Your hacker Blog

Tens of Jenkins plugins are affected by zero-day vulnerabilities

Jenkins security team disclosed tens of flaws affecting 29 plugins for the Jenkins automation server, most of them are yet to be patched.

Jenkins is the most popular open-source automation server, it is maintained by CloudBees and the Jenkins community. The automation server supports developers build, test and deploy their applications, it has hundreds of thousands of active installations worldwide with more than 1 million users.

The security team at Jenkins, disclosed 34 security flaws affecting 29 plugins for the Jenkins automation server, 29 of these issues are yet to be patched.

The advisory published by Jenkins discloses vulnerabilities in the following deliverables:

Build Notifications Pluginbuild-metrics PluginCisco Spark PluginDeployment Dashboard PluginElasticsearch Query PlugineXtreme Feedback Panel PluginFailed Job Deactivator PluginGitLab PluginHPE Network Virtualization PluginJigomerge PluginMatrix Reloaded PluginOpsGenie PluginPlot PluginProject Inheritance PluginRecipe PluginRequest Rename Or Delete Pluginrequests-plugin PluginRich Text Publisher PluginRocketChat Notifier PluginRQM PluginSkype notifier PluginTestNG Results PluginValidating Email Parameter PluginXebiaLabs XL Release PluginXPath Configuration Viewer PluginThe severity of the flaws ranges from low to high, and at the time of publication of the advisory, the following plugins are yet to be fixed:

Build Notifications Pluginbuild-metrics PluginCisco Spark PluginDeployment Dashboard PluginElasticsearch Query PlugineXtreme Feedback Panel PluginFailed Job Deactivator PluginHPE Network Virtualization PluginJigomerge PluginMatrix Reloaded PluginOpsGenie PluginPlot PluginProject Inheritance PluginRecipe PluginRequest Rename Or Delete PluginRich Text Publisher PluginRocketChat Notifier PluginRQM PluginSkype notifier PluginValidating Email Parameter PluginXPath Configuration Viewer PluginThe list of unpatched vulnerabilities includes XSS, Cross-Site Request Forgery (CSRF), missing or incorrect permission checks, along with passwords, API keys, and tokens stored in plain text.

The addressed issues were patched with the release of:

GitLab Plugin should be updated to version 1.5.35requests-plugin Plugin should be updated to version 2.2.17TestNG Results Plugin should be updated to version 555.va0d5f66521e3XebiaLabs XL Release Plugin should be updated to version 22.0.1Follow me on Twitter: @securityaffairs and Facebook

try {
window._mNHandle.queue.push(function (){
window._mNDetails.loadTag(“816788371”, “300×250”, “816788371”);
});
}
catch (error) {}

try {
window._mNHandle.queue.push(function (){
window._mNDetails.loadTag(“816788371”, “300×250”, “816788371”);
});
}
catch (error) {}
Pierluigi Paganini

(SecurityAffairs – hacking)

The post Tens of Jenkins plugins are affected by zero-day vulnerabilities appeared first on Security Affairs.