JENKINS-69026: Latest Plugin Versions having Security Vulnerability issues involved

Hello Team,

We are using the following plugins at their latest versions. But there are security vulnerabilities involved in these plugins' latest versions and there is no fix available as of now. We need these plugins, but we are concerned about these plugin version issues. So, can you please provide any fix for these versions or please suggest how to handle this case.

Plugins List:

global-build-stats plugin (global-build-stats): 244.v27c8a_2e50a_34
Maven Metadata Plugin for Jenkins CI server (maven-metadata-plugin): 2.2
Performance Plugin (performance): 3.20
Release Helper Plugin (release-helper): 1.3.3
build-metrics (build-metrics): 1.3

Thanks,

Sudhir

Sudhir Nikhade created issue -
Sudhir Nikhade made changes - Description edited

Mark Symons added a comment - edited

A fix for SECURITY-2394 (CVE-2021-21701) was merged on 7th April for performance-plugin and just needs to be released.

See: [SECURITY-2394] Prevent XXE in GitHub

          Mark Symons made changes -
          Remote Link New: This issue links to "Merged Fix for SECURITY-2394 (Web Link)" [ 28002 ]

Jan Duris added a comment -

Hello guys, is there a plan to release this fix in the near future? A lot of people are waiting for a fix for that vulnerability.

Hemanth SD added a comment -

Hi guys, it will be great if we can get the new release with the vulnerability fix. The community will use the performance trend feature, which is really helpful in pipeline integration.

Sudhir Nikhade added a comment -

Hello, do you have any update on it please?
          Mark Symons made changes -
          Attachment New: SECURITY-2394-Still=alerting.png [ 59928 ]

Mark Symons added a comment -

Release v916.v0f63142e4c07 (3rd February 2023) incorporates the fix for SECURITY-2394.

However, on 5th February there are still warnings displayed on the Jenkins site and within Jenkins itself.

What can be done to address this?

Alexander Straube added a comment -

msymons As mentioned in https://github.com/jenkinsci/performance-plugin/pull/205, there's a PR pending (jenkins-infra/update-center2#683) which will take care of removing the warning.
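The last two comments turn on how update-center security warnings are applied: a warning names a plugin and a set of version patterns, so an installed version keeps triggering it until the update-center metadata is changed to exclude the fixed release. The following Python check is an added example, not code from this issue or from the Jenkins project: it reads a constructed update-center.json "warnings" fragment and reports which of the listed plugin versions fall inside a warning's version patterns. The field layout, the whole-string regex matching and the sample patterns are assumptions about the update-center format, not values taken from the live feed.

```python
import json
import re

# Constructed sample of the update-center "warnings" section (assumed layout).
# The performance entry shows the metadata shape after a fix is published: its
# pattern only covers the 3.x line, so the fixed release falls outside it. The
# build-metrics entry shows the "no fix yet" shape: a catch-all pattern.
SAMPLE_UPDATE_CENTER = json.dumps({
    "warnings": [
        {"type": "plugin", "id": "SECURITY-2394", "name": "performance",
         "message": "XML External Entity (XXE) vulnerability",
         "url": "https://www.jenkins.io/security/advisory/PLACEHOLDER/",
         "versions": [{"pattern": r"3[.][0-9]+(|[.-].*)", "lastVersion": "3.20"}]},
        {"type": "plugin", "id": "SECURITY-PLACEHOLDER", "name": "build-metrics",
         "message": "placeholder advisory", "url": "https://example.invalid/",
         "versions": [{"pattern": r".*"}]},
    ]
})

# Plugin versions from the issue description (constructed subset).
INSTALLED = {"performance": "3.20", "build-metrics": "1.3", "release-helper": "1.3.3"}


def affected_warnings(update_center_json: str, installed: dict) -> dict:
    """Map plugin short name -> list of warning ids whose version patterns fully
    match the installed version string (assumed: whole-string regex match, the
    way Jenkins decides whether a warning applies to an installed plugin)."""
    hits = {}
    for warning in json.loads(update_center_json).get("warnings", []):
        name = warning.get("name")
        if warning.get("type") != "plugin" or name not in installed:
            continue
        version = installed[name]
        for version_range in warning.get("versions", []):
            if re.fullmatch(version_range["pattern"], version):
                hits.setdefault(name, []).append(warning["id"])
                break  # one matching range per warning is enough
    return hits


if __name__ == "__main__":
    # After upgrading performance to the fixed release named in the thread,
    # the SECURITY-2394 warning no longer applies; build-metrics still does.
    upgraded = dict(INSTALLED, performance="916.v0f63142e4c07")
    for plugins in (INSTALLED, upgraded):
        print(affected_warnings(SAMPLE_UPDATE_CENTER, plugins))
```

Run against the real update-center.json and the plugin list from a live instance, the same function tells you whether a displayed warning is stale metadata or a version you still need to upgrade.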

            ydubreuil Yoann Dubreuil
            snikhade Sudhir Nikhade
Votes: 5
Watchers: 14