Can someone delete https://plugins.jenkins.io/packageversion/

Gavin Mogan

Feb 20, 2023, 1:30:37 PM
to Jenkins Developers
26 installs, an XSS warning, and still targeting 1.x. It showed up when I looked up plugins for "version",
and I was wondering why we are keeping it around.

Gavin

Alexander Brandes

Feb 20, 2023, 6:08:53 PM
to Jenkins Developers
I don't think one XSS vulnerability in a plugin with 26 installations is impactful enough to justify a suspension of the plugin.

Someone may always adopt the plugin to modernize it and mitigate the vulnerability.

Daniel Beck

Feb 21, 2023, 3:26:55 AM
to jenkin...@googlegroups.com
On Tue, Feb 21, 2023 at 12:08 AM Alexander Brandes <mc.ca...@gmail.com> wrote:
> impactful enough to justify a suspension of the plugin

In particular, exploitation requires the parameter to be shown on a view that doesn't mitigate the vulnerability, of which there are few. There's a good chance nobody is actually affected by this vulnerability.