JENKINS-61666: Outdated/vulnerable dependency (commons-io)


Details

    Description

      The plugin includes a library (commons-io) with a vulnerability. Please update it to 2.6. In addition to that, a second vulnerability is present in 2.6 on the method FilenameUtils.normalize. As the correction is planned for 2.7 but this version is not yet released, please ensure you are not using this method in your code and provide your finding in this ticket.

      Ticket to follow the second vulnerability:

      https://issues.apache.org/jira/browse/IO-559

      Although the plugin may not use the dependency the way it's exploitable, it's better to avoid the buggy dependency in order to:

      Thank you.
      by Félix Queiruga
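The two checks the ticket asks a plugin maintainer to perform (is the declared commons-io version at least 2.6, and does the code call `FilenameUtils.normalize` at all) can be automated. The script below is an added example and is not part of this ticket, the google-oauth-plugin, or commons-io; the pom.xml and the Java source it audits are constructed samples, and the 2.6 threshold is the one stated in the ticket.

```python
"""Added example (not code from the ticket or the plugin): audit a Maven
pom.xml for the commons-io version and scan Java source for calls to
FilenameUtils.normalize, the method that JENKINS-61666 says is still
affected in commons-io 2.6 (tracked upstream as IO-559)."""
import re
import xml.etree.ElementTree as ET

MAVEN_NS = {"m": "http://maven.apache.org/POM/4.0.0"}
MIN_SAFE_VERSION = (2, 6)  # minimum version the ticket asks for
UNSAFE_METHOD = re.compile(r"\bFilenameUtils\s*\.\s*normalize\s*\(")

# Constructed sample pom.xml: declares commons-io 2.4 through a property.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <commons-io.version>2.4</commons-io.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>commons-io</groupId>
      <artifactId>commons-io</artifactId>
      <version>${commons-io.version}</version>
    </dependency>
  </dependencies>
</project>"""

# Constructed sample source: one call to normalize, one harmless call.
SAMPLE_SOURCES = {
    "src/main/java/Example.java": (
        "import org.apache.commons.io.FilenameUtils;\n"
        "class Example {\n"
        "  String clean(String p) { return FilenameUtils.normalize(p); }\n"
        "  String base(String p) { return FilenameUtils.getName(p); }\n"
        "}\n"
    ),
}


def parse_version(text):
    """Turn '2.6' or '2.7-SNAPSHOT' into a comparable tuple of ints;
    non-numeric suffixes are dropped."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def commons_io_version(pom_xml):
    """Return the declared commons-io version, or None if not declared.
    ${property} references are resolved from the <properties> block."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", MAVEN_NS)}
    for dep in root.iterfind(".//m:dependency", MAVEN_NS):
        gid = dep.findtext("m:groupId", default="", namespaces=MAVEN_NS).strip()
        aid = dep.findtext("m:artifactId", default="", namespaces=MAVEN_NS).strip()
        if (gid, aid) != ("commons-io", "commons-io"):
            continue
        ver = dep.findtext("m:version", default="", namespaces=MAVEN_NS).strip()
        m = re.fullmatch(r"\$\{(.+)\}", ver)
        if m:
            ver = props.get(m.group(1), "")
        return ver or None
    return None


def version_is_outdated(pom_xml):
    """True when commons-io is declared below the version the ticket requires."""
    ver = commons_io_version(pom_xml)
    return ver is not None and parse_version(ver) < MIN_SAFE_VERSION


def find_normalize_calls(sources):
    """sources: {path: java_text}. Returns (path, line_no, line) for every
    line that calls FilenameUtils.normalize."""
    hits = []
    for path, text in sources.items():
        for no, line in enumerate(text.splitlines(), 1):
            if UNSAFE_METHOD.search(line):
                hits.append((path, no, line.strip()))
    return hits


if __name__ == "__main__":
    print("commons-io version:", commons_io_version(SAMPLE_POM),
          "(outdated)" if version_is_outdated(SAMPLE_POM) else "(ok)")
    for path, no, line in find_normalize_calls(SAMPLE_SOURCES):
        print(f"{path}:{no}: {line}")
```

Both results are needed to close the ticket: a version of 2.6 satisfies the first request, and an empty list from the source scan is the finding the ticket asks to be reported back. The scan is line-based, so a static import of `normalize` or a call split across lines would need a real Java parser; this example only covers the plain `FilenameUtils.normalize(` form.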

      Attachments

        Issue Links

          Activity

            foundation_security_members CloudBees Foundation Security created issue -
            foundation_security_members CloudBees Foundation Security made changes -
            Field Original Value New Value
            Link This issue relates to JENKINS-61511 [ JENKINS-61511 ]
            foundation_security_members CloudBees Foundation Security made changes -
            Priority Minor [ 4 ] Major [ 3 ]
            donmccasland Don McCasland added a comment - https://github.com/jenkinsci/google-oauth-plugin/pull/92
            donmccasland Don McCasland made changes -
            Status Open [ 1 ] In Progress [ 3 ]
            donmccasland Don McCasland made changes -
            Resolution Fixed [ 1 ]
            Status In Progress [ 3 ] Fixed but Unreleased [ 10203 ]
            jhartley Jeremy Hartley added a comment - Thanks donmccasland

            People

              astroilov Andrey Stroilov
              foundation_security_members CloudBees Foundation Security
              Votes: 0
              Watchers: 3
