CVE-2023-50164 Struts question


the.n...@gmail.com

Dec 21, 2023, 12:29:10 PM
to Jenkins Developers
Hi Jenkins,

I was wondering whether there is a way of determining which plugins depend on Struts 2 or 3, to deal with this CVE. It is not clear in the list of plugins.

It is also unclear, from a development standpoint, what to do as a plugin provider. We have a dependency on Struts 1.14 but cannot control what users do.

Thanks,
Randall

Basil Crow

Dec 21, 2023, 1:12:21 PM
to jenkin...@googlegroups.com
My unofficial answer: Jenkins uses Stapler as its web framework (not
Struts), so I strongly suspect there are zero Jenkins plugins
distributed on our Update Center that bundle Struts 2 or 3. For an
official answer, contact the Security Team at:

https://www.jenkins.io/security/team/

wfoll...@cloudbees.com

Dec 22, 2023, 10:26:32 AM
to Jenkins Developers
Hello Randall,

If it's for a single plugin, the easiest way is to use `mvn dependency:tree` to check if you are using Struts or not. Usually if you include Struts indirectly (through transitive dependencies) there is low likelihood that you are effectively using it. Most of the Jenkins plugins are using only Stapler for their HTTP request handling, without any other framework (like Struts).

If you want to know about an instance of Jenkins with its plugins, I would recommend using a regular security scanner (SCA) to see if it finds anything there.

Now, if you are not sure, you can still contact the security team, but I will ask you to provide more details, like which plugin, which CVE, and your doubts.

Best regards,

Wadeck Follonier
Jenkins Security officer
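The `mvn dependency:tree` check above tells you whether Struts appears at all, but the questions a plugin maintainer actually has to answer are which direct dependency drags it in and whether the jar ends up inside the .hpi at all. The script below is an added example (not code from the thread, from Wadeck, or from the Jenkins project): it parses `dependency:tree` output, prints the full chain from the plugin down to each Struts artifact, and marks each hit as direct or transitive and as bundled or not. The sample tree is constructed for the example; the plugin name, the `com.example` artifacts and their versions are invented. The only real Maven flag used is `-Dincludes`, which the dependency plugin accepts as a comma-separated list of groupId[:artifactId] patterns.

```shell
#!/bin/sh
# Added example, not from the original thread: locate Struts 1.x/2.x artifacts in
# `mvn dependency:tree` output and show which direct dependency pulls each one in.
#
# On a real plugin checkout you would feed the function live output:
#   mvn dependency:tree | struts_paths
# or narrow Maven's own output with the plugin's real -Dincludes flag:
#   mvn dependency:tree -Dincludes='org.apache.struts,struts'

# Reads `mvn dependency:tree` text on stdin. Prints one line per Struts artifact:
#   DIRECT|TRANSITIVE  bundled|not-bundled(<scope>)  root -> parent -> ... -> artifact
struts_paths() {
  awk '
  {
    line = $0
    sub(/^\[INFO\] ?/, "", line)            # drop the Maven log prefix
    if (match(line, /[+\\]- /)) {           # "+- " or "\- " marks a child node
      depth = (RSTART - 1) / 3 + 1           # each tree level indents 3 columns
      art = substr(line, RSTART + 3)
    } else if (line ~ /^[A-Za-z0-9_.-]+:[A-Za-z0-9_.-]+:/) {
      depth = 0                              # the root artifact has no connector
      art = line
    } else {
      next                                   # plugin banners, BUILD SUCCESS, etc.
    }
    path[depth] = art                        # remember the ancestor at this depth
    # Struts 1.x ships as struts:struts or org.apache.struts:struts-core,
    # Struts 2.x as org.apache.struts:struts2-*.
    if (art ~ /^(org\.apache\.struts|struts):/) {
      n = split(art, f, ":")
      scope = f[n]                           # Maven scope is the last field
      kind = (depth == 1) ? "DIRECT    " : "TRANSITIVE"
      # HPI packaging copies compile/runtime scope jars into WEB-INF/lib;
      # provided (e.g. anything from jenkins-core) and test scope jars do not ship.
      bundled = (scope == "compile" || scope == "runtime") ? "bundled" : "not-bundled(" scope ")"
      chain = path[0]
      for (i = 1; i <= depth; i++) chain = chain " -> " path[i]
      printf "%s  %s  %s\n", kind, bundled, chain
    }
  }'
}

# Constructed sample output of `mvn dependency:tree` for a hypothetical plugin.
# Names and versions are made up for the example; only the layout is Maven's.
sample_tree() {
  cat <<'EOF'
[INFO] --- dependency:3.6.1:tree (default-cli) @ example-plugin ---
[INFO] org.jenkins-ci.plugins:example-plugin:hpi:1.0-SNAPSHOT
[INFO] +- org.jenkins-ci.main:jenkins-core:jar:2.426.1:provided
[INFO] |  +- org.kohsuke.stapler:stapler:jar:1700.v1:provided
[INFO] |  \- commons-io:commons-io:jar:2.15.0:provided
[INFO] +- org.apache.struts:struts-core:jar:1.3.10:compile
[INFO] +- com.example:legacy-web:jar:3.2.1:compile
[INFO] |  \- org.apache.struts:struts2-core:jar:2.5.30:compile
[INFO] |     \- org.apache.struts:struts2-convention-plugin:jar:2.5.30:compile
[INFO] \- com.example:test-support:jar:1.0:test
[INFO]    \- org.apache.struts:struts2-junit-plugin:jar:2.5.30:test
[INFO] BUILD SUCCESS
EOF
}

sample_tree | struts_paths
```

On the sample this reports struts-core as a direct, bundled dependency, the two struts2 jars as transitive and bundled via `com.example:legacy-web` (so that is the dependency to upgrade, exclude or replace), and struts2-junit-plugin as transitive but not bundled because it is test scope. A "bundled" hit is the only kind that can be present on a running Jenkins instance; a not-bundled one is noise from a scanner's point of view unless the same artifact also arrives some other way.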

Daniel Beck

Feb 27, 2024, 2:57:18 AM
to jenkin...@googlegroups.com
On Fri, Dec 22, 2023 at 4:26 PM 'wfoll...@cloudbees.com' via Jenkins Developers <jenkin...@googlegroups.com> wrote:
> Now, if you are not sure, you can still contact the security team, but I will ask you to provide more details, like which plugin, which CVE, and your doubts.

After discussing with Wadeck, I'd like to clarify our position:

The Jenkins security team does not generally answer questions about publicly known vulnerabilities in libraries that may not even be used anywhere in Jenkins. Any number of commercial or free dependency scanners can provide an answer. This basically falls into the category of compliance question/questionnaire (see the highlighted block here).

For vulnerable libraries determined to actually be dependencies, per our reporting guidelines, we do not consider vulnerabilities in dependencies to be vulnerabilities in Jenkins unless reporters can demonstrate exploitation, or at least explain how it might work (or it's really obvious). Unfortunately we get too many folks just dumping unfiltered dependency scanner output into our issue tracker, so we need to be pretty restrictive here due to our limited capacity. Similar limitations apply to reports of vulnerabilities in OS libraries in Docker images.