Plugins affected by fix for JEP-200

For years, the Jenkins project has received reports of remote code execution (RCE) attacks involving Remoting and/or XStream. Typically the attacks involve fairly exotic classes in the Java Platform, or sundry libraries such as Groovy. The Jenkins CERT has responded to such reports reactively, by blacklisting the affected classes or packages. That approach has proven unmaintainable, and in JENKINS-47736 we have switched from a blacklist to a whitelist: a class is now rejected unless it is explicitly whitelisted.

The JEP sponsors and reviewers invested significant time in testing plugins, but there is an obvious risk that particular plugins use types which are not covered by the whitelists. In this document we track such plugins and known issues so that Jenkins administrators can update in a timely manner and/or apply workarounds.


  • Workarounds can be applied on both the Jenkins administrator side and the plugin developer side
  • Workarounds are described in the JEP-200 blogpost
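The workarounds themselves live in the blogpost, but the first step in either one is the same: find out which classes are being rejected and which plugin loaded them. The following script is an added example, not code from this page or from the Jenkins project. It parses the rejection messages that appear in the Jenkins log after the JEP-200 change (the "Refusing to marshal …", "Rejected: …" and "… might be dangerous, so rejecting" lines seen in JEP-200 bug reports; their exact wording is an assumption to check against your core version), attributes each class to the plugin jar when the log names one, and emits the two whitelist forms from the blogpost: the hudson.remoting.ClassFilter system property for administrators and the META-INF/hudson.remoting.ClassFilter resource for plugin developers (both names are taken from the blogpost as I read it, not from this page, and should be verified there). It refuses to whitelist net.sf.json.JSONObject, which several rows below say should not be whitelisted, and Groovy classes, which the introduction names as a historical RCE carrier, and it separates runtime state such as locks and loggers, where the fix recorded below was to stop persisting the field rather than to whitelist it. The log lines embedded in the script are constructed for the example.

```python
"""Triage JEP-200 class-filter rejections from a Jenkins log (added example).

Not code from this page or from the Jenkins project. Message shapes are the
ones quoted in JEP-200 bug reports; the whitelist output forms follow the
JEP-200 blogpost's administrator and plugin-developer workarounds. Both are
assumptions to verify against the core version you run.
"""
import re
from typing import Dict, List, Optional

CLASS_FILTER_URL = "https://jenkins.io/redirect/class-filter/"

# XStream rejection, Remoting rejection, and the core WARNING that also
# names the jar the class was loaded from (assumed wording, see above).
_PATTERNS = (
    re.compile(r"Refusing to marshal (?P<cls>[\w.$]+) for security reasons"),
    re.compile(r"Rejected: (?P<cls>[\w.$]+); see " + re.escape(CLASS_FILTER_URL)),
    re.compile(r"(?P<cls>[\w.$]+) in (?P<loc>\S+) might be dangerous, so rejecting"),
)

# The page says whitelisting JSONObject is not recommended; Groovy is named
# in the introduction as a historical RCE carrier. Refuse both outright.
REFUSE_PREFIXES = ("net.sf.json.", "groovy.")
# Locks, streams and loggers are runtime state. The rows on the page for such
# classes were fixed by no longer persisting the field, not by whitelisting.
RUNTIME_STATE_PREFIXES = ("java.util.concurrent.locks.", "java.io.",
                          "java.util.logging.", "org.apache.commons.logging.")


def parse_rejections(log_text: str) -> Dict[str, Optional[str]]:
    """Map each rejected class to the jar/location that loaded it, if logged."""
    found: Dict[str, Optional[str]] = {}
    for line in log_text.splitlines():
        for pat in _PATTERNS:
            m = pat.search(line)
            if m:
                cls, loc = m.group("cls"), m.groupdict().get("loc")
                # Keep a location if any line for this class supplied one.
                if cls not in found or (loc and not found[cls]):
                    found[cls] = loc
                break
    return found


def plugin_from_location(loc: Optional[str]) -> Optional[str]:
    """Plugin short name from .../plugins/<name>/WEB-INF/lib/<jar>, else None."""
    m = re.search(r"/plugins/([^/]+)/", loc or "")
    return m.group(1) if m else None


def classify(classes) -> Dict[str, List[str]]:
    """Sort rejected classes into whitelist candidates, refusals and runtime state."""
    buckets: Dict[str, List[str]] = {"candidate": [], "refuse": [], "runtime_state": []}
    for cls in sorted(classes):
        if cls.startswith(REFUSE_PREFIXES):
            buckets["refuse"].append(cls)
        elif cls.startswith(RUNTIME_STATE_PREFIXES):
            buckets["runtime_state"].append(cls)
        else:
            buckets["candidate"].append(cls)
    return buckets


def admin_system_property(classes: List[str]) -> str:
    """Administrator workaround: comma-separated list passed to the Jenkins JVM."""
    return "-Dhudson.remoting.ClassFilter=" + ",".join(classes)


def plugin_resource_file(classes: List[str]) -> str:
    """Developer workaround: src/main/resources/META-INF/hudson.remoting.ClassFilter."""
    return "".join(cls + "\n" for cls in classes)


def triage(log_text: str) -> str:
    """Human-readable summary plus the two workaround forms for the candidates."""
    rejected = parse_rejections(log_text)
    buckets = classify(rejected)
    lines = [f"{cls}  (loaded by: {plugin_from_location(loc) or 'unknown plugin'})"
             for cls, loc in sorted(rejected.items())]
    for cls in buckets["refuse"]:
        lines.append(f"REFUSE   {cls}: do not whitelist; fix or upgrade the plugin")
    for cls in buckets["runtime_state"]:
        lines.append(f"TRANSIENT {cls}: plugin should mark the field transient")
    if buckets["candidate"]:
        lines.append("Temporary whitelist for the remaining classes:")
        lines.append("  " + admin_system_property(buckets["candidate"]))
        lines.append("  META-INF/hudson.remoting.ClassFilter:\n"
                     + plugin_resource_file(buckets["candidate"]))
    return "\n".join(lines)


# Constructed sample log lines, not taken from a real Jenkins instance.
SAMPLE_LOG = """\
Jan 20, 2018 10:31:37 AM jenkins.security.ClassFilterImpl lambda$isBlacklisted$1
WARNING: org.example.thirdparty.Report in file:/var/lib/jenkins/plugins/example-plugin/WEB-INF/lib/thirdparty-1.0.jar might be dangerous, so rejecting; see https://jenkins.io/redirect/class-filter/
java.lang.SecurityException: Rejected: org.example.thirdparty.Report; see https://jenkins.io/redirect/class-filter/
java.lang.SecurityException: Refusing to marshal java.util.concurrent.locks.ReentrantLock for security reasons; see https://jenkins.io/redirect/class-filter/
java.lang.SecurityException: Refusing to marshal net.sf.json.JSONObject for security reasons; see https://jenkins.io/redirect/class-filter/
"""

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Treat the generated whitelist as temporary: every third-party class you whitelist is again a type that serialized input from an agent or from disk may instantiate, so the plugin upgrade recorded in the table remains the real fix.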

Affected plugins

This list includes only plugins that have no mitigation in Jenkins core already, and so would be expected to stop working after upgrading core. The list is not exhaustive: if you encounter a plugin that no longer works as expected due to the fix, please add it here. Only plugins with issues in production code are tracked; issues in test classes are tracked separately.
More importantly, please file a bug report with the JEP-200 label, if one doesn't already exist, to help ensure that the appropriate plugin maintainer is informed.

Plugins hosted in the main Jenkins Update Center

Plugin name | Serialization type | Problem | Issue / pull request | Status / workaround
Priority Sorter | XStream | Unnecessary serialization of a type from Apache Ant | PR #42 | Fixed in 3.6.0
Saltstack | Remoting | JSONObject serialization in HttpCallable | PR #116 | Fixed in 3.1.4, upgrade.
CloudBees DockerHub Notification | (not recorded) | Unnecessary serialization of a JSONObject | PR #16 | Fixed in 2.2.1, upgrade.
Project Description Setter | XStream | Unnecessary serialization of a Charset | PR #2 | Fixed in 1.2
Publish Over CIFS | XStream | Various errors, core functionality is affected | commit | Fixed in 0.6
Publish Over Dropbox | XStream | Various errors, core functionality is affected | JENKINS-48926 | Fixed in 1.2.2
Publish over FTP | XStream | Various errors, core functionality is affected | commit | Fixed in 1.13
Publish over SSH | XStream | Various errors, core functionality is affected | JENKINS-48920 | Fixed in 1.18
CRX Content Pack Deployer | Remoting | Serialization of classes from an external library; execution on agents may be impacted | PR #8 | Fixed in 1.8.1
PRQA | Remoting | Serialization of PRQAComplianceStatus from a 3rd-party library; the plugin won't work on agents | JENKINS-48939 | Assigned to the vendor, unconfirmed
Nexus Platform | Remoting | Suspected error in IQ scans | | Fixed in 1.6. Workaround: whitelist entries in PR #17
TestLink | XStream | Serialization of classes from a 3rd-party library | JENKINS-48924, JENKINS-48995, JENKINS-49228 | Fixed in 3.13; for TestNG reporting an update to Jenkins core 2.104 is also required. Workaround: whitelist entries in PR #29
TAP | XStream | Serialization of classes from a 3rd-party library | JENKINS-48925 | Fixed in 2.2.1. Workaround: whitelist entries in PR #20
Build Failure Analyzer | XStream | Serialization of classes from a 3rd-party library | JENKINS-48932 | Fixed in 1.19.2; also update Gerrit Trigger to 2.27.2 if it is installed
Gerrit Trigger | XStream | Serialization of classes from a 3rd-party library | JENKINS-48943 | Fixed in 2.27.2
Build Name Setter | XStream | Serialization of a PrintStream to disk (for logging purposes) | | Fixed in 1.6.8
GitHub Pull Request Builder | XStream | Serialization of classes from a 3rd-party GitHub API library | JENKINS-48950 | Fixed in 1.40.0
ConfigFileProvider | XStream | Serialization of non-whitelisted Java internal classes; confirmed for instances which perform data migration for old builds | JENKINS-48956 | Fixed in 2.17 and in Jenkins 2.103
OctoPerf Load Testing | XStream | Serialization of non-whitelisted Java internal classes | | Fixed in Jenkins 2.103
Reverse Proxy Auth | XStream | Persistence of caches on disk due to a plugin defect | JENKINS-48970 | Fixed in 1.6.0. The release includes many historical changes; please raise issues if you see any regressions.
Artifactory | Remoting | Serialization of classes from 3rd-party libraries (Artifact, etc.); executions on agents may fail | JENKINS-48983 | Fixed in 2.15.0. Workaround: N/A (too many affected classes), upgrade is required
Anchore Container Image Scanner | XStream | Serialization of Guava classes and JSONObjects to disk | JENKINS-48989 | Fixed in 1.0.13
Build Monitor View | Integration | Failure when retrieving actions when Build Failure Analyzer 2.27.2 is installed | JENKINS-48984 | Confirmed regression, but not JEP-200
Android Lint (and possibly other plugins based on Analysis Core) | Remoting | Lint Publisher serializes non-whitelisted classes | JENKINS-49016 | Fixed in Jenkins 2.103
Pipeline: AWS | XStream and Remoting | Serialization of non-whitelisted Java internal classes | | Fixed in 1.21
PVCS SCM | XStream | Serialization of org.apache.commons.logging.Log to disk | | Fixed in 1.2, upgrade.
Extensible Choice Parameter | XStream | Serialization of java.util.RandomAccessSubList to disk in the Extensible Choice Text Area Parameter | | Fixed in 1.4.2. Workaround: whitelist entries in PR #33
RunDeck | XStream | Serialization of classes from a 3rd-party library | JENKINS-49074 | Fixed in 3.6.4. Workaround: whitelist entries in PR #33
GitHub Integration | XStream | Serialization of non-whitelisted Java internal classes | Issue #253 | Fixed in Jenkins core 2.104. Workaround: whitelist entries in core PR #3253
RabbitMQ Consumer | XStream | Serialization of classes from a 3rd-party library | JENKINS-49083 | Fixed in 2.8
Maven Integration | XStream | Serialization of caches | JENKINS-49089 | Fixed in 3.1
Maven Integration | Remoting | Serialization of Maven model objects | JENKINS-50251 | Pending PR 115. Workaround: avoid ciNotification
Cucumber JSON Test Reporting | Remoting | Serialization of classes from a 3rd-party library | JENKINS-49101 | Fixed in 0.10.1. Workaround: whitelist entries in PR #12 and PR #13
Mesos | XStream | Serialization of java.util.concurrent.locks.ReentrantLock to disk | | Fixed in 0.15.1
Mesos | XStream | Serialization of JSONObject when "MesosCloud > Slave Info" is defined | JENKINS-50303 | Confirmed
Sonar Quality Gates | XStream | Serialization of the HttpClient and HttpClientContext classes | JENKINS-49130 | Fixed in 1.2.0
Build Flow Plugin | XStream | Serialization of ReentrantLock and other utility classes | | Won't do. The plugin is deprecated and depublished due to known security issues (advisory). The JEP-200 maintainers do not plan to offer a fix, though somebody else may.
Last Changes | XStream | Incorrect caching of SimpleDateFormat | JENKINS-49176 | Fixed in 2.6
Job DSL | XStream | Serialization of generated views; no impact on build execution | JENKINS-49175 | Fixed in 1.67
Pipeline :: Declarative | XStream | Storage of BigDecimal and BigInteger in the AST model when values like "0.1" are declared in the Pipeline definition | JENKINS-49070 | Fixed in Jenkins core 2.104. Also: PR #239.
OWASP Dependency-Check | Remoting | Serialization of classes from 3rd-party libraries | PR #20 | Fixed in 3.1.1
(plugin name not recorded) | Remoting / XStream | Serialization of non-whitelisted Java-internal classes | | Fixed in 1.2. Workaround: whitelist entries in PR #2
GitHub Autostatus | XStream | Serialization of 3rd-party classes from the GitHub API | | Fixed in 2.0
S3 | XStream | Serialization of non-whitelisted com.amazonaws.regions.Region in S3 Publisher | | Fixed in 0.11.0. Workaround: whitelist entries in PR #112
Fortify on Demand Uploader | XStream | Serialization of 3rd-party classes to disk | | Fixed in 3.0.7. Workaround: whitelist entries there
CVS | Remoting | Serialization of non-whitelisted Java-internal classes | JENKINS-49574 | Fixed in 2.14. Workaround: whitelist the following classes, or restart Jenkins between each build (only the first build works).
Matrix Configuration Parameter | XStream | Serialization of non-whitelisted Guava collection classes | | Fixed in 1.3.0. Workaround: whitelist classes in PR #23
Matrix Configuration Parameter | XStream | Serialization of parser classes which use fields from 3rd-party libraries | | Fixed in 1.3.0. Workaround: N/A
Pipeline: API | XStream | The plugin serializes the blacklisted PowerAssertionError type in the case of user-defined assertions in Pipeline scripts | | Fixed in 2.26
Filesystem List Parameter | XStream | Serialization of non-whitelisted Java-internal classes | JENKINS-49649 | Fixed in 0.0.4
Unreliable Slave | XStream | Serialization of the InternetAddress class | JENKINS-49650 | Assigned to the maintainer. Workaround: whitelist javax.mail.internet.InternetAddress
Doktor | XStream | Serialization of non-whitelisted classes from the Kotlin standard library | JENKINS-49699 | Assigned to the maintainer. Workaround: N/A
Packer | Remoting and XStream | Serialization of blacklisted JSONObject classes | JENKINS-49715 | Fixed in 1.5. Workaround: N/A, whitelisting of JSONObject is not recommended
Openstack Heat | XStream | Serialization of blacklisted JSONObject classes to disk in the build step configuration | | Assigned to the maintainer. Workaround: N/A, whitelisting of JSONObject is not recommended
PTC Integrity CM | XStream | Accidental serialization of Derby connection information | JENKINS-50001 | Release pending, PR #30
Performance | XStream | Serialization of cached DateFormatter classes in the global configuration; limited impact on users | | Fixed in 3.6, PR #162
Google OAuth Credentials (and dependent plugins) | XStream | Serialization of non-whitelisted org.joda.time classes in RemotableGoogleCredentials and child classes | | Contacted maintainers, blocked by CLA
AWS CodeBuild | XStream | Serialization of non-whitelisted 3rd-party classes | JENKINS-50264 | Fixed in 0.20. Workaround: whitelist entries in PR #7
Cucumber Living Documentation | XStream | Serialization of Logger classes to disk | JENKINS-50271 | Fix pending, PR #21
Monitoring | Remoting | Serialization of model objects over the channel in old versions of the plugin | JENKINS-50280 | Fixed in 1.71.0. Workaround: Jenkins core includes a whitelist for versions 1.68.0+, but older versions need an update
Test In Progress | XStream | Serialization of model objects from an internal library which is not properly whitelisted | |
EC2 Fleet | XStream | Persistence of EC2FleetCloud cache objects on disk | | Fix pending, PR #24

Other 3rd-party plugins

This section tracks reports for plugins that are not available in the official Jenkins update centers. For these plugins the JEP-200 maintainers do NOT commit to investigating defects (especially for closed-source plugins).

Plugin name | Serialization type | Problem | Issue / pull request | Status
CA Release Automation | XStream | Serialization of JSONObject classes | JENKINS-49431 | Vendor notified
Nexus Jenkins Plugin | XStream | Serialization of non-whitelisted Server Configuration class in "Insight Link" | JENKINS-50257 |

Other affected components/configurations

In addition to Jenkins plugins, some other components have been affected by JEP-200.

Component | Problem | Issue | Status / workaround
Jenkins running in the Apache Tomcat web container | Jenkins 2.102 and later could fail to start or run properly when loaded inside certain containers, including old versions of Tomcat | JENKINS-49543, JENKINS-49147 | Fixed in 2.107.1/2.108. Workaround: use the latest Apache Tomcat server (8.0.50 or above)
