
Jenkins uses the Stapler web framework to render its UI views. These views are frequently composed of several view fragments, enabling plugins to extend existing views with more content.

In some cases attackers could directly access a view fragment containing sensitive information, bypassing any permission checks in the corresponding view.

The Stapler web framework has been extended with a Service Provider Interface (SPI) that allows preventing views from being rendered. The implementation of that SPI in Jenkins now prevents view fragments from being rendered. Further details are available in the developer documentation.

This change is expected to impact existing functionality in some plugins. The most likely effect is that some URLs now return 404 Not Found. In rare cases, the responses returned might not be 404 Not Found, but still different than expected.

Affected plugins

The table below lists plugins that were affected by the SECURITY-534 fix in Jenkins 2.176.2 and 2.186. The "Status" column reflects the current state. Note that this list is not exhaustive.

If you encounter a plugin that no longer works as expected due to the fix, please add it to the list. If possible, include the necessary whitelist entry (or entries) to make the feature work.

More importantly, please file a bug report, if one doesn’t exist, to help ensure that the appropriate plugin maintainer is informed.

| Plugin Name | Impact / behavior | Whitelist addition | Issue / Pull Request | Status |
|---|---|---|---|---|
| gerrit-trigger-plugin | "Data Error" when viewing Gerrit Server list | com.sonyericsson.hudson.plugins.gerrit.trigger.GerritManagement serverStatuses | JENKINS-58715 | Fixed in 2.29.0 |