Description
A Jenkins user reported a stack trace ending in the following (the rest involves a particular plugin):
java.lang.NullPointerException
    at com.thoughtworks.xstream.converters.ConversionException.add(ConversionException.java:65)
    at com.thoughtworks.xstream.XStream.unmarshal(XStream.java:1066)
    at hudson.util.XStream2.unmarshal(XStream2.java:109)
    at com.thoughtworks.xstream.XStream.unmarshal(XStream.java:1045)
    at hudson.XmlFile.unmarshal(XmlFile.java:166)
Here it seems that pkg.getImplementationVersion() is null in unmarshal yet that condition is not checked for. This is using Jenkins's patched version of XStream, but I checked the trunk sources of the official version and the same code is used, so theoretically it is equally vulnerable.
Perhaps something to do with the plugin calling hierarchicalStreamWriter.addAttribute("version", ...). Seems that the error is only triggered when (a) information == null, (b) this is not the first time you are adding an attribute of that name to this exception. The first condition seems normal enough; in fact it is true during the module's unit tests. I am not sure what would cause the second condition, however.
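
The two conditions named in the report, reproduced in a simplified model. This is an added example, not XStream's or Jenkins's code: the class `Diagnostics`, its methods `add` and `addNullSafe`, the `(null)` placeholder and the version string are hypothetical. It assumes the duplicate-name check dereferences the new value, which is what conditions (a) and (b) together imply.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Hypothetical model of an exception that collects name/value diagnostics.
// Not XStream's source; it only reproduces the conditions from the report.
class DiagnosticInfoDemo {

    static class Diagnostics {
        final Map<String, String> entries = new LinkedHashMap<>();

        // Unsafe: `information` is only dereferenced when `name` is already
        // present, so a null value fails on the second add, not the first.
        void add(String name, String information) {
            String key = name;
            int i = 0;
            String existing;
            while ((existing = entries.get(key)) != null) {
                if (information.equals(existing)) { // NPE when information == null
                    return;
                }
                key = name + "[" + (++i) + "]";
            }
            entries.put(key, information);
        }

        // Null-safe variant: normalise the value before the duplicate check.
        void addNullSafe(String name, String information) {
            add(name, information == null ? "(null)" : information);
        }
    }

    public static void main(String[] args) {
        Diagnostics unsafe = new Diagnostics();
        unsafe.add("version", "1.0-constructed");   // name is now taken
        try {
            unsafe.add("version", null);            // conditions (a) and (b) together
        } catch (NullPointerException e) {
            // The NPE replaces whatever error the diagnostics were describing.
            System.out.println("add() threw NullPointerException");
        }

        Diagnostics safe = new Diagnostics();
        safe.addNullSafe("version", "1.0-constructed");
        safe.addNullSafe("version", null);          // recorded under a suffixed key
        System.out.println(safe.entries);
    }
}
```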