Owen Wood created an issue
Jenkins / JENKINS-32759
Update bundled Groovy version
Issue Type: Improvement
Assignee: Unassigned
Components: core
Created: 04/Feb/16 2:02 AM
Priority: Minor
Reporter: Owen Wood
We were evaluating a plugin that uses Groovy and discovered the version of Groovy it uses has a published security advisory. Digging further we found it was actually core Jenkins that provides Groovy. Our analysis:
The groovy version in use (1.8.9) does have a security advisory (https://www.cvedetails.com/cve/CVE-2015-3253/). In all likelihood this is not patched; Apache (http://www.groovy-lang.org/security.html) is hands-off prior to their takeover of 2.4.4. However, this version is not an issue with the plugin itself; the version is specified by Jenkins' POMs. In this case, the plugin uses 1.565.3 and gets groovy 1.8.9 transitively; even the very latest POM/API (1.585) is still at 1.8.9. It follows that every plugin already installed utilizing groovy, and likely Jenkins core, is equally vulnerable. The vulnerability can be mitigated, if desired, by setting security policies (groovy is held to those policies just like 'regular' Java).
We are asking for Jenkins to upgrade the provided Groovy version:
https://github.com/jenkinsci/jenkins/blob/master/core/pom.xml#L44
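The report above turns on the fact that a plugin's POM never mentions Groovy at all: the version is inherited from the Jenkins parent POM, so auditing the plugin alone tells you nothing. The following Python script is an added example, not code from this issue or from the Jenkins project. It pulls the pinned `org.codehaus.groovy:groovy(-all)` version out of a POM (resolving `${...}` property placeholders) and checks it against the range CVE-2015-3253 covers, Groovy 1.7.0 up to but not including the 2.4.4 fix. Both POMs embedded in it are constructed samples that imitate the shape of a core POM and a plugin POM; the version numbers and function names are illustrative and not taken from the real files.

```python
"""Audit which Groovy version a Maven POM pins and whether CVE-2015-3253 applies.

Added example, not part of JENKINS-32759 or of Jenkins itself.
"""
import re
import xml.etree.ElementTree as ET

# CVE-2015-3253 affects Apache Groovy 1.7.0 through 2.4.3; fixed in 2.4.4.
FIRST_AFFECTED = (1, 7, 0)
FIXED_IN = (2, 4, 4)

_PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")

# Constructed sample in the shape of Jenkins core's POM (versions illustrative).
SAMPLE_CORE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <groovy.version>1.8.9</groovy.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.codehaus.groovy</groupId>
      <artifactId>groovy-all</artifactId>
      <version>${groovy.version}</version>
    </dependency>
  </dependencies>
</project>"""

# Constructed sample plugin POM: it inherits from the Jenkins parent and says
# nothing about Groovy, which is exactly why auditing it alone finds nothing.
SAMPLE_PLUGIN_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <parent>
    <groupId>org.jenkins-ci.plugins</groupId>
    <artifactId>plugin</artifactId>
    <version>1.565.3</version>
  </parent>
  <artifactId>example-groovy-plugin</artifactId>
</project>"""


def _local(tag):
    """Strip the XML namespace so namespaced and bare POMs are handled alike."""
    return tag.rsplit("}", 1)[-1]


def parse_version(text):
    """'2.4.4-SNAPSHOT' -> (2, 4, 4): compare only the numeric dotted prefix."""
    match = re.match(r"(\d+(?:\.\d+)*)", text.strip())
    if not match:
        raise ValueError("unparseable version: %r" % text)
    return tuple(int(part) for part in match.group(1).split("."))


def is_vulnerable(version):
    """True when the version lies in the CVE-2015-3253 range [1.7.0, 2.4.4)."""
    return FIRST_AFFECTED <= parse_version(version) < FIXED_IN


def _properties(root):
    """Collect <properties> children as a name -> value map."""
    props = {}
    for element in root.iter():
        if _local(element.tag) == "properties":
            for prop in element:
                props[_local(prop.tag)] = (prop.text or "").strip()
    return props


def _expand(value, props):
    """Resolve ${name} placeholders from the POM's own properties (one level)."""
    return _PLACEHOLDER.sub(lambda m: props.get(m.group(1), m.group(0)), value)


def groovy_version(pom_text):
    """Return the version a POM declares for org.codehaus.groovy:groovy(-all), or None."""
    root = ET.fromstring(pom_text)
    props = _properties(root)
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        fields = {_local(child.tag): (child.text or "").strip() for child in dep}
        if (fields.get("groupId") == "org.codehaus.groovy"
                and fields.get("artifactId") in ("groovy", "groovy-all")
                and "version" in fields):
            return _expand(fields["version"], props)
    return None


def audit(pom_text):
    """(version, vulnerable); (None, None) means this POM does not pin Groovy itself."""
    version = groovy_version(pom_text)
    if version is None:
        return (None, None)
    return (version, is_vulnerable(version))


if __name__ == "__main__":
    for name, pom in (("core", SAMPLE_CORE_POM), ("plugin", SAMPLE_PLUGIN_POM)):
        print(name, audit(pom))
```

A `(None, None)` result for the plugin POM is the signal to walk up to the parent (here the 1.565.3 plugin parent and, through it, the core POM linked above) and run the same check there; the script deliberately does not fetch parents from the network, so it can be pointed at locally checked-out POMs.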