We were evaluating a plugin that uses Groovy and discovered the version of
Groovy it uses has a published security advisory. Digging further we found it
was actually core Jenkins that provides Groovy. Our analysis:
The Groovy version in use (1.8.9) does have a security advisory ( https://www.cvedetails.com/cve/CVE-2015-3253/ ). In all likelihood this is not patched; Apache ( http://www.groovy-lang.org/security.html ) is hands-off prior to their takeover of 2.4.4.

However, this version is not an issue with the plugin itself; the version is specified by Jenkins' POMs. In this case, the plugin uses 1.565.3 and gets Groovy 1.8.9 transitively; even the very latest POM/API (1.585) is still at 1.8.9. It follows that every plugin already installed utilizing Groovy, and likely Jenkins core, is equally vulnerable.

The vulnerability can be mitigated, if desired, by setting security policies (Groovy is held to those policies just like 'regular' Java).
We are asking for Jenkins to upgrade the provided Groovy version.
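The mitigation mentioned in the report (holding Groovy to a Java security policy) can be tried out in isolation. The following is an added example, not code from the report, the plugin, or Jenkins: it installs a SecurityManager, grants full permissions to the application and Groovy code bases, grants a script code base only what the Groovy runtime needs to execute a script, and then shows that a script calling `.execute()` is stopped by the same `checkExec` path that a plain Java `Runtime.exec` call would hit. It assumes groovy-all 1.8.9 on the classpath; the `file:/groovy/shell` code base is what `GroovyShell` assigns to strings passed to `evaluate()` in Groovy 1.8 (`GroovyShell.DEFAULT_CODE_BASE`). The two permissions granted to the script are an assumption based on what the Groovy runtime typically needs; if a given Groovy version needs more, the `AccessControlException` message names the missing permission.

```java
import groovy.lang.GroovyShell;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

// Added example (not from the Jenkins issue or project): a Groovy script
// evaluated under a Java SecurityManager is subject to the same policy as
// ordinary Java code, because it compiles to JVM bytecode and calls the same
// JDK APIs (here Runtime.exec via ProcessGroovyMethods.execute).
public class GroovyUnderPolicy {

    // Code base Groovy 1.8 assigns to scripts passed to GroovyShell.evaluate(String):
    // GroovyShell.DEFAULT_CODE_BASE = "/groovy/shell", wrapped as a file: URL.
    static final String SCRIPT_CODEBASE = "file:/groovy/shell";

    // Writes a policy that trusts this class and the Groovy jar fully but gives
    // script code only the minimum assumed to be needed by the Groovy runtime.
    // No FilePermission "<<ALL FILES>>","execute" and no SocketPermission are
    // granted to the script, so process spawning and networking are denied.
    static Path writePolicy() throws IOException {
        String appCodeBase = GroovyUnderPolicy.class.getProtectionDomain()
                .getCodeSource().getLocation().toString();
        String groovyCodeBase = GroovyShell.class.getProtectionDomain()
                .getCodeSource().getLocation().toString();
        String policy =
            "grant codeBase \"" + appCodeBase + "\" { permission java.security.AllPermission; };\n" +
            "grant codeBase \"" + groovyCodeBase + "\" { permission java.security.AllPermission; };\n" +
            "grant codeBase \"" + SCRIPT_CODEBASE + "\" {\n" +
            "  permission java.lang.RuntimePermission \"accessDeclaredMembers\";\n" + // assumed runtime need
            "  permission java.util.PropertyPermission \"groovy.*\", \"read\";\n" +   // assumed runtime need
            "};\n";
        Path file = Files.createTempFile("groovy-script-", ".policy");
        Files.write(file, policy.getBytes(StandardCharsets.UTF_8));
        return file;
    }

    // Runs a script under the policy and reports whether it was allowed or denied.
    // Returns true when the SecurityManager blocked it (AccessControlException
    // is a SecurityException, and Groovy rethrows RuntimeExceptions unwrapped).
    static boolean isDenied(GroovyShell shell, String script) {
        try {
            Object result = shell.evaluate(script);
            System.out.println("allowed: " + script + " -> " + result);
            return false;
        } catch (SecurityException e) {
            System.out.println("denied:  " + script + " (" + e.getMessage() + ")");
            return true;
        }
    }

    public static void main(String[] args) throws IOException {
        // The policy must be named before the SecurityManager is installed;
        // in a server it would be passed as -Djava.security.policy=... at launch.
        System.setProperty("java.security.policy", writePolicy().toString());
        System.setSecurityManager(new SecurityManager());

        GroovyShell shell = new GroovyShell();

        // Pure computation needs nothing beyond the script's own grants.
        isDenied(shell, "(1..10).sum()");

        // Spawning a process: the script frame (restricted domain) is on the
        // stack when Runtime.exec calls SecurityManager.checkExec, so the
        // AccessController walk fails even though the Groovy jar itself is trusted.
        isDenied(shell, "'id'.execute().text");

        // Same for a file write outside any granted path.
        isDenied(shell, "new File('/tmp/groovy-policy-test').text = 'x'");
    }
}
```

Compile and run with the Groovy jar on the classpath, for example `javac -cp groovy-all-1.8.9.jar GroovyUnderPolicy.java` then `java -cp .:groovy-all-1.8.9.jar GroovyUnderPolicy`. This is a containment measure, not a fix: it limits what script or closure code can do once it runs, while the advisory itself is only closed by the upgrade the report asks for.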