JDK parameter plugin


s.p...@gmail.com

Aug 29, 2022, 3:20:25 PM8/29/22
to Jenkins Users
There is a Stored XSS vulnerability for the JDK Parameter plugin. We use this plugin to specify the JDK version for our builds' compilation. Are there any plans to upgrade the plugin, or can I use any other plugin? TIA

Mark Waite

Aug 29, 2022, 4:04:15 PM8/29/22
to Jenkins Users
On Monday, August 29, 2022 at 11:20:25 AM UTC-8 you wrote:
There is a Stored XSS vulnerability for the JDK Parameter plugin. We use this plugin to specify the JDK version for our builds' compilation. Are there any plans to upgrade the plugin, or can I use any other plugin? TIA

The JDK parameter plugin was last released 9 years ago. There have only been three pull requests to the plugin since the 1.0 release 9 years ago. I've seen no mention from anyone of any plan to fix that vulnerability or to modernize the plugin.

If the plugin matters to your employer, you could ask your employer to allow you or one of your colleagues to maintain the plugin. That would meet your need for the plugin and would help the other 4000+ installations of the plugin.

A five-part video series on modernizing a Jenkins plugin is available. There is also a 3-part video series that illustrates how to fix a security vulnerability. If you prefer a written tutorial, see the "Modernizing a Jenkins plugin" Google Doc.

Mark Waite