-
Patch
-
Resolution: Unresolved
-
Major
-
Non-Prod and Prod
Hello Team,
We are using following plugins with its latest versions. But there are security vulnerabilities involved on these plugin's latest versions and there is no fix available as of now. We needed these plugins but \We are concerned about these plugins version issues. So , can you please provide any fix on these version or please suggest how to handle this case.
Plugins List
- global-build-stats plugin (global-build-stats): 244.v27c8a_2e50a_34 - last released 4 months ago, open vulnerability resolved in latest release
- Performance Plugin (performance): 3.20 - last released 2 months ago, no vulnerabilities open
- Maven Metadata Plugin for Jenkins CI server (maven-metadata-plugin): 2.2 - last released a year ago, 2 vulnerabilities open
- Release Helper Plugin (release-helper): 1.3.3 - last released 5 years ago, 1 vulnerability open
- build-metrics (build-metrics): 1.3 - last released 7 years ago, 3 vulnerabilities open
Thanks,
Sudhir
- links to
[JENKINS-69026] Latest Plugins Versions having Securities Vulnerabilities issues involved
Jan Duris
added a comment - Hello guys, is there a plan to release this fix in near future? A lot of people are waiting for fix of that vulnerability 
Jan Duris
added a comment - Hello guys, is there a plan to release this fix in near future? A lot of people are waiting for fix of that vulnerability 
Hemanth SD
added a comment - Hi guys, It will be great if we can get the new release with the vulnerability fix. community will use the performance trend feature which is really helpful in pipeline integration.
Hemanth SD
added a comment - Hi guys, It will be great if we can get the new release with the vulnerability fix. community will use the performance trend feature which is really helpful in pipeline integration. 
Mark Symons
added a comment - Release v916.v0f63142e4c07 (3rd February 2023) incorporates the fix for SECURITY-2394
However, on 5th February the there are still warnings displayed on jenkins site and within Jenkins itself.
What can bedone to address this?
Mark Symons
added a comment - Release v916.v0f63142e4c07 (3rd February 2023) incorporates the fix for SECURITY-2394
However, on 5th February the there are still warnings displayed on jenkins site and within Jenkins itself.
What can bedone to address this?
Alexander Straube
added a comment - msymons Like mentioned in https://github.com/jenkinsci/performance-plugin/pull/205 there's a PR pending (jenkins-infra/update-center2#683) which will take care of removing the warning.
Alexander Straube
added a comment - msymons Like mentioned in https://github.com/jenkinsci/performance-plugin/pull/205 there's a PR pending ( jenkins-infra/update-center2#683 ) which will take care of removing the warning. I've removed performance plugin and global build stats plugin from the components list because they no longer have vulnerabilities in their most recent release.
The other three plugins that are mentioned will need to be adopted by someone, fixed, and a new release created. Asking others to fix the issue only works when there is someone willing to fix the issue. Since there is no one willing to fix the issue, then one of the affected users should adopt the plugin or persuade someone in their company to adopt the plugin.
If adopting the plugin is not an option, then the other alternative is to remove the plugin from your installation.
A fix for SECURITY-2394 (CVE-2021-21701) was merged on 7th April for performance-plugin and just needs to be released.
See: [SECURITY-2394] Prevent XXE in Github