Hi Folks, Hope you are doing well.
I recently installed Jenkins on my Ubuntu EC2 instance
And updated the version from 2.401.2 to 2.440.3
after scanning the system I got an error Trojan:GenericKD.72346507 identified at locations: /var/lib/jenkins/plugins/durable-task/WEB-INF/lib/lib-durable-task-43.v0b_d629cd2b_0c.jar,/var/lib/jenkins/plugins/durable-task.jpi=>WEB-INF/lib/lib-durable-task-43.v0b_d629cd2b_0c.jar
Can anyone help me solve this issue? I'm eagerly awaiting your response. Thanks in advance!
Jenkins setup:
Jenkins version: 2.440.3
OS: Ubuntu 22.04
I am not 100% confident because we keep rescanning the dependency and we're getting the following results, with VirusTotal basically saying this package still has issues.
And these are the packages used in durable-task-plugin version 550.v0930093c4b_a_6
We do not consider the following issues to be vulnerabilities in Jenkins (core + plugins):
Claims of malware in Durable Task plugin or lib-durable-task unless substantiated (e.g., local builds from source are unaffected). Our best guess is that these tools consider the low-level process and signal handling and/or the bundling of native go binaries inside nested jar files in these components to be suspicious behavior. Please report this false positive finding to your anti-malware vendor.
The Jenkins security team does not accept vulnerability reports against the durable task plugin from virus scanners without additional evidence.
Tell the virus scanner vendor that they are reporting something that is not a virus and is not a vulnerability.
The file reported was modified on the 4th March 2026 and released in the 6th release, so the older comments on this are not relevant. We are still trying to understand this a little deeper, but 21 AV vendors are flagging it; we can see some obfuscation/packing in the dropped exes and some differential behaviour in sandboxes. Nothing definitive, but suspicious at this stage.
Hi @DM_InfosecTeam, we are experiencing the exact same problem with the new version of the plugin (664).
VirusTotal indicates it is infected, and we are unable to bypass it no matter what we do.
Why do you think that the older comments are not relevant? The durable task plugin still includes an executable built from go source code. Virus scanning vendors are still likely to incorrectly report that the nested binary or the nested jar file are suspicious.
The durable task plugin 664.v2b_e7a_dfff66c was released Wed Mar 4 20:45:51 2026 +0000 as built from source by the automated release process. It includes lib-durable-task library 79.v132950154068 and reports no issues or surprises in its release build log.
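The reply above points out that the plugin is built from source by an automated release and that a scanner verdict alone is not evidence. One way to substantiate a false-positive report to an AV vendor is to compare the native binaries bundled inside the nested jar of the downloaded .jpi against a local from-source build. The following is an added example, not code from the thread or from the plugin; the nested jar name and the binary entry name it builds for its sample are hypothetical placeholders, and the only assumption about the real layout is the `WEB-INF/lib/<nested jar>` path quoted in the thread.

```python
import hashlib
import io
import zipfile

# Constructed helper (not the plugin's own code): builds an in-memory .jpi that
# mirrors the layout quoted in the thread, WEB-INF/lib/<nested jar> with a
# native binary inside. Exists only so the example runs offline.
def build_sample_jpi(binary_bytes: bytes) -> bytes:
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("io/jenkins/plugins/lib/durable_task/Placeholder.class", b"\xca\xfe\xba\xbe")
        # hypothetical entry name for the bundled go binary
        jar.writestr("durable_task_monitor_windows_amd64.exe", binary_bytes)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as jpi:
        jpi.writestr("WEB-INF/lib/lib-durable-task-PLACEHOLDER.jar", inner.getvalue())
    return outer.getvalue()

def nested_binary_hashes(jpi_bytes: bytes) -> dict:
    """Map 'nested.jar!entry' -> sha256 for every non-class, non-META-INF entry
    in each jar under WEB-INF/lib; those entries are the bundled native
    binaries that scanners tend to flag."""
    result = {}
    with zipfile.ZipFile(io.BytesIO(jpi_bytes)) as jpi:
        for name in jpi.namelist():
            if not (name.startswith("WEB-INF/lib/") and name.endswith(".jar")):
                continue
            with zipfile.ZipFile(io.BytesIO(jpi.read(name))) as jar:
                for entry in jar.namelist():
                    if entry.endswith("/") or entry.endswith(".class") or entry.startswith("META-INF/"):
                        continue
                    result[f"{name}!{entry}"] = hashlib.sha256(jar.read(entry)).hexdigest()
    return result

def diff_hashes(downloaded: dict, local_build: dict) -> dict:
    """Entries whose digest differs or is missing on one side. An empty result
    means the downloaded nested binaries are byte-identical to the local build,
    which is the evidence to attach to a false-positive report."""
    keys = set(downloaded) | set(local_build)
    return {k: (downloaded.get(k), local_build.get(k))
            for k in keys if downloaded.get(k) != local_build.get(k)}

if __name__ == "__main__":
    # Replace the two sample archives with open("durable-task.jpi","rb").read()
    # for the downloaded plugin and the locally built one.
    got = nested_binary_hashes(build_sample_jpi(b"MZ" + b"\x00" * 64))
    built = nested_binary_hashes(build_sample_jpi(b"MZ" + b"\x00" * 64))
    print("mismatches:", diff_hashes(got, built))
```

A non-empty diff does not by itself prove malice (release builds can differ from local builds in embedded timestamps or toolchain versions), but a matching set of digests gives the vendor the substantiation the security team asks for.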
Still the case with update to Durable Task 664.v2b_e7a_dfff66c (from 651.v1f5e074fc83f)
Detected: Trojan:Win32/Etset!rfn
Status: Quarantined
Quarantined files are in a restricted area where they can't harm your device. They will be removed automatically.
Windows Defender removed file durable-task.jpi and I had to put it back manually
It doesn't inspire confidence in the security of the codebase. In response to the earlier queries about old issues: this relates to changes introduced 7 days ago, with different hashes and different detections.
There are several worth flagging from a cybersecurity perspective:
Command Injection Risk: The WindowsBatchScript constructor accepts raw strings that are passed directly to cmd.exe. If any upstream Jenkins pipeline passes user-controlled input into that constructor without sanitisation, it's a classic command injection vector. The test for envWithShellChar (foo$$bar) hints the authors are aware of shell metacharacter risks, but the tests only cover $$, not &, |, >, backticks, or %VAR% expansion abuse.
Process Enumeration: The binaryInactive() method calls ProcessHandle.allProcesses(), enumerating every running process. In a production context this is a significant privilege concern and a potential information disclosure vector if that logic were ever exposed or logged.
Weak Await / Race Condition: The awaitCompletion() method polls with a 2-minute hard timeout. If a script hangs or is deliberately stalled by a malicious payload, the cleanup may never run, leaving artefact files on disk, potentially containing sensitive environment variables or output data.
Workspace Path Traversal: Paths like ws.child(path), where path comes from test parameters, suggest the plugin resolves child paths dynamically. If path were attacker-controlled (e.g., ../../sensitive), this could be a traversal issue in production use, though in the test context the values are hardcoded.
Temporary Artefact Files: The plugin writes script output to the workspace. If c.cleanup(ws) is not reliably called (e.g., on test failure), sensitive data in those files persists on the Jenkins controller or agent filesystem.
No Authentication/Authorisation Testing: There are no tests validating that only authorised users can trigger batch script execution, a significant gap given Jenkins' known history of privilege escalation CVEs.
That is an automated test. Automated tests are not included in the released code. Comments from Claude Code on the quality of an automated test may be interesting for development and maintenance, but they are unlikely to affect runtime, since automated tests are not included in the plugin binary file.