2 votes

I was on Jenkins version 2.176 using the standalone war.

I then got a security vulnerability alert for plugins here: https://jenkins.io/security/advisory/2020-03-09/

I then decided to update Jenkins, so I downloaded and started Jenkins with the latest version: Jenkins ver. 2.224.

I then updated all the plugins and restarted.

However, under Monitors, I see two notifications.

The first notification says:

"You have data stored in an older format and/or unreadable data."


The second notification says:

"Warnings have been published for the following currently installed components."

  • Build Pipeline Plugin 1.5.8: Stored XSS vulnerability
  • Environment Injector Plugin 2.3.0: Exposure of sensitive build variables stored by EnvInject 1.90 and earlier


Under the plugin Updates tab I don't find any plugins listed for updates!

Can you please suggest how I can overcome both these issues?

1 Answer

2 votes

There are no new versions of the vulnerable plugins available as of today.

The XSS vulnerability for the Build Pipeline Plugin is only exploitable on Jenkins releases older than 2.146 or 2.138.2.

For the Environment Injector Plugin Vulnerability:

To prevent the further exposure of sensitive build variables, we recommend that you take the following steps if you are affected by this:

  • Disable the visualization of Injected Environment variables in the global configuration. After this change the data will be accessible only to those ones who have access to raw build.xml files. This is a reversible action that can be applied immediately, and can be reverted once you’ve purged the data on disk (below).
  • Remove the sensitive data from disk by manually removing corresponding entries from injectedEnvVars.txt files, or deleting the injectedEnvVars.txt files in old build directories.
  • Rotate all secrets that have potentially been exposed

(from the Security Advisory 2018-02-26)
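The disk clean-up step of the quoted advisory, as an added example that is not part of the answer above and not code from Jenkins or the EnvInject plugin: a POSIX shell script that finds every injectedEnvVars.txt under a JENKINS_HOME (including jobs nested in folders), either redacts the values whose variable name matches a pattern or deletes the files outright, and reports what it did. It assumes the standard layout jobs/<job>/builds/<number>/injectedEnvVars.txt; the demo JENKINS_HOME, its job names and the variable contents are constructed for the demonstration. Run it with Jenkins stopped and against a backed-up JENKINS_HOME, and rotate the exposed secrets afterwards, as the advisory says.

```shell
#!/bin/sh
# Added example (not part of the original answer or of the EnvInject plugin):
# locate and clean up the injectedEnvVars.txt files that EnvInject 1.90 and
# earlier wrote into build directories. Run with Jenkins stopped, against a
# backed-up JENKINS_HOME. Layout assumed: jobs/<job>/builds/<number>/injectedEnvVars.txt
# (jobs inside Folders nest further jobs/ directories, hence the recursive find).
set -eu

# Print every injectedEnvVars.txt under the JENKINS_HOME given as $1, one per line.
list_injected_env_files() {
  find "$1" -type f -path '*/builds/*' -name 'injectedEnvVars.txt' | sort
}

# Count them (whitespace trimmed so the result can be compared with -eq).
count_injected_env_files() {
  list_injected_env_files "$1" | wc -l | tr -d ' '
}

# Option A from the advisory: remove the sensitive entries but keep the file.
# $1 = file, $2 = extended regex matched against the variable NAME (the text
# before the first '='); matching lines keep the name and get a <redacted> value,
# all other lines (including values that themselves contain '=') pass through.
scrub_injected_env_file() {
  file="$1"; pattern="$2"
  tmp="$(mktemp)"
  awk -F= -v pat="$pattern" '
    $1 ~ pat { print $1 "=<redacted>"; next }
    { print }
  ' "$file" > "$tmp"
  mv "$tmp" "$file"
}

# Option B from the advisory: delete the files in old build directories.
# Prints the number of files removed.
delete_injected_env_files() {
  n="$(count_injected_env_files "$1")"
  list_injected_env_files "$1" | while IFS= read -r f; do
    rm -f -- "$f"
  done
  echo "$n"
}

# Constructed JENKINS_HOME for the demonstration: two builds of a top-level job
# and one build of a job nested inside a folder, each with made-up variables.
make_demo_jenkins_home() {
  home="$(mktemp -d)"
  for b in 1 2; do
    mkdir -p "$home/jobs/deploy/builds/$b"
    printf 'BUILD_ID=%s\nDB_PASSWORD=hunter2\nAPI_TOKEN=abc=123\nJOB_NAME=deploy\n' "$b" \
      > "$home/jobs/deploy/builds/$b/injectedEnvVars.txt"
  done
  mkdir -p "$home/jobs/team/jobs/test/builds/7"
  printf 'BUILD_ID=7\nJOB_NAME=team/test\n' \
    > "$home/jobs/team/jobs/test/builds/7/injectedEnvVars.txt"
  echo "$home"
}

# Usage (the functions above are the reusable part; point them at the real
# JENKINS_HOME instead of the demo one):
#   JENKINS_HOME="$(make_demo_jenkins_home)"
#   list_injected_env_files "$JENKINS_HOME"
#   scrub_injected_env_file "$JENKINS_HOME/jobs/deploy/builds/1/injectedEnvVars.txt" 'PASSWORD|TOKEN|SECRET|KEY'
#   delete_injected_env_files "$JENKINS_HOME"
```

Redacting (option A) keeps the build page's variable list readable while removing the values; deleting (option B) is the simpler choice for old builds nobody needs to inspect. Either way the hidden-visualization setting from the first advisory step is what protects builds that run before the clean-up finishes.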