Re: Multiple vulnerabilities in Jenkins plugins

[Solar Designer <solar () openwall com>]

On Wed, Oct 29, 2025 at 04:19:55PM +0100, Sebastian Pipping wrote:
> On 10/29/25 14:03, Daniel Beck wrote:
> > Additionally, we announce unresolved security issues in the following
> > plugins:
> >
> > * Azure CLI Plugin
> > * ByteGuard Build Actions Plugin
> > * Curseforge Publisher Plugin
> > * Eggplant Runner Plugin
> > * Extensible Choice Parameter Plugin
> > * JDepend Plugin
> > * Nexus Task Runner Plugin
> > * OpenShift Pipeline Plugin
> > * Publish to Bitbucket Plugin
> > * Start Windocks Containers Plugin
> > * Themis Plugin
>
> For anyone else who also wonders about the combination of announcing 
> without a fix (and the motivation or story behind it), I found
> https://www.jenkins.io/security/plugins/#unresolved for a documented
> answer.

Thanks.  Posting this answer directly in here for those too busy to
visit links and for archival, as taken from the Markdown source:

https://raw.githubusercontent.com/jenkins-infra/jenkins.io/refs/heads/master/content/security/plugins.adoc

> == Announcing Unresolved Vulnerabilities
>
> In case of a plugin vulnerability, we try to contact the plugin maintainer(s) to inform them of it.
> If they decline (or otherwise fail) to fix the vulnerability, or don't respond in a timely manner, and the security 
> team doesn't have the capacity to fix it, we follow the process outlined below in the interest of our users:
>
> . Publish a security advisory about the plugin, describing the nature of the vulnerability, but noting that there is 
> no fix (other than no longer using the plugin).
>   If there are workarounds, explain them.
> . In some cases of particularly severe vulnerabilities, link:#suspensions[stop publishing the vulnerable plugin on 
> the Jenkins update sites].
> . Add metadata to update sites to inform administrators on the Jenkins UI about vulnerable plugins they have 
> installed.
> . Display security warnings on https://plugins.jenkins.io/[the plugins site].
>
> This allows Jenkins administrators to make an informed decision about their continued use of plugins with unresolved 
> security vulnerabilities.
>
> == Following Up Later
>
> Some maintainers end up fixing security vulnerabilities after we have announced it as unresolved in their plugin.
> This can be any time between hours and years after publication.
>
> In those cases, security advisories will _not_ be amended, as the information provided was correct at the time of 
> publication.
> Additionally, the security advisory will be clear that the lack of a fix is only known "_as of publication of this 
> advisory_".
>
> We will update the security warnings metadata that is shown to administrators in Jenkins and on 
> https://plugins.jenkins.io/[the plugins site].
> Maintainers can inform us through Jira or email about a fix or 
> https://github.com/jenkins-infra/update-center2/#security-warnings[file a pull request updating the warnings 
> metadata] themselves.
> Once we confirm the fix is correct and complete, we will update the published warnings metadata.
> This will remove the active security warning from the plugin entry on the plugins site and from the plugin manager 
> directly in Jenkins.

Alexander