Open jensdotbruggeman opened 2 years ago
Hi @jensdotbruggeman,
Thank you for raising this issue!
We acknowledge it and have started investigating. I would further request that you share a few details:
Here is the release link where you can find the list of vulnerabilities with each plugin release:
https://mvnrepository.com/artifact/org.jenkins-ci.plugins/jquery?repo=jenkins-releases
https://mvnrepository.com/artifact/org.jenkins-ci.plugins/jquery/1.12.4-1 (for the latest)
Thanks again for sharing!
Regards, Nikhil Diwan
Hi @diwannikhil,
Thank you for your feedback.
We received an external audit of our tools, and it pointed out that our Jenkins instance is serving an old version of jQuery:
jQuery 1.12.4 3.6.0 vulnerable
As the version of jQuery is (very) old, it contains a number of known vulnerabilities.
Is the dependency of jQuery absolutely required? Or can the dependency be upgraded?
Best regards, Jens
Hi @jensdotbruggeman,
Yes, the jQuery dependency is required for this plugin.
We have this issue in our task list. We will be upgrading jQuery to the latest 3.x version; since it is a major upgrade to jQuery 3, it will also require thorough testing.
We will keep everyone posted here about further updates on this issue. Thanks again!
Regards, Nikhil Diwan
Hello @diwannikhil,
Thanks for your update. Our scans also detect that Xray is the only plugin (from our set) depending on the jQuery plugin (which has not been updated for 3 years now).
Best regards, João Fernandes
Any news on this update? Our IT Security requests to upgrade this dependency.
Hi @diwannikhil, any news on this update? Our IT Security requests to upgrade this dependency.
What feature do you want to see added?
Our internal security scan reveals that our Jenkins instance contains a jQuery vulnerability. This jQuery dependency was installed by installing the "XRay Connector plugin".
Can this dependency be upgraded or removed?
Thank you for your assistance.
Jens
Upstream changes
No response
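The two findings raised in this thread (which plugins in a Jenkins installation depend on the jquery plugin, and which jQuery library version that plugin actually bundles, compared against the 3.6.0 the audit cited) can be verified locally instead of relying on a scanner report. The script below is an added example and is not code from the issue, the jquery plugin, or the Xray Connector plugin. It assumes that Jenkins plugin archives (.hpi/.jpi) are zip files whose META-INF/MANIFEST.MF carries the Short-Name, Plugin-Version and Plugin-Dependencies attributes (the latter as comma-separated name:version entries, optionally suffixed with ;resolution:=optional), and that the bundled jquery*.js starts with a "jQuery v<version>" banner. All plugin archives in SAMPLE_ARCHIVES are constructed in memory; the short names other than "jquery" are hypothetical.

```python
"""Inventory Jenkins plugins that depend on the jquery plugin and report the
bundled jQuery library version. Added example; assumptions are noted inline."""
import io
import re
import zipfile
from pathlib import Path

# Plugin-Dependencies entry: name:version, optionally ";resolution:=optional" (assumed format)
DEP_RE = re.compile(r"^([^:]+):([^;]+)(;resolution:=optional)?$")
# Version banner at the top of jquery*.js, e.g. "/*! jQuery v1.12.4 ..." (assumed format)
JQ_VER_RE = re.compile(r"jQuery(?: JavaScript Library)? v(\d+\.\d+\.\d+)")


def parse_manifest(text):
    """Parse a JAR MANIFEST.MF into a dict; a line starting with one space
    continues the previous attribute (manifests wrap long values that way)."""
    attrs, key = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and key is not None:
            attrs[key] += raw[1:]
        elif ":" in raw:
            key, _, val = raw.partition(":")
            key = key.strip()
            attrs[key] = val.strip()
    return attrs


def plugin_dependencies(attrs):
    """Return {plugin_name: (version, is_optional)} from Plugin-Dependencies."""
    deps = {}
    for item in attrs.get("Plugin-Dependencies", "").split(","):
        m = DEP_RE.match(item.strip())
        if m:
            deps[m.group(1)] = (m.group(2), m.group(3) is not None)
    return deps


def bundled_jquery_versions(zf):
    """Collect the version from the banner of every jquery*.js in the archive."""
    found = set()
    for name in zf.namelist():
        base = name.rsplit("/", 1)[-1].lower()
        if base.startswith("jquery") and base.endswith(".js"):
            head = zf.read(name)[:512].decode("utf-8", "replace")
            m = JQ_VER_RE.search(head)
            if m:
                found.add(m.group(1))
    return found


def version_tuple(v):
    return tuple(int(x) for x in v.split("."))


def inventory(archives, jquery_plugin="jquery", current="3.6.0"):
    """archives: iterable of (filename, bytes). Reports which plugins depend on
    the jquery plugin and whether the bundled library is older than `current`
    (3.6.0 is the version the audit in the thread compared against)."""
    report = {"dependents": {}, "jquery_plugin_version": None,
              "bundled_versions": set(), "outdated": False}
    for fname, data in archives:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            attrs = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8"))
            short = attrs.get("Short-Name", Path(fname).stem)
            deps = plugin_dependencies(attrs)
            if jquery_plugin in deps:
                report["dependents"][short] = deps[jquery_plugin]
            if short == jquery_plugin:
                report["jquery_plugin_version"] = attrs.get("Plugin-Version")
                report["bundled_versions"] |= bundled_jquery_versions(zf)
    report["outdated"] = any(version_tuple(v) < version_tuple(current)
                             for v in report["bundled_versions"])
    return report


def load_plugin_dir(plugins_dir):
    """Yield (name, bytes) for every .hpi/.jpi in a real JENKINS_HOME/plugins directory."""
    for p in Path(plugins_dir).iterdir():
        if p.suffix in (".hpi", ".jpi"):
            yield p.name, p.read_bytes()


def make_hpi(manifest, files=None):
    """Build an in-memory plugin archive (used only to construct sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        for name, body in (files or {}).items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed sample plugins; short names other than "jquery" are hypothetical.
SAMPLE_ARCHIVES = [
    ("jquery.jpi", make_hpi(
        "Manifest-Version: 1.0\nShort-Name: jquery\nPlugin-Version: 1.12.4-1\n",
        {"jquery.js": "/*! jQuery v1.12.4 | (c) jQuery Foundation */\n"})),
    ("xray-connector-sample.jpi", make_hpi(  # wrapped manifest line on purpose
        "Manifest-Version: 1.0\nShort-Name: xray-connector-sample\n"
        "Plugin-Version: 2.0.0\nPlugin-Dependencies: jquery:1.12.4-1,credentials:2.\n 6.1\n")),
    ("other-sample.jpi", make_hpi(
        "Manifest-Version: 1.0\nShort-Name: other-sample\nPlugin-Version: 1.0\n"
        "Plugin-Dependencies: credentials:2.6.1;resolution:=optional\n")),
]

if __name__ == "__main__":
    print(inventory(SAMPLE_ARCHIVES))  # replace with inventory(load_plugin_dir("/var/lib/jenkins/plugins"))
```

Run against a real installation with inventory(load_plugin_dir(...)); an empty "dependents" map after removing the Xray plugin confirms the jquery plugin can be uninstalled, while a non-empty "bundled_versions" older than the audit's reference version shows the served library is still the old one regardless of which plugin pulled it in.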