Jenkins : Plugins affected by the SECURITY-595 fix

Jenkins uses the Stapler web framework for HTTP request handling. Stapler’s basic premise is that it uses reflective access to code elements matching its naming conventions. For example, any public method whose name starts with get, and that has a String, int, long, or no argument can be invoked this way on objects that are reachable through these means. As these naming conventions closely match common code patterns in Java, accessing crafted URLs could invoke methods never intended to be invoked this way.

The Stapler web framework has been extended with a Service Provider Interface (SPI) that allows methods and fields to be excluded from routing. The implementation of that SPI in Jenkins now restricts which getter methods, do* action methods, and fields can be invoked reflectively by Stapler. Further details are available in the documentation:

This change is expected to impact existing functionality in some plugins. The most likely effect is that some URLs now return 404 Not Found. In rare cases, the responses returned might not be 404 Not Found, but still different than expected.

Affected plugins

The table below provides a list of plugin which were affected by the SECURITY-595 fix in Jenkins 2.138.4 and 2.154. "Status" column reflects the current state. Note that this list is not exhaustive.

If you encounter a plugin that no longer works as expected due to the fix, please add it to the list. If possible, include the necessary whitelist entry (or entries) to make the feature work.

More importantly, please file a bug report, if one doesn’t exist, to help ensure that the appropriate plugin maintainer is informed.

Possibly Unsafe

 Please note that not all whitelist additions listed on this page may be safe to apply.

Plugin NameImpact / behaviorWhitelist additionIssue / pull requestStatus

Git Plugin

/job/<Job Name>/scm/bySHA1/<SHA-1> URL is not accessible

method hudson.model.AbstractProject getScm

n/a

Functionality only available after adding this whitelist entry.

This feature is being removed towards Git Plugin 4.0.