Type: Bug
Resolution: Unresolved
Priority: Minor
None
The job-dsl-plugin relies on spock-core, which relies on ant, which is affected by CVE-2020-11979.
https://nvd.nist.gov/vuln/detail/CVE-2020-11979
According to the reporting guidelines, "Vulnerabilities in dependencies without a plausible or demonstrated exploit will not be treated as vulnerabilities."
Given that ant is a build tool used to build jars which are then published for consumption, I have no way of knowing if some arbitrary code was injected through temporary files as part of the build process that produces the jars for the job-dsl-plugin.
Thanks for the report jericop. The Job DSL plugin is up for adoption. That means the current maintainer does not have time to work on it. If you'd like a fix for this dependency update, you should consider adopting the Job DSL plugin. Since your organization is using the plugin, it would help your organization to have an active maintainer of the Job DSL plugin.
The Jenkins developer mailing list provides help for new maintainers as they adopt plugins and improve them.