
jenkins - Issue updating Jenkins plugins

Reposted. Author: 行者123. Updated: 2023-12-04 10:26:47

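I am using Jenkins version 2.176 with the standalone war.

Then I received a security vulnerability alert for plugins here: https://jenkins.io/security/advisory/2020-03-09/

Then I decided to update Jenkins, so I downloaded the latest version and started Jenkins with it: Jenkins ver. 2.224

Then I updated all the plugins and restarted.

However, under the monitor, I see two notifications.

The first notification says: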

"You have data stored in an older format and/or unreadable data."



The second notification says:

"Warnings have been published for the following currently installed components."

  • Build Pipeline Plugin 1.5.8: Stored XSS vulnerability
  • Environment Injector Plugin 2.3.0: Exposure of sensitive build variables stored by EnvInject 1.90 and earlier



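Under the plugin updates tab, I did not find any plugin updates listed!

Can you suggest how I can overcome these two issues?

Best answer

As of today, there are no new versions of the vulnerable plugins available.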

The XSS Vulnerability for the Build Pipeline Plugin is only exploitable on Jenkins releases older than 2.146 or 2.138.2

For the Environment Injector Plugin vulnerability:

To prevent the further exposure of sensitive build variables, we recommend that you take the following steps if you are affected by this:

  • Disable the visualization of Injected Environment variables in the global configuration. After this change the data will be accessible only to those ones who have access to raw build.xml files. This is a reversible action that can be applied immediately, and can be reverted once you’ve purged the data on disk (below).
  • Remove the sensitive data from disk by manually removing corresponding entries from injectedEnvVars.txt files, or deleting the injectedEnvVars.txt files in old build directories.
  • Rotate all secrets that have potentially been exposed


From Security Advisory 2018-02-26
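The disk clean-up and rotation steps quoted above can be scripted; the following is an added example, not part of the original answer or of the Jenkins advisory. It assumes `injectedEnvVars.txt` holds one `NAME=VALUE` entry per line and that secret-bearing names match the `SENSITIVE_NAME` pattern; the pattern, the function names and the sample job layout are all hypothetical.

```python
import re
import tempfile
from pathlib import Path

# Assumption: names matching this pattern hold secrets; adjust to your own naming.
SENSITIVE_NAME = re.compile(r"PASS|SECRET|TOKEN|API_?KEY|CREDENTIAL", re.I)

def is_sensitive(line):
    """True for a NAME=VALUE line whose NAME looks like a secret."""
    name, sep, _ = line.partition("=")
    return bool(sep) and bool(SENSITIVE_NAME.search(name))

def scan(jenkins_home):
    """Map each injectedEnvVars.txt under jenkins_home to its sensitive names."""
    report = {}
    for path in sorted(Path(jenkins_home).rglob("injectedEnvVars.txt")):
        lines = path.read_text(errors="replace").splitlines()
        names = [l.partition("=")[0].strip() for l in lines if is_sensitive(l)]
        if names:
            report[path] = names
    return report

def purge(jenkins_home, dry_run=True):
    """Remove sensitive entries; return sorted names whose secrets need rotating."""
    report = scan(jenkins_home)
    if not dry_run:
        for path in report:
            lines = path.read_text(errors="replace").splitlines()
            kept = [l for l in lines if not is_sensitive(l)]
            path.write_text("\n".join(kept) + "\n")
    return sorted({n for names in report.values() for n in names})

def make_sample_home(root):
    """Constructed sample data: one old build directory of a hypothetical job."""
    build = Path(root) / "jobs" / "demo-job" / "builds" / "12"
    build.mkdir(parents=True)
    (build / "injectedEnvVars.txt").write_text(
        "BUILD_NUMBER=12\nDB_PASSWORD=constructed-value\nDEPLOY_TOKEN=constructed-value\n")
    return build / "injectedEnvVars.txt"

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as home:
        make_sample_home(home)
        print("would remove:", purge(home, dry_run=True))
        print("removed:", purge(home, dry_run=False))
```

Run it with `dry_run=True` against a copy of the Jenkins home first; the returned names are the list of secrets to rotate.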

Regarding "jenkins - Issue updating Jenkins plugins", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/60611851/
