I am using Jenkins version 2.176 as a standalone war.
Then I received a security vulnerability alert for plugins here: https://jenkins.io/security/advisory/2020-03-09/
So I decided to update Jenkins, and downloaded and started Jenkins with the latest version: Jenkins version 2.224.
Then I updated all plugins and restarted.
However, under Monitor I see two notifications.
第一个通知说:
"You have data stored in an older format and/or unreadable data."
第二个通知显示:
"Warnings have been published for the following currently installed components."
- Build Pipeline Plugin 1.5.8: Stored XSS vulnerability
- Environment Injector Plugin 2.3.0: Exposure of sensitive build variables stored by EnvInject 1.90 and earlier
Under the plugin updates tab, I do not find any plugin to update!!
Could you please advise how I can overcome these two issues?
Best answer
As of now, no new versions of the vulnerable plugins are available.
For the Environment Injector plugin vulnerability:
To prevent the further exposure of sensitive build variables, we recommend that you take the following steps if you are affected by this:
- Disable the visualization of Injected Environment variables in the global configuration. After this change the data will be accessible only to those ones who have access to raw build.xml files. This is a reversible action that can be applied immediately, and can be reverted once you’ve purged the data on disk (below).
- Remove the sensitive data from disk by manually removing corresponding entries from injectedEnvVars.txt files, or deleting the injectedEnvVars.txt files in old build directories.
- Rotate all secrets that have potentially been exposed
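The second step above (removing the stored variables from disk) is the one that can be scripted. The following is an added example, not code from the original post or from the EnvInject project: it locates every injectedEnvVars.txt left in build directories under a Jenkins home and deletes them, with a dry-run mode to review the list first. The jobs/<job>/builds/<number>/ layout is standard Jenkins; the JENKINS_HOME argument and the DRY_RUN variable are assumptions of this example. It removes whole files rather than individual entries, which is the second option the advisory gives.

```shell
#!/bin/sh
# Added example (not from the original Q&A or the EnvInject project).
# Purges injectedEnvVars.txt files from old build directories under a
# Jenkins home, as recommended in the 2020-03-09 advisory.
# Assumptions: the Jenkins home path is passed as $1 and DRY_RUN=1 only lists.

# Print every injectedEnvVars.txt found under a Jenkins home, one per line.
list_injected_env_files() {
    find "$1" -type f -path '*/builds/*/injectedEnvVars.txt'
}

# Count those files (used to verify a purge actually emptied the tree).
count_injected_env_files() {
    list_injected_env_files "$1" | wc -l | tr -d ' '
}

# Delete the files. With DRY_RUN=1 nothing is removed; the candidates are
# printed so the operator can review them before the real run.
purge_injected_env_files() {
    jenkins_home="$1"
    if [ "${DRY_RUN:-0}" = "1" ]; then
        list_injected_env_files "$jenkins_home"
    else
        # -exec ... + passes the paths to rm in batches and copes with spaces.
        find "$jenkins_home" -type f -path '*/builds/*/injectedEnvVars.txt' \
            -print -exec rm -f {} +
    fi
}

# Usage (assumed path):  DRY_RUN=1 sh purge_envinject.sh /var/lib/jenkins
# then, once the list looks right:  sh purge_envinject.sh /var/lib/jenkins
```

Run it first with DRY_RUN=1 on a stopped or quiet controller, keep the printed list as a record of which builds held exposed values, and only then run the purge; the rotation of the secrets themselves (the third step) still has to be done in whatever systems those credentials belong to.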
Regarding "jenkins - Issue updating Jenkins plugins", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/60611851/