Jenkins : Plugins affected by the SECURITY-534 fix

Jenkins uses the Stapler web framework to render its UI views. These views are frequently comprised of several view fragments, enabling plugins to extend existing views with more content.

In some cases attackers could directly access a view fragment containing sensitive information, bypassing any permission checks in the corresponding view.

The Stapler web framework has been extended with a Service Provider Interface (SPI) that allows preventing views from being rendered. The implementation of that SPI in Jenkins now prevents view fragments from being rendered. Further details are available in the developer documentation.

This change is expected to impact existing functionality in some plugins. The most likely effect is that some URLs now return 404 Not Found. In rare cases, the responses returned might not be 404 Not Found, but still different than expected.

Affected plugins

The table below provides a list of plugin which were affected by the SECURITY-534 fix in Jenkins 2.176.2 and 2.186. "Status" column reflects the current state. Note that this list is not exhaustive.

If you encounter a plugin that no longer works as expected due to the fix, please add it to the list. If possible, include the necessary whitelist entry (or entries) to make the feature work.

More importantly, please file a bug report, if one doesn’t exist, to help ensure that the appropriate plugin maintainer is informed.

Plugin NameImpact / behaviorWhitelist additionIssue / Pull RequestStatus
gerrit-trigger-plugin"Data Error" when viewing Gerrit Server listcom.sonyericsson.hudson.plugins.gerrit.trigger.GerritManagement serverStatuses

JENKINS-58715 - Gerrit Trigger Plugin is affected by SECURITY-534 fix in Jenkins 2.176.2 and 2.186 Resolved

Fixed in 2.29.0