
log4j dependency has critical vulnerability CVE-2021-44228 in Bitbar Run-in-Cloud Plugin

      See JENKINS-67353

      https://github.com/jenkinsci/testdroid-run-in-cloud-plugin

      Update to 2.15 is not sufficient due to https://nvd.nist.gov/vuln/detail/CVE-2021-45046; it requires 2.16.
      This one is less important but will still be detected by scanners and alert all users.
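An added check, not part of the issue or of the plugin, that opens a plugin .hpi archive (a zip with bundled jars under WEB-INF/lib/) and flags any log4j-core jar older than the 2.16 minimum the report names; the sample archives it scans are constructed in the script.

```python
import io
import re
import zipfile

# Minimum log4j-core version stated in the issue: 2.16
# (2.15 is not enough because of CVE-2021-45046).
MIN_LOG4J = (2, 16, 0)

# Matches bundled jar entries such as WEB-INF/lib/log4j-core-2.15.0.jar
LOG4J_JAR = re.compile(r"(?:^|/)log4j-core-(\d+)\.(\d+)(?:\.(\d+))?\.jar$")


def parse_version(entry_name):
    """Return (major, minor, patch) for a log4j-core jar entry, else None."""
    m = LOG4J_JAR.search(entry_name)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def check_hpi(data):
    """Scan the bytes of an .hpi file; return (verdict, [(entry, version)])."""
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as hpi:
        for name in hpi.namelist():
            version = parse_version(name)
            if version is not None:
                found.append((name, version))
    if not found:
        return "no-log4j-core", found
    if all(v >= MIN_LOG4J for _, v in found):
        return "ok", found
    return "vulnerable", found


def build_sample_hpi(jar_names):
    """Constructed fixture: an in-memory hpi whose jar entries are empty."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name in jar_names:
            archive.writestr(name, b"")
    return buf.getvalue()


if __name__ == "__main__":
    for jars in (["WEB-INF/lib/log4j-core-2.15.0.jar"],
                 ["WEB-INF/lib/log4j-core-2.17.2.jar"]):
        verdict, found = check_hpi(build_sample_hpi(jars))
        print(verdict, [name for name, _ in found])
```

To check a real plugin, pass the contents of its .hpi file to check_hpi; a scanner that only inspects the plugin's declared dependencies would miss a log4j-core jar that is bundled directly in the archive.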


          Mark Waite added a comment -

          As released 1 Aug 2023, testdroid-run-in-cloud plugin now includes log4j 2.17.2 in its hpi file instead of including earlier versions.

           It includes many more jar files in the plugin hpi file than are actually needed (including guava and jsr305 and httpclient-4.5.14 and ...), but as far as I can tell, those unnecessary jar files are not what this issue was reporting.


            bitbar Bitbar Testdroid
            danielbeck Daniel Beck