Tens of Jenkins plugins are affected by zero-day vulnerabilities

Jenkins security team disclosed tens of flaws affecting 29 plugins for the Jenkins automation server, most of them are yet to be patched.

Jenkins is the most popular open-source automation server, it is maintained by CloudBees and the Jenkins community. The automation server supports developers build, test and deploy their applications, it has hundreds of thousands of active installations worldwide with more than 1 million users.

The security team at Jenkins, disclosed 34 security flaws affecting 29 plugins for the Jenkins automation server, 29 of these issues are yet to be patched.

The advisory published by Jenkins discloses vulnerabilities in the following deliverables:

The severity of the flaws ranges from low to high, and at the time of publication of the advisory, the following plugins are yet to be fixed:

Build Notifications Plugin
build-metrics Plugin
Cisco Spark Plugin
Deployment Dashboard Plugin
Elasticsearch Query Plugin
eXtreme Feedback Panel Plugin
Failed Job Deactivator Plugin
HPE Network Virtualization Plugin
Jigomerge Plugin
Matrix Reloaded Plugin
OpsGenie Plugin
Plot Plugin
Project Inheritance Plugin
Recipe Plugin
Request Rename Or Delete Plugin
Rich Text Publisher Plugin
RocketChat Notifier Plugin
RQM Plugin
Skype notifier Plugin
Validating Email Parameter Plugin
XPath Configuration Viewer Plugin

The list of unpatched vulnerabilities includes XSS, Cross-Site Request Forgery (CSRF), missing or incorrect permission checks, along with passwords, API keys, and tokens stored in plain text.

The addressed issues were patched with the release of:

GitLab Plugin should be updated to version 1.5.35
requests-plugin Plugin should be updated to version 2.2.17
TestNG Results Plugin should be updated to version 555.va0d5f66521e3
XebiaLabs XL Release Plugin should be updated to version 22.0.1

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.