Build Pipeline Plugin Security Warning on Jenkins 2.479.1

Hello,

I’m relatively new to Jenkins and still learning the ins and outs of managing a Jenkins instance.

I updated a Jenkins instance from version 2.303.3 to the latest LTS version (2.479.1). However, I am still seeing a security warning about the Build Pipeline Plugin 2.0.2 having a Stored XSS vulnerability (SECURITY-879 / CVE-2019-10373).

Build Pipeline Plugin 2.0.2
Stored XSS vulnerability (no fix available)
No fixes for these issues are available. It is recommended that you review the security advisory and apply mitigations if possible, or uninstall this plugin.

According to the security advisory, this vulnerability is only exploitable on Jenkins releases older than 2.146 or 2.138.2, due to security hardening implemented in those versions. Since I’m now running Jenkins 2.479.1, which is far beyond the affected versions, I’m confused as to why this warning persists.

I primarily use this plugin to visualize and monitor a suite of FreeStyle projects, including the root project and its downstream jobs.

Given the circumstances, I’m looking for advice on the best way forward:

  1. Ignore and hide the security warning: This seems low-risk given my current Jenkins version, but it may expose my instance if future regressions in Jenkins core make this vulnerability exploitable again.
  2. Replace the plugin: If this is recommended, what alternative would you suggest for monitoring and visualizing FreeStyle project pipelines?

I appreciate any insights or recommendations you can provide.

Thank you! 🙂
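As an added illustration (not part of the original post and not Jenkins' own code), the following Python snippet models how Jenkins' update center warnings are matched against installed components: each warning carries a component type (`core` or `plugin`), a component name and one or more regular expressions over that component's own version string. The matching rule shown (full regex match against the component's version, the core version for `core` warnings and the plugin version for `plugin` warnings) is my reading of the public update-center warnings format and is stated here as an assumption. The `SECURITY-879` entry uses the plugin name and version from the post with a constructed `.*` pattern; `CONSTRUCTED-CORE` is a placeholder for a core-type warning and does not correspond to any real advisory.

```python
"""Simplified model of how Jenkins update-center warnings are matched to
installed components. Constructed example; not code from Jenkins itself.

A warning names a component type ("core" or "plugin"), the component name
and regex patterns over that component's *own* version. A plugin warning is
evaluated against the plugin's version and never against the core version,
so a core upgrade on its own does not make a plugin warning go away.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class UCWarning:
    id: str                     # advisory identifier, e.g. SECURITY-879
    type: str                   # "core" or "plugin"
    name: str                   # plugin short name, or "core"
    message: str
    patterns: List[str]         # regexes over the component's version string
    fixed_in: Optional[str] = None   # last affected version if a fix exists


def affected(warning: UCWarning, version: str) -> bool:
    """True if `version` matches any of the warning's version patterns.

    Assumption: the update center uses a full match of each pattern against
    the version string, which is what re.fullmatch reproduces here.
    """
    return any(re.fullmatch(p, version) for p in warning.patterns)


def active_warnings(core_version: str,
                    plugins: Dict[str, str],
                    warnings: List[UCWarning]) -> List[Tuple[str, str, UCWarning]]:
    """Return (component, version, warning) for every warning that applies.

    `plugins` maps installed plugin short names to their installed versions.
    Core warnings are checked against `core_version`; plugin warnings only
    against the installed version of the named plugin (skipped if absent).
    """
    result = []
    for w in warnings:
        if w.type == "core":
            if affected(w, core_version):
                result.append(("core", core_version, w))
        elif w.type == "plugin":
            installed = plugins.get(w.name)
            if installed is not None and affected(w, installed):
                result.append((w.name, installed, w))
    return result


# Constructed sample warnings list. The first entry reuses the plugin name,
# version and advisory id from the post; the ".*" pattern is an assumption
# standing in for "all versions, no fix available". The second entry is a
# placeholder core-type warning, not a real advisory, included only to show
# that a core upgrade clears core warnings but not plugin warnings.
SAMPLE_WARNINGS = [
    UCWarning(
        id="SECURITY-879",
        type="plugin",
        name="build-pipeline-plugin",
        message="Stored XSS vulnerability (no fix available)",
        patterns=[r".*"],
        fixed_in=None,
    ),
    UCWarning(
        id="CONSTRUCTED-CORE",
        type="core",
        name="core",
        message="Placeholder core warning for illustration only",
        patterns=[r"2\.303\.[0-9]+"],
        fixed_in="2.303.3",
    ),
]

INSTALLED_PLUGINS = {"build-pipeline-plugin": "2.0.2"}


if __name__ == "__main__":
    for core in ("2.303.3", "2.479.1"):
        hits = active_warnings(core, INSTALLED_PLUGINS, SAMPLE_WARNINGS)
        print(f"Jenkins {core}:")
        for component, version, w in hits:
            print(f"  {w.id}: {component} {version}: {w.message}")
```

Running the block prints the placeholder core warning only for the 2.303.3 case, while the plugin warning appears for both core versions because it is keyed on the installed plugin version; a plugin warning with no `fixed_in` value is cleared only by removing or replacing the plugin.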