Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Minor
    • Resolution: Duplicate
    • Component/s: core

      Description

      We were evaluating a plugin that uses Groovy and discovered the version of
      Groovy it uses has a published security advisory. Digging further we found it
      was actually core Jenkins that provides Groovy. Our analysis:

      ====
      The Groovy version in use (1.8.9) does have a security advisory ( https://www.cvedetails.com/cve/CVE-2015-3253/ ). In all likelihood this is not patched; Apache ( http://www.groovy-lang.org/security.html ) is hands-off prior to their takeover of 2.4.4. However, this version is not an issue with the plugin itself; the version is specified by Jenkins' POMs. In this case, the plugin uses 1.565.3 and gets Groovy 1.8.9 transitively; even the very latest POM/API (1.585) is still at 1.8.9. It follows that every plugin already installed utilizing Groovy, and likely Jenkins core, is equally vulnerable. The vulnerability can be mitigated, if desired, by setting security policies (Groovy is held to those policies just like 'regular' Java).
      ====

      We are asking for Jenkins to upgrade the provided Groovy version.

      https://github.com/jenkinsci/jenkins/blob/master/core/pom.xml#L44
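      As an added illustration (not part of the issue or of Jenkins), the script below scans the output of `mvn dependency:tree` for Groovy artifacts older than the 2.4.4 line mentioned in the analysis above, so a plugin author can see where a transitive Groovy comes from; the tree text is constructed sample output, and the 2.4.4 threshold is taken from the analysis.

```python
import re

# Constructed sample of `mvn dependency:tree` output (not from the issue),
# showing Groovy arriving transitively through the Jenkins core dependency.
SAMPLE_TREE = """\
[INFO] org.example:my-plugin:hpi:1.0
[INFO] +- org.jenkins-ci.main:jenkins-core:jar:1.565.3:provided
[INFO] |  +- org.codehaus.groovy:groovy-all:jar:1.8.9:provided
[INFO] |  \\- org.jenkins-ci.main:remoting:jar:2.44:provided
[INFO] \\- junit:junit:jar:4.11:test
"""

# A dependency:tree line carries groupId:artifactId:type[:classifier]:version:scope
DEP_RE = re.compile(r'([\w.\-]+):([\w.\-]+):[\w\-]+(?::[\w\-]+)?:([\w.\-]+):(\w+)')

# Per the analysis, Groovy releases before 2.4.4 predate the Apache takeover
# and the CVE-2015-3253 advisory; anything older is flagged.
FIXED_GROOVY = (2, 4, 4)


def parse_version(version: str) -> tuple:
    """Turn '1.8.9' or '2.4.0-rc-1' into a comparable tuple of up to 3 ints."""
    return tuple(int(part) for part in re.findall(r'\d+', version)[:3])


def find_vulnerable_groovy(tree_text: str) -> list:
    """Return (group:artifact, version) pairs for Groovy older than FIXED_GROOVY."""
    hits = []
    for line in tree_text.splitlines():
        match = DEP_RE.search(line)
        if not match:
            continue  # root artifact line or non-dependency output
        group, artifact, version, _scope = match.groups()
        if group == 'org.codehaus.groovy' and parse_version(version) < FIXED_GROOVY:
            hits.append((f'{group}:{artifact}', version))
    return hits


if __name__ == '__main__':
    for coordinate, version in find_vulnerable_groovy(SAMPLE_TREE):
        print(f'{coordinate} {version} is older than 2.4.4')
```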

      People

      • Assignee: Unassigned
      • Reporter: Owen Wood (owood)