JENKINS-61511: Outdated/vulnerable dependency (commons-io)

Details

    Description

      The library commons-io contains a vulnerability in all released versions. The correction is planned for 2.7, which is not yet released. To prevent any issue with this library, please ensure you are not using FilenameUtils.normalize and post your analysis here.

      Ticket to follow the vulnerability:

      https://issues.apache.org/jira/browse/IO-559

      Although the plugin may not use the dependency in the way it is exploitable, it is better to avoid the buggy dependency in order to:

        * avoid security reports warning about that
        * avoid future risky uses of the library that may exploit the vulnerability

      If you like, you can use the BOM approach to avoid dealing with the right version; it will take the one used by Jenkins core: https://jenkins.io/doc/developer/plugin-development/dependency-management/

      Thank you.

      by Ramón León
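      The two ways a plugin POM can end up with commons-io, shown side by side as an added example (this is not from the ticket, the plugin, or the Jenkins project's own POMs): the weak form pins an old commons-io version inside the plugin, the recommended form imports the Jenkins plugin BOM so the version is inherited from the Jenkins core line the plugin builds against. The BOM coordinates io.jenkins.tools.bom / bom-2.222.x are the ones documented on the dependency-management page linked above; the pinned version 2.4 is a constructed example of an old pin, and BOM_VERSION_PLACEHOLDER must be replaced with the BOM release matching your jenkins.version.

```xml
<!-- BEFORE (weak): the plugin pins its own commons-io, so an outdated copy ships
     with the plugin no matter which version Jenkins core provides.
     2.4 is a constructed example of an old pin; per IO-559 every release before 2.7 is affected. -->
<dependencies>
  <dependency>
    <groupId>commons-io</groupId>
    <artifactId>commons-io</artifactId>
    <version>2.4</version>
  </dependency>
</dependencies>

<!-- AFTER (the BOM approach the ticket recommends): import the Jenkins plugin BOM
     once, then declare commons-io without a version. The version is managed by the
     BOM, which follows the commons-io used by the Jenkins core baseline, so the plugin
     picks up core's upgrade to a fixed release instead of carrying its own stale pin. -->
<dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>io.jenkins.tools.bom</groupId>
      <!-- choose the artifact that matches your jenkins.version baseline (assumption: 2.222.x) -->
      <artifactId>bom-2.222.x</artifactId>
      <!-- placeholder: look up the current BOM release on the linked documentation page -->
      <version>BOM_VERSION_PLACEHOLDER</version>
      <scope>import</scope>
      <type>pom</type>
    </dependency>
  </dependencies>
</dependencyManagement>

<dependencies>
  <dependency>
    <groupId>commons-io</groupId>
    <artifactId>commons-io</artifactId>
    <!-- no <version>: managed by the imported BOM -->
  </dependency>
</dependencies>
```

      To confirm the change took effect, "mvn dependency:tree -Dincludes=commons-io:commons-io" prints the commons-io version that actually resolves for the plugin; the usage check the ticket asks each plugin to report is simply a search of the plugin sources for "FilenameUtils.normalize" (for example "grep -rn FilenameUtils.normalize src/main/java").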

      Activity

            foundation_security_members CloudBees Foundation Security created issue -
            foundation_security_members CloudBees Foundation Security made changes -
            Field: Description

            Original value:

            The library commons-io contains a vulnerability in all released versions. The correction is planned for 2.7, but unreleased yet. To prevent any issue with this library, please ensure you are not using FilenameUtils.normalize and post your analysis here.

            Ticket to follow the vulnerability:

            https://issues.apache.org/jira/browse/IO-559

            by Ramón León (https://issues.jenkins-ci.org/secure/ViewProfile.jspa?name=MRamonLeon)

            New value:

            The library commons-io contains a vulnerability in all released versions. The correction is planned for 2.7, but unreleased yet. To prevent any issue with this library, please ensure you are not using FilenameUtils.normalize and post your analysis here.

            Ticket to follow the vulnerability:

            https://issues.apache.org/jira/browse/IO-559

            Although the plugin may not use the dependency the way it's exploitable, it's better to avoid the buggy dependency in order to:

            * avoid security reports warning about that
            * avoid future risky uses of the library that may exploit the vulnerability

            If you like, you can use the BOM approach to avoid dealing with the right version; it will take the one used by Jenkins core: https://jenkins.io/doc/developer/plugin-development/dependency-management/

            Thank you.

            by Ramón León (https://issues.jenkins-ci.org/secure/ViewProfile.jspa?name=MRamonLeon)
            foundation_security_members CloudBees Foundation Security made changes -
            Link: This issue relates to JENKINS-61666
            donmccasland Don McCasland added a comment - https://github.com/jenkinsci/google-storage-plugin/pull/113
            donmccasland Don McCasland made changes -
            Status: Open [ 1 ] -> In Progress [ 3 ]
            donmccasland Don McCasland made changes -
            Assignee: Craig Barber [ craigbarber ] -> Don McCasland [ donmccasland ]
            donmccasland Don McCasland made changes -
            Resolution: Fixed [ 1 ]
            Status: In Progress [ 3 ] -> Fixed but Unreleased [ 10203 ]
            jhartley Jeremy Hartley added a comment - Thanks donmccasland - Do we have a timeline for release?
            donmccasland Don McCasland made changes -
            Status: Fixed but Unreleased [ 10203 ] -> Resolved [ 5 ]

            People

              Assignee: Don McCasland (donmccasland)
              Reporter: CloudBees Foundation Security (foundation_security_members)
              Votes: 0
              Watchers: 3