Details
-
Task
-
Status: Closed (View Workflow)
-
Critical
-
Resolution: Not A Defect
-
None
-
Jenkins 2.289.3
SAML Plugin: 2.0.7
Description
Hello,
Could you confirm that the SAML Plugin https://github.com/jenkinsci/saml-plugin is not impacted by this thread: https://tanzu.vmware.com/security/cve-2022-22965
If so, when do you plan to deliver a fix ?
Regards
Attachments
Activity
from https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
Am I Impacted?
These are the requirements for the specific scenario from the report:JDK 9 or higher
Apache Tomcat as the Servlet container.
Packaged as a traditional WAR (in contrast to a Spring Boot executable jar).
spring-webmvc or spring-webflux dependency.
Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions.
since the plugin does not use either spring-webmvc nor spring-webflux it is not affected
Kalle Niemitalo
added a comment - The Jenkins blog post Spring Framework RCE, CVE-2022-22965 says no impact was found in the Jenkins core or plugins. Discussion topic.
Kalle Niemitalo
added a comment - The Jenkins blog post Spring Framework RCE, CVE-2022-22965 says no impact was found in the Jenkins core or plugins. Discussion topic . 
Gautier BEGIN
added a comment - OK, thanks for the info.
So when the blog says no impact on plugins, that means all the plugins published there: Jenkins Plugins
Gautier BEGIN
added a comment - OK, thanks for the info.
So when the blog says no impact on plugins, that means all the plugins published there: Jenkins Plugins 
Can you confirm the plugin is affected?