Understanding Jenkins Core Vulnerabilities in plugins


Niv Keidan

Feb 22, 2022, 1:25:53 AM
to Jenkins Developers
Hello everyone.

I am trying to understand the impact of Jenkins core security vulnerabilities on plugin usage.

Let's do this with an example:
I am running Jenkins 2.319.3 and using a plugin that has 2.277.4 defined as <jenkins.version> in its pom.xml.
Am I exposed to the vulnerabilities in 2.277.4?
Does it depend on where the vulnerability actually is in the code? Is some core code compiled along with the plugin?

If someone could explain a bit on how compiling and running plugins works - it would be very helpful.

Thank you very much.

Daniel Beck

Feb 22, 2022, 3:11:37 AM
to jenkin...@googlegroups.com
On Tue, Feb 22, 2022 at 7:25 AM Niv Keidan <niv.k...@veertu.com> wrote:
I am running Jenkins 2.319.3 and using a plugin that has 2.277.4 defined as <jenkins.version> in its pom.xml.
Am I exposed to the vulnerabilities in 2.277.4?

No, this only defines the minimum compatible version. The same applies to dependencies on other plugins. Only bundled libraries (hpi/jpi files are just zip files; open one and look inside) matter. That's why Jenkins doesn't show security warnings to admins when you update the affected component.

Tell your security scanner vendor to improve their product to not believe everything the pom.xml says.

I'm curious, did a big vendor release some nonsense? This is the third time this has come up in ~4 days.
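To make the "open the hpi and look inside" point concrete, here is an added example (not code from the thread or from the Jenkins project) that reads a plugin archive with Python's zipfile module and separates the manifest's Jenkins-Version header, which only records the minimum compatible core, from the jars actually bundled under WEB-INF/lib. The sample archive it builds is constructed for the demo; its plugin and library names are made up.

```python
import io
import re
import zipfile


def build_sample_hpi() -> bytes:
    """Constructed sample archive (not a real plugin) using the layout of
    Jenkins .hpi/.jpi files: a MANIFEST.MF plus jars under WEB-INF/lib."""
    manifest = (
        "Manifest-Version: 1.0\r\n"
        "Short-Name: example-plugin\r\n"
        "Plugin-Version: 1.0\r\n"
        "Jenkins-Version: 2.277.4\r\n"   # minimum core, like <jenkins.version> in pom.xml
        "\r\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        zf.writestr("WEB-INF/lib/example-plugin.jar", b"")   # the plugin's own classes
        zf.writestr("WEB-INF/lib/somelib-1.2.3.jar", b"")    # bundled third-party library
        zf.writestr("WEB-INF/lib/otherlib-4.5.jar", b"")     # bundled third-party library
    return buf.getvalue()


def parse_manifest(text: str) -> dict:
    """Parse MANIFEST.MF into a dict; continuation lines start with one space."""
    joined = re.sub(r"\r?\n ", "", text)
    out = {}
    for line in joined.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            out[key.strip()] = value.strip()
    return out


def inspect_hpi(data: bytes) -> dict:
    """Report the bundled jars (what actually ships with the plugin) and, separately,
    the minimum core version, which says nothing about the core you are running."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        manifest = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8"))
        jars = sorted(name.rsplit("/", 1)[1] for name in zf.namelist()
                      if name.startswith("WEB-INF/lib/") and name.endswith(".jar"))
    return {
        "short_name": manifest.get("Short-Name"),
        "min_core_version": manifest.get("Jenkins-Version"),
        "bundled_jars": jars,
    }


if __name__ == "__main__":
    print(inspect_hpi(build_sample_hpi()))
```

Run it against a real .hpi by replacing the constructed bytes with the file's contents; the bundled_jars list is what a scanner should match against advisories, not min_core_version.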

Niv Keidan

Feb 22, 2022, 3:36:37 AM
to Jenkins Developers
Thanks for the info, very helpful.

And as to your question, no. Must be a coincidence. This has come up on our end by simply reviewing the current status.
Cheers.