- Improvement
- Resolution: Unresolved
- Minor
- None
Steps
- Visit a Jenkins that has the Global Variable String Parameter plugin installed
- If the plugin isn't disabled, visit the plugin manager, disable it, and restart Jenkins
- Visit Jenkins again (if you had to restart it)
- Click the at the top of the jenkins
- See:
  Warnings have been published for the following currently installed components:
  Global Variable String Parameter 1.2
  Stored XSS vulnerability
- Click Go to plugin manager (/pluginManager/)
- Click Installed (/pluginManager/installed)
- Type a substring of the plugin name to find it, e.g. string:
- Note that the plugin in question is clearly disabled
- File ticket
Expected results
- If a plugin is disabled, I don't need to see a shield warning me about the plugin. It's sufficient to see the warning in the Installed page – which should be more than enough to block me from carelessly re-enabling a vulnerable plugin.
- The message should be changed to say:
  Warnings have been published for the following currently enabled components: