Jenkins : Script Security Support in Plugins

This is not an issue tracker replacement

If you suspect that you found a vulnerability in a plugin, please report it to the Jenkins security team as described here: https://jenkins.io/security/#reporting-vulnerabilities

This page lists Jenkins plugins that implement scripting-related features, and the state of their integration with the Script Security plugin (where integration is needed). While it is possible for a plugin to be safe to use without integrating with Script Security (for example, by only enabling scripting features when Jenkins security is disabled, or by properly restricting those features to users with the Run Scripts permission), integrating with Script Security is a common, proven approach.

For each listed plugin, the following information is tracked:

  • The state of the vulnerability in the current release:
    • Never indicates that the plugin has not been found to be affected by a major scripting-related vulnerability, despite offering scripting-related features, or that it has been integrated with the Script Security plugin from the start.
    • Fixed indicates that the plugin used to have a scripting-related vulnerability that has since been fixed and released (typically by integrating with Script Security).
    • Admin Only indicates that the plugin does not distinguish properly between the Administer and Run Scripts permissions, which is only relevant in specific situations, such as hosted Jenkins environments. While this is, strictly speaking, a vulnerability, most Jenkins administrators will not be affected.
    • Yes indicates that current releases of this plugin are considered to be affected by a known, public scripting-related security vulnerability.

More information:


Plugin ID | Plugin Name | Scripting Vulnerability? | Tracking Issue | Script Security Supported Since | Comments
--- | --- | --- | --- | --- | ---
AdaptivePlugin | Adaptive DSL | Yes | SECURITY-457 | - |
app-detector | Application Detector | Admin Only (1.0.2+); Yes (1.0.0 and 1.0.1) | SECURITY-494 | - |
artifactdeployer | Artifact Deployer | Yes | SECURITY-294 | - |
build-flow-plugin | Build Flow | Yes | SECURITY-293 | - |
cas-plugin | CAS | Fixed | SECURITY-488 | 1.4.0, released 2017-05-09 |
cas1 | CAS protocol version 1 | Yes | SECURITY-491 | - |
claim | Claim | Fixed | JENKINS-43811 | 2.10, released 2017-11-08 |
cvs-tag | CVS Tagging | Yes | SECURITY-459 | - |
database-mysql | MySQL Database | Never | - | - |
dynamicparameter | Dynamic Parameter | Yes | SECURITY-462 | - |
email-ext | Email Extension | Fixed | SECURITY-257 | 2.57.2, released 2017-04-10 |
envinject | Environment Injector | Fixed | SECURITY-256 | 2.0, released 2017-04-10 |
extended-choice-parameter | Extended Choice Parameter | Fixed | SECURITY-187 | 1.63, released 2016-04-05 |
extensible-choice-parameter | Extensible Choice Parameter | Fixed | SECURITY-123 | 2.4.0, released 2017-04-10 |
extreme-notification | Extreme Notification | Admin Only | SECURITY-492 | - |
grails | Grails | Yes | SECURITY-458 | - |
groovy | Groovy | Fixed | SECURITY-292 | 2.0, released 2017-04-10 |
groovy-label-assignment | Groovy Label Assignment | Fixed | JENKINS-27535 | 1.2.0, released 2016-05-08 |
groovy-postbuild | Groovy Postbuild | Fixed | JENKINS-15212 | 2.0, released 2014-09-21 |
groovyaxis | GroovyAxis | Yes | SECURITY-460 | - |
integrity-plugin | PTC Integrity CM | Yes | SECURITY-176 | - |
job-dsl | Job DSL | Fixed | SECURITY-369 | 1.60, released 2017-04-10 |
lockable-resources | Lockable Resources | Fixed | SECURITY-368 | 2.0, released 2017-04-10 |
matrix-combinations-parameter | Matrix Combinations Parameter | Never | - | - | Depends on Matrix Project for this functionality
matrix-project | Matrix Project | Fixed | SECURITY-125 | 1.2.1 and 1.4.1, released 2015-02-27 |
naginator | Naginator | Never | - | - |
ontrack | Ontrack | Yes | SECURITY-495 | - |
postbuildscript | Post-Build Script | Yes | SECURITY-295 | - |
proc-cleaner-plugin | Process Cleaner | Yes | SECURITY-489 | - |
reactor-plugin | Reactor | Yes | SECURITY-487 | - |
script-scm | Script SCM | Yes | SECURITY-461 | - |
scriptler | Scriptler | Admin Only | SECURITY-367 | - |
scripttrigger | ScriptTrigger | Yes | SECURITY-456 | - |
seed | Seed | Yes | SECURITY-486 | - |
shared-objects | Shared Objects | Admin Only | SECURITY-493 | - |
splunk-devops | Splunk | Fixed | SECURITY-479 | 1.5.3, released 2017-07-25 |
splunk-devops-extend | Splunk Extension | Fixed | SECURITY-496 | 1.5.0, released 2017-04-16 |
svn-tag | Subversion Tagging | Yes | SECURITY-298 | - |
tcl | tcl | Yes | SECURITY-379 | - |
uno-choice | Active Choices | Fixed | JENKINS-28732 | 1.5.1, released 2016-11-11 |
warnings | Warnings | Fixed | SECURITY-297, SECURITY-405 | 4.61, released 2017-04-10 |
workflow-cps | Pipeline: Groovy | Never | - | - | This includes the Pipeline suite of plugins more broadly.
youtrack-plugin | Youtrack | Yes | SECURITY-464 | - |