The Jenkins security team has announced the discovery of 34 vulnerabilities affecting 29 popular plugins. Worse, 29 of the problems found are 0-day vulnerabilities: very fresh bugs for which there are still no patches.
According to the developers, the severity of the problems on the CVSS scale ranges from low to high, and the vulnerable plugins have been installed more than 22,000 times in total.
As a reminder, we also wrote about a critical PHP vulnerability that allows code to run on Qnap devices, and about a critical 0-day vulnerability found in the Spring Java framework.
The list of flaws that Jenkins now needs to fix includes XSS (including stored XSS), CSRF, missing or incorrect permission checks, and passwords, secrets, API keys and tokens stored by plugins in plain text.
Although none of the vulnerabilities is rated critical (the rating reserved for bugs that let attackers remotely execute code or commands on vulnerable servers), the flaws found can still be used to attack corporate networks.
The Jenkins team has already published patches for four plugins (GitLab, requests-plugin, TestNG Results and XebiaLabs XL Release), but the list of vulnerable plugins is still long:
- Build Notifications Plugin up to and including version 1.5.0;
- build-metrics Plugin up to and including version 1.3;
- Cisco Spark Plugin up to and including version 1.1.1;
- Deployment Dashboard Plugin up to and including version 1.0.10;
- Elasticsearch Query Plugin up to and including version 1.2;
- eXtreme Feedback Panel Plugin up to and including version 2.0.1;
- Failed Job Deactivator Plugin up to and including version 1.2.1;
- GitLab Plugin up to and including version 1.5.34;
- HPE Network Virtualization Plugin up to and including version 1.0;
- Jigomerge Plugin up to and including version 0.9;
- Matrix Reloaded Plugin up to and including version 1.1.3;
- OpsGenie Plugin up to and including version 1.9;
- Plot Plugin up to and including version 2.1.10;
- Project Inheritance Plugin up to and including version 21.04.03;
- Recipe Plugin up to and including version 1.2;
- Request Rename or Delete Plugin up to and including version 1.1.0;
- requests-plugin Plugin up to and including version 2.2.16;
- Rich Text Publisher Plugin up to and including version 1.4;
- RocketChat Notifier Plugin up to and including version 1.5.2;
- RQM Plugin up to and including version 2.8;
- Skype notifier Plugin up to and including version 1.1.0;
- TestNG Results Plugin up to and including version 554.va4a552116332;
- Validating Email Parameter Plugin up to and including version 1.10;
- XebiaLabs XL Release Plugin up to and including version 22.0.0;
- XPath Configuration Viewer Plugin up to and including version 1.1.1.
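To check an installed plugin inventory against the version ranges listed above, here is an added Python example (not code from the Jenkins project or the advisory). The affected-version table carries a subset of the plugins from the list above (the rest are added the same way), the installed inventory is a constructed sample, and the version comparison is the example's own: numeric segments compare as integers and suffixes such as the `va4a552116332` hash compare as strings.

```python
from typing import Dict, List, Tuple

# Last affected version per plugin ("up to and including"), copied from the
# list above. Subset only; the remaining plugins go in the same table.
LAST_AFFECTED = {
    "GitLab Plugin": "1.5.34",
    "Plot Plugin": "2.1.10",
    "Project Inheritance Plugin": "21.04.03",
    "requests-plugin Plugin": "2.2.16",
    "TestNG Results Plugin": "554.va4a552116332",
    "XebiaLabs XL Release Plugin": "22.0.0",
}


def parse_version(version: str) -> Tuple:
    """Split a Jenkins plugin version into comparable segments.

    Numeric segments compare as integers; non-numeric segments (e.g. the
    'va4a552116332' suffix of newer plugin versions) compare as strings and
    sort after any integer, so '554.va4a...' is greater than '554'.
    """
    parts = []
    for segment in version.split("."):
        if segment.isdigit():
            parts.append((0, int(segment), ""))
        else:
            parts.append((1, 0, segment))
    return tuple(parts)


def is_affected(plugin: str, installed_version: str) -> bool:
    """True if the plugin is in the advisory and at or below its last affected version."""
    last = LAST_AFFECTED.get(plugin)
    if last is None:
        return False
    return parse_version(installed_version) <= parse_version(last)


def vulnerable_plugins(installed: Dict[str, str]) -> List[str]:
    """Display names of installed plugins still on an affected version, sorted."""
    return sorted(name for name, ver in installed.items() if is_affected(name, ver))


# Constructed sample inventory (display name -> installed version), not a real
# instance; in practice it is exported from the Plugin Manager or script console.
SAMPLE_INVENTORY = {
    "GitLab Plugin": "1.5.34",                     # exactly the last affected version
    "Plot Plugin": "2.1.11",                       # one past the affected range
    "TestNG Results Plugin": "554.va4a552116332",  # hash-suffixed version, affected
    "Project Inheritance Plugin": "21.04.02",      # below the last affected version
    "Credentials Plugin": "2.6.1",                 # not part of the advisory
}

if __name__ == "__main__":
    for name in vulnerable_plugins(SAMPLE_INVENTORY):
        print(f"UPDATE NEEDED: {name} {SAMPLE_INVENTORY[name]}")
```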