oss-sec mailing list archives
Re: Multiple vulnerabilities in Jenkins plugins
From: Henri Salo <henri () nerv fi>
Date: Thu, 13 Apr 2023 23:36:27 +0300
On Thu, Apr 13, 2023 at 01:36:14PM -0400, Demi Marie Obenour wrote:
> What is the reason for the large number of unfixed vulnerabilities? To me,
> this seems like an argument for not using Jenkins (or at least its plugins)
> at all.
>
> -- 
> Sincerely,
> Demi Marie Obenour (she/her/hers)
It's better for organizations to be aware of the vulnerabilities and risks related to the software they use. Sometimes it is challenging to get the author/team to fix the security issues (busy/unresponsive/miscommunication, etc.). This is very common with plugins in different software, as there is a large number of developers. It's better for users and the community to disclose the issues if no fix is provided, as plugins can be disabled, a WAF can be configured, etc.

-- 
Henri Salo
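One concrete form of the "plugins can be disabled" mitigation mentioned above, as an added example that is not part of the thread: Jenkins treats a marker file named <shortName>.jpi.disabled (or .hpi.disabled) next to the plugin archive in $JENKINS_HOME/plugins as "keep this plugin disabled", which takes effect at the next restart and needs no script console or UI access. The plugin IDs used below are hypothetical placeholders, not the plugins from Daniel Beck's advisory; the constructed plugins directory is a temp dir so it runs offline.

```shell
#!/bin/sh
# Added example: disable a set of Jenkins plugins out-of-band by creating the
# ".disabled" marker file Jenkins honours for <shortName>.jpi/.hpi in
# $JENKINS_HOME/plugins. Plugin IDs here are hypothetical placeholders.

# disable_jenkins_plugins PLUGINS_DIR "id1 id2 ..."
# Creates <id>.jpi.disabled / <id>.hpi.disabled for each installed plugin.
# Returns non-zero if any listed ID is not installed (so a typo in an
# advisory-derived list is noticed rather than silently ignored).
disable_jenkins_plugins() {
    plugins_dir="$1"
    ids="$2"
    rc=0
    for id in $ids; do
        found=0
        for ext in jpi hpi; do
            if [ -f "$plugins_dir/$id.$ext" ]; then
                # An empty marker file is enough; Jenkins only checks existence.
                : > "$plugins_dir/$id.$ext.disabled"
                found=1
            fi
        done
        if [ "$found" -eq 0 ]; then
            echo "not installed: $id" >&2
            rc=1
        fi
    done
    return "$rc"
}

# plugin_is_disabled PLUGINS_DIR ID  -> exit 0 if a disable marker is present
plugin_is_disabled() {
    plugins_dir="$1"
    id="$2"
    [ -f "$plugins_dir/$id.jpi.disabled" ] || [ -f "$plugins_dir/$id.hpi.disabled" ]
}

# Constructed stand-in for $JENKINS_HOME/plugins, for a self-contained run.
make_demo_plugins_dir() {
    d="$(mktemp -d)"
    : > "$d/example-unmaintained.jpi"   # hypothetical affected plugin
    : > "$d/other-plugin.hpi"           # hypothetical unaffected plugin
    echo "$d"
}

# Usage against a real instance (run as the jenkins user, then restart):
#   disable_jenkins_plugins /var/lib/jenkins/plugins "affected-plugin-id"
```

The marker-file approach is useful when the controller is already considered compromised or when you want the change versioned alongside the rest of the JENKINS_HOME configuration; the equivalent online path is the jenkins-cli disable-plugin command. Either way, re-run a check like plugin_is_disabled after the restart, and remember that disabling a plugin does not remove jobs that depended on it.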
Current thread:
- Multiple vulnerabilities in Jenkins plugins Daniel Beck (Apr 12)
- Re: Multiple vulnerabilities in Jenkins plugins Demi Marie Obenour (Apr 13)
- Re: Multiple vulnerabilities in Jenkins plugins Henri Salo (Apr 13)
- <Possible follow-ups>
- Multiple vulnerabilities in Jenkins plugins Daniel Beck (May 16)