Published by daniel-beck about 1 year ago
Published by bguerin almost 2 years ago
Full Changelog: https://github.com/jenkinsci/pipeline-maven-plugin/compare/pipeline-maven-3.11.1...pipeline-maven-3.11.2
Published by bguerin almost 2 years ago
Full Changelog: https://github.com/jenkinsci/pipeline-maven-plugin/compare/pipeline-maven-3.11.0...pipeline-maven-3.11.1
Published by aheritier about 4 years ago
Stored XSS vulnerability in upstream cause in Pipeline Maven Integration Plugin
Pipeline Maven Integration Plugin 3.9.2 and earlier does not escape the upstream job’s display name shown as part of a build cause.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
Pipeline Maven Integration Plugin 3.9.3 escapes upstream job names in build causes.
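The following is an added example written for this page, not the plugin's own code, showing the shape of the bug and of the fix described above. A build Cause records which upstream job triggered the build; the upstream job's display name is controlled by anyone holding Job/Configure on that job, so it must be escaped before it becomes part of the HTML the downstream build page emits. The class, field and method names (ExampleUpstreamCause, getUnescapedShortDescription) are assumptions for illustration; hudson.Util.escape is the Jenkins core helper that turns `<`, `>`, `&` and quotes into entities.

```java
// Added example, not the plugin's own code. Class and method names are
// assumptions for illustration.
package example;

import hudson.Util;
import hudson.model.Cause;
import hudson.model.Job;
import jenkins.model.Jenkins;

public class ExampleUpstreamCause extends Cause {

    private final String upstreamJobFullName;   // stable identifier, not user-facing
    private final int upstreamBuildNumber;

    public ExampleUpstreamCause(String upstreamJobFullName, int upstreamBuildNumber) {
        this.upstreamJobFullName = upstreamJobFullName;
        this.upstreamBuildNumber = upstreamBuildNumber;
    }

    // Resolves the upstream job's current display name, which any user with
    // Job/Configure on that job can set to arbitrary text; falls back to the
    // full name if the job has been deleted.
    private String upstreamDisplayName() {
        Job<?, ?> job = Jenkins.get().getItemByFullName(upstreamJobFullName, Job.class);
        return job == null ? upstreamJobFullName : job.getDisplayName();
    }

    // Vulnerable shape (3.9.2 and earlier, per the advisory): the raw display
    // name is concatenated into a description that is rendered as HTML, so a
    // display name such as <img src=x onerror=alert(1)> runs in the browser of
    // every user who opens the downstream build page (stored XSS).
    public String getUnescapedShortDescription() {
        return "Started by upstream build #" + upstreamBuildNumber
                + " of " + upstreamDisplayName();
    }

    // Fixed shape (3.9.3): escape the attacker-controlled name before it is
    // placed in markup. The payload above becomes &lt;img src=x ...&gt; and is
    // shown as text instead of being interpreted as a tag.
    @Override
    public String getShortDescription() {
        return "Started by upstream build #" + upstreamBuildNumber
                + " of " + escapeDisplayName(upstreamDisplayName());
    }

    // Kept separate so the escaping can be exercised without a running Jenkins.
    public static String escapeDisplayName(String displayName) {
        return Util.escape(displayName);
    }
}
```

The escaping has to happen at the point where the string is emitted into HTML; escaping on input does not help, because the display name is legitimately stored unescaped and is rendered in several places. When the cause has its own `description.jelly`, the same rule applies there: interpolate the name with Jelly's `${...}` (which escapes) rather than `<j:out>`.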
Published by aheritier about 4 years ago
https://www.jenkins.io/security/advisory/2020-08-12/
SECURITY-1794 (1) / CVE-2020-2233
Pipeline Maven Integration Plugin 3.8.2 and earlier does not perform a permission check in an HTTP endpoint.
This allows attackers with Overall/Read access to Jenkins to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.
Pipeline Maven Integration Plugin 3.8.3 requires the appropriate permissions to enumerate credentials IDs.
SECURITY-1794 (2) / CVE-2020-2234 (permission check), CVE-2020-2235 (CSRF)
Pipeline Maven Integration Plugin 3.8.2 and earlier does not perform a permission check in a method implementing form validation.
This allows users with Overall/Read access to Jenkins to connect to an attacker-specified JDBC URL using attacker-specified credentials IDs obtained through another method, potentially capturing credentials stored in Jenkins.
Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.
Pipeline Maven Integration Plugin 3.8.3 requires POST requests and Job/Configure permission for the affected form validation method.
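The following is an added example written for this page, not the plugin's own code, showing the two endpoint shapes the advisories describe and how the 3.8.3 fixes close them: the credentials-ID dropdown filler (CVE-2020-2233) and the JDBC "test connection" form validation method (CVE-2020-2234 for the missing permission check, CVE-2020-2235 for the missing POST requirement). The class and the method and parameter names (ExampleJdbcConfiguration, doFillJdbcCredentialsIdItems, doValidateJdbcConnection, jdbcUrl, jdbcCredentialsId) are assumptions for illustration; the annotations, the credentials-plugin calls and the FormValidation API are the real Jenkins ones.

```java
// Added example, not the plugin's own code. Class, method and parameter
// names are assumptions for illustration.
package example;

import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardListBoxModel;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import hudson.Extension;
import hudson.Util;
import hudson.model.Item;
import hudson.security.ACL;
import hudson.util.FormValidation;
import hudson.util.ListBoxModel;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Collections;

@Extension
public class ExampleJdbcConfiguration extends GlobalConfiguration {

    // Job/Configure when the form belongs to a job (item != null);
    // Overall/Administer when it is the global configuration page.
    private static boolean mayConfigure(Item item) {
        return item != null ? item.hasPermission(Item.CONFIGURE)
                            : Jenkins.get().hasPermission(Jenkins.ADMINISTER);
    }

    private static void checkConfigure(Item item) {
        if (item != null) {
            item.checkPermission(Item.CONFIGURE);
        } else {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        }
    }

    // CVE-2020-2233 shape: without the guard, any Overall/Read user can request
    // .../doFillJdbcCredentialsIdItems and read every credentials ID in scope.
    // With the guard, callers lacking the permission only get back the value
    // already in the form, so the UI still round-trips but leaks nothing.
    public ListBoxModel doFillJdbcCredentialsIdItems(@AncestorInPath Item item,
                                                     @QueryParameter String jdbcCredentialsId) {
        StandardListBoxModel model = new StandardListBoxModel();
        if (!mayConfigure(item)) {
            return model.includeCurrentValue(jdbcCredentialsId);
        }
        return model.includeEmptyValue()
                .includeMatchingAs(ACL.SYSTEM, item, StandardUsernamePasswordCredentials.class,
                        Collections.emptyList(), CredentialsMatchers.always())
                .includeCurrentValue(jdbcCredentialsId);
    }

    // CVE-2020-2234 / CVE-2020-2235 shape, hardened. Without @POST a GET link on
    // an attacker's page makes a logged-in user's browser trigger the method
    // (CSRF); without the permission check any Overall/Read user may call it.
    // Either path makes Jenkins open a connection to a caller-chosen JDBC URL
    // with a stored credential, i.e. send that credential to the attacker's
    // server. @POST makes Stapler reject non-POST requests and enforce the
    // CSRF crumb, and the permission check runs before anything is resolved.
    @POST
    public FormValidation doValidateJdbcConnection(@AncestorInPath Item item,
                                                   @QueryParameter String jdbcUrl,
                                                   @QueryParameter String jdbcCredentialsId) {
        checkConfigure(item);
        jdbcUrl = Util.fixEmptyAndTrim(jdbcUrl);
        jdbcCredentialsId = Util.fixEmptyAndTrim(jdbcCredentialsId);
        if (jdbcUrl == null || !jdbcUrl.startsWith("jdbc:")) {
            return FormValidation.error("JDBC URL must start with jdbc:");
        }
        if (jdbcCredentialsId == null) {
            return FormValidation.error("Credentials are required");
        }
        StandardUsernamePasswordCredentials creds = CredentialsMatchers.firstOrNull(
                CredentialsProvider.lookupCredentials(StandardUsernamePasswordCredentials.class,
                        item, ACL.SYSTEM, Collections.emptyList()),
                CredentialsMatchers.withId(jdbcCredentialsId));
        if (creds == null) {
            return FormValidation.error("No credentials found with ID " + jdbcCredentialsId);
        }
        try (Connection c = DriverManager.getConnection(jdbcUrl,
                creds.getUsername(), creds.getPassword().getPlainText())) {
            return FormValidation.ok("Connected to " + c.getMetaData().getDatabaseProductName());
        } catch (SQLException e) {
            return FormValidation.error(e, "Connection failed");
        }
    }
}
```

The two checks are independent and both are needed: the permission check alone still lets an attacker's web page drive an administrator's browser into calling the endpoint with the attacker's JDBC URL, and `@POST` alone still lets any logged-in reader call it directly. What remains after the fix is that a user who already holds Job/Configure can test a credential against a server of their choosing, which is the same trust Jenkins already grants such users when they bind credentials in a job, so credential scoping and folder-level credentials are what limit the blast radius from there.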
(i) The Pipeline Maven Plugin now requires the "H2 API Plugin" to be installed. This is done transparently if the master is connected to the Internet.
JENKINS-57543 Support PostgreSQL database
JENKINS-57605 Use the "H2 API Plugin" to load H2
Download URL: https://repo.jenkins-ci.org/releases/org/jenkins-ci/plugins/pipeline-maven/3.7.0-beta-1/pipeline-maven-3.7.0-beta-1.hpi
Download URL: https://repo.jenkins-ci.org/releases/org/jenkins-ci/plugins/pipeline-maven/3.6.15-beta-1/pipeline-maven-3.6.15-beta-1.hpi
withMaven(){...} is running in docker.image("").inside{...}