can use the bom approach to avoid dealing with the right version; it will take the one used by Jenkins core: https://jenkins.io/doc/developer/plugin-development/dependency-management/

          Thank you.

          _by_ [_Ramón León_|https://issues.jenkins-ci.org/secure/ViewProfile.jspa?name=MRamonLeon]
          CloudBees Foundation Security made changes -
          Link New: This issue relates to JENKINS-61666 [ JENKINS-61666 ]
          Don McCasland made changes -
          Status Original: Open [ 1 ] New: In Progress [ 3 ]
          Don McCasland made changes -
          Assignee Original: Craig Barber [ craigbarber ] New: Don McCasland [ donmccasland ]
          Don McCasland made changes -
          Resolution New: Fixed [ 1 ]
          Status Original: In Progress [ 3 ] New: Fixed but Unreleased [ 10203 ]
          Don McCasland made changes -
          Status Original: Fixed but Unreleased [ 10203 ] New: Resolved [ 5 ]

            Assignee: Don McCasland (donmccasland)
            Reporter: CloudBees Foundation Security (foundation_security_members)