Status: Resolved
Jenkins version: 2.319.2
Jenkins plugin: publish-over-ssh
Publish Over SSH 1.24
The plugin `publish-over-ssh` appears to be missing from the latest plugin repository (https://updates.jenkins.io/update-center.json). The same plugin was, however, available in the previous version.
We use that plugin for close to all jobs and thus we are in desperate need of this plugin being added to the repository again.
Plugin removed from update center until security issues are resolved
Jenkins Security Advisory 2022-01-12 describes the following vulnerabilities:
- SECURITY-2287 - Stored XSS vulnerability (medium severity)
- SECURITY-2290 - CSRF vulnerability and missing permission checks (medium severity)
- SECURITY-2307 - Path traversal vulnerability (medium severity)
- SECURITY-2291 - Password stored in plain text (low severity)
Until someone adopts the plugin, fixes the issues, and releases a new version, it will remain unavailable.
Users that accept the security vulnerabilities can still download the plugin from the Jenkins artifact repository and upload it to their Jenkins installation.
I think the plugin is fixed for vulnerabilities at version 1.23.
Is it possible to remove the suspension?
Marking as resolved because the plugin is in the update center again.
For your information, all publish-over-ssh component type JENKINS issues related to the Publish Over SSH plugin have been transferred to GitHub: https://github.com/jenkinsci/publish-over-ssh-plugin/issues
Here is the direct link to this issue in GitHub: https://github.com/jenkinsci/publish-over-ssh-plugin/issues/67
And here is the link to a search for related issues: https://github.com/jenkinsci/publish-over-ssh-plugin/issues?q=%22JENKINS-67590%22
(Note: this is an automated bulk comment)
There's a list at Suspended Plugins.