[JIRA] (JENKINS-61666) Outdated/vulnerable dependency (commons-io)

[foundation-security-members@cloudbees.com (JIRA)]

CloudBees Foundation Security created an issue

Jenkins / JENKINS-61666 Outdated/vulnerable dependency (commons-io) Issue Type: Bug Assignee: Andrey Stroilov Components: google-oauth-plugin Created: 2020-03-24 13:33 Priority: Minor Reporter: CloudBees Foundation Security The plugin includes a library (commons-io) with a vulnerability. Please update it to 2.6. In addition to that, a second vulnerability is present in 2.6 on the method FileNameUtils.normalize. As the correction is planned for 2.7 but this version is not yet released, please ensure you are not using this method in your code and provide your finding in this ticket. Ticket to follow the second vulnerability: https://issues.apache.org/jira/browse/IO-559 Although the plugin may not use the dependency the way it's exploitable, it's better to avoid the buggy dependency in order to: avoid security reports warning about that avoid future risky uses of the library that may exploit the vulnerability If you like, you can use the bom approach to avoid dealing with the right version, it will take the one used by Jenkins core: https://jenkins.io/doc/developer/plugin-development/dependency-management/ Thank you. by Félix Queiruga Add Comment

This message was sent by Atlassian Jira (v7.13.12#713012-sha1:6e07c38)

[foundation-security-members@cloudbees.com (JIRA)]

CloudBees Foundation Security updated an issue

Jenkins / JENKINS-61666 Outdated/vulnerable dependency (commons-io)

Change By: CloudBees Foundation Security Priority: Minor Major

Add Comment