This is not an issue tracker replacement
If you suspect that you found a vulnerability in a plugin, please report it to the Jenkins security team as described here: https://jenkins.io/security/#reporting-vulnerabilities
This page lists Jenkins plugins that implement scripting-related features, and the state of their integration with the Script Security plugin (where needed). While it is possible for a plugin to be safe to use without integrating with Script Security (e.g. by only enabling scripting features when Jenkins security is disabled, or by properly limiting those features to users with the Run Scripts permission), integrating Script Security is a common, proven approach.
For each listed plugin, the following information is tracked:
- The state of the vulnerability in the current release:
  - Never indicates the plugin has not been found to be affected by a major scripting-related vulnerability, despite offering scripting-related features, or has been integrated with the Script Security plugin from the start.
  - Fixed indicates that the plugin used to have a scripting-related vulnerability that has since been fixed and released (typically by integrating with Script Security).
  - Admin Only indicates that the plugin does not distinguish properly between the Administer and Run Scripts permissions, which is only relevant in specific situations, such as hosted Jenkins environments. While this is, strictly speaking, a vulnerability, most Jenkins administrators will not be affected.
  - Yes indicates that current releases of this plugin are considered to be affected by a known, public scripting-related security vulnerability.
More information:
- 2017-04-10 Security Advisory publishing several scripting-related security vulnerabilities
- Announcement blog post for the security advisory above
- https://github.com/jenkins-infra/backend-update-center2 is the update center generator; it contains the data on which plugins had their distribution suspended due to a vulnerability, and for which plugins warnings have been issued.
- Script Security plugin on the Jenkins Plugins Index
Plugin ID | Plugin Name | Scripting | Tracking Issue | Script Security | Comments |
---|---|---|---|---|---|
AdaptivePlugin | Adaptive DSL | Yes | SECURITY-457 | - | |
app-detector | Application Detector | Admin Only (1.0.2+) | SECURITY-494 | - | |
artifactdeployer | Artifact Deployer | Yes | SECURITY-294 | - | |
build-flow-plugin | Build Flow | Yes | SECURITY-293 | - | |
cas-plugin | CAS | Fixed | SECURITY-488 | 1.4.0, released 2017-05-09 | |
cas1 | CAS protocol version 1 | Yes | SECURITY-491 | - | |
claim | Claim | Fixed | JENKINS-43811 | 2.10, released 2017-11-08 | |
cvs-tag | CVS Tagging | Yes | SECURITY-459 | - | |
database-mysql | MySQL Database | Never | - | - | |
dynamicparameter | Dynamic Parameter | Yes | SECURITY-462 | - | |
email-ext | Email Extension | Fixed | SECURITY-257 | 2.57.2, released 2017-04-10 | |
envinject | Environment Injector | Fixed | SECURITY-256 | 2.0, released 2017-04-10 | |
extended-choice-parameter | Extended Choice Parameter | Fixed | SECURITY-187 | 1.63, released 2016-04-05 | |
extensible-choice-parameter | Extensible Choice Parameter | Fixed | SECURITY-123 | 2.4.0, released 2017-04-10 | |
extreme-notification | Extreme Notification | Admin Only | SECURITY-492 | - | |
grails | Grails | Yes | SECURITY-458 | - | |
groovy | Groovy | Fixed | SECURITY-292 | 2.0, released 2017-04-10 | |
groovy-label-assignment | Groovy Label Assignment | Fixed | JENKINS-27535 | 1.2.0, released 2016-05-08 | |
groovy-postbuild | Groovy Postbuild | Fixed | JENKINS-15212 | 2.0, released 2014-09-21 | |
groovyaxis | GroovyAxis | Yes | SECURITY-460 | - | |
integrity-plugin | PTC Integrity CM | Yes | SECURITY-176 | - | |
job-dsl | Job DSL | Fixed | SECURITY-369 | 1.60, released 2017-04-10 | |
lockable-resources | Lockable Resources | Fixed | SECURITY-368 | 2.0, released 2017-04-10 | |
matrix-combinations-parameter | Matrix Combinations Parameter | Never | - | - | Depends on Matrix Project for this functionality |
matrix-project | Matrix Project | Fixed | SECURITY-125 | 1.2.1 and 1.4.1, released 2015-02-27 | |
naginator | Naginator | Never | - | - | |
ontrack | Ontrack | Yes | SECURITY-495 | - | |
postbuildscript | Post-Build Script | Yes | SECURITY-295 | - | |
proc-cleaner-plugin | Process Cleaner | Yes | SECURITY-489 | - | |
reactor-plugin | Reactor | Yes | SECURITY-487 | - | |
script-scm | Script SCM | Yes | SECURITY-461 | - | |
scriptler | Scriptler | Admin Only | SECURITY-367 | - | |
scripttrigger | ScriptTrigger | Yes | SECURITY-456 | - | |
seed | Seed | Yes | SECURITY-486 | - | |
shared-objects | Shared Objects | Admin Only | SECURITY-493 | - | |
splunk-devops | Splunk | Fixed | SECURITY-479 | 1.5.3, released 2017-07-25 | |
splunk-devops-extend | Splunk Extension | Fixed | SECURITY-496 | 1.5.0, released 2017-04-16 | |
svn-tag | Subversion Tagging | Yes | SECURITY-298 | - | |
tcl | tcl | Yes | SECURITY-379 | - | |
uno-choice | Active Choices | Fixed | JENKINS-28732 | 1.5.1, released 2016-11-11 | |
warnings | Warnings | Fixed | SECURITY-297 | 4.61, released 2017-04-10 | |
workflow-cps | Pipeline: Groovy | Never | - | - | This includes the Pipeline suite of plugins more broadly. |
youtrack-plugin | Youtrack | Yes | SECURITY-464 | - | |