Apache Commons Text vulnerability CVE-2022-42889

Does the vulnerability CVE-2022-42889, a.k.a. Text4shell, affect Jenkins?

Quoting @wfollonier’s reply from Jira:

For your information, the security team invested some time assessing this CVE. The conclusion is that no plugin in the Jenkins ecosystem is impacted.
This means that updating that dependency is only to comply with scanners, not for security reasons.

@hafees We have a process for reporting vulnerabilities. This is the preferred way to discuss vulnerabilities. Doing that in public is not a good idea by default.

Thanks Alex for the quote.

Now, just to be explicit, I do not plan to publish a blog post about the vulnerability. As Apache explained directly, the requirements to be impacted are not as common as for Log4Shell, despite the critical score.
