See JENKINS-67353
https://github.com/jenkinsci/testdroid-run-in-cloud-plugin
Update to 2.15 is not sufficient due to https://nvd.nist.gov/vuln/detail/CVE-2021-45046, it requires 2.16.
This one is less important but will still be detected by scanners and alert all users.
[JENKINS-67361] log4j dependency has critical vulnerability CVE-2021-44228 in Bitbar Run-in-Cloud Plugin
Priority | Original: Minor [ 4 ] | New: Critical [ 2 ]
Description | Original: See JENKINS-67353 | New: See JENKINS-67353 (!) Update to 2.15 is not sufficient due to https://nvd.nist.gov/vuln/detail/CVE-2021-45046, it requires 2.16. This one is less important but will still be detected by scanners and alert all users.
Labels | Original: CVE-2021-44228 security | New: CVE-2021-44228 CVE-2021-45046 security
Description | Original: See JENKINS-67353 (!) Update to 2.15 is not sufficient due to https://nvd.nist.gov/vuln/detail/CVE-2021-45046, it requires 2.16. This one is less important but will still be detected by scanners and alert all users. | New: See JENKINS-67353 https://github.com/jenkinsci/testdroid-run-in-cloud-plugin (!) Update to 2.15 is not sufficient due to https://nvd.nist.gov/vuln/detail/CVE-2021-45046, it requires 2.16. This one is less important but will still be detected by scanners and alert all users.
Labels | Original: CVE-2021-44228 CVE-2021-45046 security | New: CVE-2021-44228 CVE-2021-45046 jcabot:001 jcabot:002 security
Released As | New: 3.22.4 https://plugins.jenkins.io/testdroid-run-in-cloud/releases/
Resolution | New: Fixed [ 1 ]
Status | Original: Open [ 1 ] | New: Closed [ 6 ]
As released on 1 Aug 2023, the testdroid-run-in-cloud plugin now includes log4j 2.17.2 in its hpi file instead of the earlier versions.
It includes many more jar files in the plugin hpi file than are actually needed (including guava and jsr305 and httpclient-4.5.14 and ...), but as far as I can tell, those unnecessary jar files are not what this issue was reporting.
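The check a practitioner would want to run on a plugin like this one, as an added example that is not part of the issue or of the plugin's own code: unpack the .hpi (a zip archive whose bundled dependencies sit under WEB-INF/lib/), find every log4j-core jar, compare its version against the minimum the issue states (2.16, because 2.15 does not cover CVE-2021-45046), and look inside the nested jar for the JndiLookup class, since a version scanner reports the filename while exploitability depends on that class being present. The minimum version, the file layout and the sample archives built by build_sample_hpi are assumptions for this example, not something the issue specifies.

```python
"""Scan a Jenkins plugin .hpi for bundled log4j-core jars.

Added example, not part of the Jenkins issue or the plugin's own code.
An .hpi is a zip archive; bundled dependencies live under WEB-INF/lib/.
"""
import io
import re
import zipfile

# Minimum taken from the issue text: 2.15 does not cover CVE-2021-45046,
# so 2.16 is required. Raise it as newer advisories demand.
MIN_LOG4J_CORE = (2, 16, 0)

LOG4J_CORE_RE = re.compile(r"(?:^|/)log4j-core-(\d+(?:\.\d+)*)\.jar$")
# Removing this class from log4j-core is the documented in-place
# mitigation for CVE-2021-44228 on versions that cannot be upgraded.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(text, width=3):
    """'2.16' -> (2, 16, 0) so that tuple comparison is meaningful."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (width - len(parts)))[:width]


def list_bundled_jars(hpi_bytes):
    """Every jar under WEB-INF/lib/, to spot bundling the plugin does not need."""
    with zipfile.ZipFile(io.BytesIO(hpi_bytes)) as hpi:
        return sorted(n for n in hpi.namelist()
                      if n.startswith("WEB-INF/lib/") and n.endswith(".jar"))


def scan_hpi(hpi_bytes, minimum=MIN_LOG4J_CORE):
    """Return one finding per bundled log4j-core jar."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(hpi_bytes)) as hpi:
        for name in hpi.namelist():
            m = LOG4J_CORE_RE.search(name)
            if not m:
                continue
            version = parse_version(m.group(1))
            # The jar is itself a zip: open it to see whether JndiLookup is there.
            with zipfile.ZipFile(io.BytesIO(hpi.read(name))) as jar:
                jndi_present = JNDI_LOOKUP_CLASS in jar.namelist()
            findings.append({
                "jar": name,
                "version": version,
                "below_minimum": version < minimum,   # what a version scanner reports
                "jndi_lookup_present": jndi_present,  # what actually makes it exploitable
            })
    return findings


def build_sample_hpi(log4j_version, include_jndi=True):
    """Constructed fixture (assumption): a minimal .hpi with a fake log4j-core jar."""
    jar_buf = io.BytesIO()
    with zipfile.ZipFile(jar_buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if include_jndi:
            jar.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes
    hpi_buf = io.BytesIO()
    with zipfile.ZipFile(hpi_buf, "w") as hpi:
        hpi.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        hpi.writestr(f"WEB-INF/lib/log4j-core-{log4j_version}.jar", jar_buf.getvalue())
        # Other bundled jars are never opened here, so their content is irrelevant.
        hpi.writestr(f"WEB-INF/lib/log4j-api-{log4j_version}.jar", b"")
        hpi.writestr("WEB-INF/lib/guava-31.0.1-jre.jar", b"")
    return hpi_buf.getvalue()


if __name__ == "__main__":
    for ver in ("2.15.0", "2.17.2"):
        for finding in scan_hpi(build_sample_hpi(ver)):
            print(finding)
```

On a real plugin, pass the bytes of the downloaded .hpi to scan_hpi; a jar that is below the minimum but lacks JndiLookup is one where the class-removal workaround was applied, which silences the exploit but not the scanner, which is exactly the alert-noise concern the issue raises.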