Jenkins / JENKINS-73463

job-dsl-plugin affected by CVE-2020-11979


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Minor
    • Component: job-dsl-plugin
    • Labels: None

      The job-dsl-plugin relies on spock-core, which relies on ant, which is affected by CVE-2020-11979.

      https://nvd.nist.gov/vuln/detail/CVE-2020-11979

      https://github.com/jenkinsci/job-dsl-plugin/blob/e6d655dd5b2874f56af8bf4b99a4d622b752bb98/pom.xml#L54C8-L56C42


      According to the reporting guidelines, "Vulnerabilities in dependencies without a plausible or demonstrated exploit will not be treated as vulnerabilities."

      Given that ant is a build tool used to build jars which are then published for consumption, I have no way of knowing if some arbitrary code was injected through temporary files as part of the build process that produces the jars for the job-dsl-plugin.


            Assignee: Jamie Tanna (jamietanna)
            Reporter: Jerico Pena (jericop)
            Votes: 0
            Watchers: 2
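The triage question behind a report like this one is whether the flagged artifact ever reaches the shipped plugin, or only its build-time (test) classpath: a test-scoped transitive dependency is never packaged into the .hpi, so a weakness in it cannot be reached through the running plugin. The script below is an added example, not code from the Jenkins project or the issue reporter. It parses the text output of `mvn dependency:tree` (Maven's `group:artifact:type[:classifier]:version[:scope]` nodes drawn with `+-`, `\-` and `|` prefixes, plus the `(... - omitted for ...)` entries that `-Dverbose` prints) and reports every path to a given artifact together with whether any of those paths lands in a scope that is packaged. Both sample trees are constructed for the example: the versions are placeholders, `com.example:hypothetical-lib` does not exist, and the sample does not assert what the real job-dsl-plugin pom declares; run the real tree with `mvn dependency:tree -Dverbose` and feed that output in instead.

```python
"""Triage helper: does a transitive dependency reach the packaged artifact?

Added example, not code from the Jenkins project or the issue reporter.
It parses `mvn dependency:tree` text output. The sample trees are
constructed; versions are placeholders and com.example:hypothetical-lib
is a made-up coordinate used only to show a packaged (compile-scope) path.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Scopes whose artifacts end up inside the built plugin (.hpi). "test" and
# "provided" artifacts are present only while building. Assumption for this
# example: the plugin follows normal Maven packaging rules.
SHIPPED_SCOPES = {"compile", "runtime"}

# Constructed sample: the chain described in the issue, with spock-core
# (and therefore ant) in test scope only. Versions are placeholders.
SAMPLE_TEST_ONLY = """\
[INFO] org.jenkins-ci.plugins:job-dsl:hpi:0.0-SAMPLE
[INFO] +- org.codehaus.groovy:groovy:jar:0.0-SAMPLE:compile
[INFO] +- org.spockframework:spock-core:jar:0.0-SAMPLE:test
[INFO] |  \\- org.apache.ant:ant:jar:0.0-SAMPLE:test
[INFO] |     \\- org.apache.ant:ant-launcher:jar:0.0-SAMPLE:test
[INFO] \\- org.jenkins-ci.plugins:structs:jar:0.0-SAMPLE:compile
"""

# Constructed contrast case: a hypothetical compile-scope library pulls ant
# into the packaged classpath; the test-scope copy is then shown as omitted.
SAMPLE_EXPOSED = """\
[INFO] org.jenkins-ci.plugins:job-dsl:hpi:0.0-SAMPLE
[INFO] +- com.example:hypothetical-lib:jar:0.0-SAMPLE:compile
[INFO] |  \\- org.apache.ant:ant:jar:0.0-SAMPLE:compile
[INFO] \\- org.spockframework:spock-core:jar:0.0-SAMPLE:test
[INFO]    \\- (org.apache.ant:ant:jar:0.0-SAMPLE:test - omitted for duplicate)
"""


@dataclass(frozen=True)
class Node:
    group: str
    artifact: str
    version: str
    scope: Optional[str]  # None for the root project line
    omitted: bool         # "(... - omitted for ...)" entry resolved elsewhere

    @property
    def key(self) -> str:
        return f"{self.group}:{self.artifact}"


_OMITTED = re.compile(r"^\((?P<coord>[^ ]+) - omitted for .*\)$")


def _parse_coord(text: str) -> Node:
    """Parse one Maven coordinate, including verbose-mode omitted entries."""
    omitted = False
    m = _OMITTED.match(text)
    if m:
        text, omitted = m.group("coord"), True
    parts = text.split(":")
    group, artifact = parts[0], parts[1]
    if len(parts) == 4:        # root: group:artifact:type:version
        version, scope = parts[3], None
    elif len(parts) == 5:      # group:artifact:type:version:scope
        version, scope = parts[3], parts[4]
    elif len(parts) == 6:      # group:artifact:type:classifier:version:scope
        version, scope = parts[4], parts[5]
    else:
        raise ValueError(f"unrecognised coordinate: {text!r}")
    return Node(group, artifact, version, scope, omitted)


def parse_tree(text: str) -> list[list[Node]]:
    """Return the root-to-node path for every node in the tree, in order."""
    paths: list[list[Node]] = []
    stack: list[Node] = []
    for raw in text.splitlines():
        line = raw.removeprefix("[INFO] ").rstrip()
        if not line:
            continue
        body = line.lstrip("+-|\\ ")
        depth = (len(line) - len(body)) // 3  # each tree level is 3 columns
        stack = stack[:depth] + [_parse_coord(body)]
        paths.append(list(stack))
    return paths


def find_paths(text: str, group: str, artifact: str) -> list[list[Node]]:
    """Every path whose last node is the requested artifact."""
    return [p for p in parse_tree(text)
            if p[-1].group == group and p[-1].artifact == artifact]


def shipped_paths(text: str, group: str, artifact: str) -> list[list[Node]]:
    """Only the paths through which the artifact is actually packaged."""
    return [p for p in find_paths(text, group, artifact)
            if not p[-1].omitted and p[-1].scope in SHIPPED_SCOPES]


def describe(path: list[Node]) -> str:
    return " -> ".join(n.key for n in path) + f" [{path[-1].scope}]"


if __name__ == "__main__":
    for name, tree in (("test-only", SAMPLE_TEST_ONLY), ("exposed", SAMPLE_EXPOSED)):
        for p in find_paths(tree, "org.apache.ant", "ant"):
            print(name, describe(p), "(omitted)" if p[-1].omitted else "")
        print(name, "packaged:", bool(shipped_paths(tree, "org.apache.ant", "ant")))
```

On the first sample the only path to `org.apache.ant:ant` ends in test scope and `shipped_paths` is empty, which is the "no plausible exploit through the shipped plugin" case; on the second, the compile-scope path is reported while the omitted test-scope duplicate is ignored. Note that this answers only the runtime-reachability question; the reporter's separate concern about the integrity of the build environment is not something a dependency tree can settle.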