Jenkins uses the Stapler web framework to render its UI views. These views are frequently comprised of several view fragments, enabling plugins to extend existing views with more content.
In some cases attackers could directly access a view fragment containing sensitive information, bypassing any permission checks in the corresponding view.
The Stapler web framework has been extended with a Service Provider Interface (SPI) that allows preventing views from being rendered. The implementation of that SPI in Jenkins now prevents view fragments from being rendered. Further details are available in the developer documentation.
This change is expected to impact existing functionality in some plugins. The most likely effect is that some URLs now return 404 Not Found
. In rare cases, the responses returned might not be 404 Not Found
, but still different than expected.
Affected plugins
The table below provides a list of plugin which were affected by the SECURITY-534 fix in Jenkins 2.176.2 and 2.186. "Status" column reflects the current state. Note that this list is not exhaustive.
If you encounter a plugin that no longer works as expected due to the fix, please add it to the list. If possible, include the necessary whitelist entry (or entries) to make the feature work.
More importantly, please file a bug report, if one doesn’t exist, to help ensure that the appropriate plugin maintainer is informed.
Plugin Name | Impact / behavior | Whitelist addition | Issue / Pull Request | Status |
---|---|---|---|---|
gerrit-trigger-plugin | "Data Error" when viewing Gerrit Server list | com.sonyericsson.hudson.plugins.gerrit.trigger.GerritManagement serverStatuses | JENKINS-58715 - Gerrit Trigger Plugin is affected by SECURITY-534 fix in Jenkins 2.176.2 and 2.186 Resolved | Fixed in 2.29.0 |