When running Jenkins with the official Docker container, some plugins will pull in detached plugins that have security vulnerabilities and also have newer versions available that could be used instead.
To replicate, you can install https://plugins.jenkins.io/purge-build-queue-plugin for example. This will pull in a vulnerable version of https://plugins.jenkins.io/pam-auth:
jenkins_1 | INFO: Loading a detached plugin as a dependency: /var/jenkins_home/plugins/pam-auth.jpi
jenkins_1 | WARNING: Created /var/jenkins_home/plugins/pam-auth/WEB-INF/lib/classes.jar; update plugin to a version created with a newer harness
jenkins_1 | INFO: Took 0ms for Loading plugin PAM Authentication plugin v1.1 (pam-auth) by pool-6-thread-4
jenkins_1 | INFO: Took 0ms for Initializing plugin pam-auth by pool-6-thread-1
According to jglick, this is a bug and not intended behavior.
This might be scoped to just running with Docker but it's the only place I'm able to test and replicate.
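The practical check a reader of this report will want is a way to find out which plugins in JENKINS_HOME arrived only as dependencies (the case above: pam-auth pulled in by another plugin at the old bundled version) and at what version, so they can be pinned explicitly. The script below is an added example written for this report; it is not part of Jenkins, the plugin-installation tooling, or the official Docker image. It reads each `.jpi`/`.hpi` in a plugins directory as a zip, parses `META-INF/MANIFEST.MF` (handling the 72-byte continuation-line wrapping), and reports every installed plugin that is not in the explicitly requested set, together with which installed plugin requires it. The sample plugins directory it builds is constructed for the demo: the manifests, the `purge-build-queue-plugin -> pam-auth:1.1` dependency edge, and the `credentials` entry are simplified stand-ins, not the real plugins' metadata.

```python
"""Audit a JENKINS_HOME plugins directory for plugins that were pulled in
transitively (not listed by the operator) and report their loaded versions.

Added example for this bug report; not Jenkins or Docker image code.
"""
import os
import tempfile
import zipfile


def parse_manifest(text):
    """Parse a JAR MANIFEST.MF into a dict.

    Values longer than 72 bytes are wrapped onto continuation lines that
    begin with a single space; those are joined back onto the previous key.
    """
    entries = {}
    key = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and key is not None:
            entries[key] += raw[1:]
        elif ":" in raw:
            key, _, value = raw.partition(":")
            key = key.strip()
            entries[key] = value.strip()
    return entries


def parse_dependencies(spec):
    """Parse a Plugin-Dependencies value such as
    'workflow-api:2.0,credentials:2.1.16;resolution:=optional'
    into {short_name: (min_version, is_optional)}.
    """
    deps = {}
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        name_ver, _, opts = item.partition(";")
        name, _, ver = name_ver.partition(":")
        deps[name.strip()] = (ver.strip(), "resolution:=optional" in opts)
    return deps


def read_plugin_manifest(path):
    """Return the parsed manifest of one .jpi/.hpi archive."""
    with zipfile.ZipFile(path) as archive:
        return parse_manifest(archive.read("META-INF/MANIFEST.MF").decode("utf-8"))


def audit_plugins(plugins_dir, requested):
    """List installed plugins that were not explicitly requested.

    Each finding carries the version actually on disk (what Jenkins will
    load) and the installed plugins whose manifests require it.
    """
    installed = {}
    for name in os.listdir(plugins_dir):
        if name.endswith((".jpi", ".hpi")):
            manifest = read_plugin_manifest(os.path.join(plugins_dir, name))
            installed[manifest["Short-Name"]] = manifest

    findings = []
    for short_name, manifest in installed.items():
        if short_name in requested:
            continue
        required_by = []
        for other, other_manifest in installed.items():
            deps = parse_dependencies(other_manifest.get("Plugin-Dependencies", ""))
            if short_name in deps:
                required_by.append(f"{other}>={deps[short_name][0]}")
        findings.append({
            "plugin": short_name,
            "version": manifest.get("Plugin-Version"),
            "required_by": sorted(required_by),
        })
    return sorted(findings, key=lambda f: f["plugin"])


def build_sample_plugins_dir():
    """Create a temporary plugins dir with two constructed .jpi archives.

    The manifests are simplified stand-ins for the demo, not the real
    plugins' metadata; the dependency edge mirrors the report's scenario.
    """
    plugins_dir = tempfile.mkdtemp(prefix="jenkins-plugins-")
    manifests = {
        "purge-build-queue-plugin.jpi": (
            "Manifest-Version: 1.0\n"
            "Short-Name: purge-build-queue-plugin\n"
            "Long-Name: Purge Build Queue Plugin\n"
            "Plugin-Version: 1.0\n"
            # wrapped value: exercises the continuation-line handling
            "Plugin-Dependencies: pam-auth:1.1,credentials:2.1.16;resol\n"
            " ution:=optional\n"
        ),
        "pam-auth.jpi": (
            "Manifest-Version: 1.0\n"
            "Short-Name: pam-auth\n"
            "Long-Name: PAM Authentication plugin\n"
            "Plugin-Version: 1.1\n"
        ),
    }
    for filename, manifest in manifests.items():
        with zipfile.ZipFile(os.path.join(plugins_dir, filename), "w") as archive:
            archive.writestr("META-INF/MANIFEST.MF", manifest)
    return plugins_dir


if __name__ == "__main__":
    sample_dir = build_sample_plugins_dir()
    for finding in audit_plugins(sample_dir, {"purge-build-queue-plugin"}):
        print(f"{finding['plugin']} v{finding['version']} pulled in by {finding['required_by']}")
```

Point the script at a real `/var/jenkins_home/plugins` and pass the set of plugin IDs from your `plugins.txt` as `requested`; anything it reports was resolved by Jenkins rather than by you, so the version shown is the one to compare against the update center and, if it is behind, to pin explicitly in `plugins.txt` (`pam-auth:<version>` for the case in this report) so the installer fetches that version instead of relying on the bundled detached copy.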
Relates to: JENKINS-57528 Jenkins in Docker does not install detached plugins when there is no UC data (Resolved)