[JIRA] (JENKINS-61510) Outdated/vulnerable dependency (org.apache.httpcomponents:httpclient)

[foundation-security-members@cloudbees.com (JIRA)]

CloudBees Foundation Security created an issue

Jenkins / JENKINS-61510 Outdated/vulnerable dependency (org.apache.httpcomponents:httpclient) Issue Type: Bug Assignee: Evan Brown Components: google-compute-engine-plugin Created: 2020-03-18 15:43 Priority: Major Reporter: CloudBees Foundation Security The library "org.apache.httpcomponents:httpclient" (4.0.1) included in google-compute-engine-plugin contains a vulnerability. Please update the plugin to use the https://github.com/jenkinsci/apache-httpcomponents-client-4-api-plugin. It's currently included through google-http-client (pom.xml#L131-L135). CVE-2014-3577 CVE-2011-1498 CVE-2012-6153 Although the plugin may not use the dependency the way it's exploitable, it's better to avoid the buggy dependency in order to: avoid security reports warning about that avoid future risky uses of the library that may exploit the vulnerability Thank you. by Ramón León Add Comment

This message was sent by Atlassian Jira (v7.13.12#713012-sha1:6e07c38)

[foundation-security-members@cloudbees.com (JIRA)]

CloudBees Foundation Security updated an issue

Jenkins / JENKINS-61510 Outdated/vulnerable dependency (org.apache.httpcomponents:httpclient)

Change By: CloudBees Foundation Security

The library "org.apache.httpcomponents:httpclient" (4.0.1) included in google-compute-engine-plugin contains a vulnerability. Please update the plugin to use the https://github.com/jenkinsci/apache-httpcomponents-client-4-api-plugin. It's currently included through google-http-client (pom.xml#L131-L135).

* CVE-2014-3577 * CVE-2011-1498 * CVE-2012-6153

Although the plugin may not use the dependency the way it's exploitable, it's better to avoid the buggy dependency in order to:

* avoid security reports warning about that * avoid future risky uses of the library that may exploit the vulnerability If you like, you can use the *_bom_* approach to avoid dealing with the right version, it will take the one used by Jenkins core: https://jenkins.io/doc/developer/plugin-development/dependency-management/ Thank you. _by_ [_Ramón León_|https://issues.jenkins-ci.org/secure/ViewProfile.jspa?name=MRamonLeon]

Add Comment

[foundation-security-members@cloudbees.com (JIRA)]

CloudBees Foundation Security updated an issue

Jenkins / JENKINS-61510 Outdated/vulnerable dependency (org.apache.httpcomponents:httpclient) Change By: CloudBees Foundation Security

The library "org.apache.httpcomponents:httpclient" (4.0.1) included in google-compute-engine-plugin contains a vulnerability. Please update the plugin to use the https://github.com/jenkinsci/apache-httpcomponents-client-4-api-plugin.

It's currently included through google-http-client ( [ pom.xml#L131-L135 |https://github.com/jenkinsci/google-compute-engine-plugin/blob/b34f0d269b81919255ad988946b671fba9c8731b/pom.xml#L131-L135] ).

* CVE-2014-3577 * CVE-2011-1498 * CVE-2012-6153 Although the plugin may not use the dependency the way it's exploitable, it's better to avoid the buggy dependency in order to: * avoid security reports warning about that * avoid future risky uses of the library that may exploit the vulnerability If you like, you can use the *_bom_* approach to avoid dealing with the right version, it will take the one used by Jenkins core: https://jenkins.io/doc/developer/plugin-development/dependency-management/ Thank you. _by_ [_Ramón León_|https://issues.jenkins-ci.org/secure/ViewProfile.jspa?name=MRamonLeon]

Add Comment