Jenkins Plugin Installation Manager Tool did not verify plugin downloads
Critical severity
GitHub Reviewed
Published
May 24, 2022
to the GitHub Advisory Database
•
Updated Oct 27, 2023
Package
Affected versions
< 2.2.0
Patched versions
2.2.0
Description
Published by the National Vulnerability Database
Dec 3, 2020
Published to the GitHub Advisory Database
May 24, 2022
Reviewed
Sep 7, 2022
Last updated
Oct 27, 2023
Credits
-
westonsteimel Analyst
-
NotMyFault Analyst
-
tdunlap607 Analyst
Jenkins Plugin Installation Manager Tool is part of the Jenkins project Docker images. As
jenkins-plugin-cliit is used to download and install plugins even before Jenkins is running.Jenkins Plugin Installation Manager Tool 2.1.3 and earlier does not verify plugin downloads. This may allow third parties such as mirror operators to provide crafted plugin downloads.
Jenkins Plugin Installation Manager Tool 2.2.0 confirms that actual checksums of downloaded plugin match the expected checksums.
Docker images of Jenkins 2.269 and 2.263.1 contain Plugin Installation Manager Tool 2.2.0. Users of older Docker images can change the version they use by extending the Jenkins image and update the tool themselves with:
ARG PLUGIN_CLI_URL=https://github.com/jenkinsci/plugin-installation-manager-tool/releases/download/2.2.0/jenkins-plugin-manager-2.2.0.jar
RUN curl -fsSL ${PLUGIN_CLI_URL} -o /usr/lib/jenkins-plugin-manager.jar
Jenkinsfile Runner 1.0-beta-22 Docker images also include Plugin Installation Manager Tool 2.2.0.
References