Tens of Jenkins plugins are affected by zero-day vulnerabilities

Jenkins security team disclosed tens of flaws affecting 29 plugins for the Jenkins automation server, most of them are yet to be patched.

Jenkins is the most popular open-source automation server, it is maintained by CloudBees and the Jenkins community. The automation server supports developers build, test and deploy their applications, it has hundreds of thousands of active installations worldwide with more than 1 million users.

The security team at Jenkins, disclosed 34 security flaws affecting 29 plugins for the Jenkins automation server, 29 of these issues are yet to be patched.

The advisory published by Jenkins discloses vulnerabilities in the following deliverables:

• Build Notifications Plugin
• build-metrics Plugin
• Cisco Spark Plugin
• Deployment Dashboard Plugin
• Elasticsearch Query Plugin
• eXtreme Feedback Panel Plugin
• Failed Job Deactivator Plugin
• GitLab Plugin
• HPE Network Virtualization Plugin
• Jigomerge Plugin
• Matrix Reloaded Plugin
• OpsGenie Plugin
• Plot Plugin
• Project Inheritance Plugin
• Recipe Plugin
• Request Rename Or Delete Plugin
• requests-plugin Plugin
• Rich Text Publisher Plugin
• RocketChat Notifier Plugin
• RQM Plugin
• Skype notifier Plugin
• TestNG Results Plugin
• Validating Email Parameter Plugin
• XebiaLabs XL Release Plugin
• XPath Configuration Viewer Plugin

The severity of the flaws ranges from low to high, and at the time of publication of the advisory, the following plugins are yet to be fixed:

• Build Notifications Plugin
• build-metrics Plugin
• Cisco Spark Plugin
• Deployment Dashboard Plugin
• Elasticsearch Query Plugin
• eXtreme Feedback Panel Plugin
• Failed Job Deactivator Plugin
• HPE Network Virtualization Plugin
• Jigomerge Plugin
• Matrix Reloaded Plugin
• OpsGenie Plugin
• Plot Plugin
• Project Inheritance Plugin
• Recipe Plugin
• Request Rename Or Delete Plugin
• Rich Text Publisher Plugin
• RocketChat Notifier Plugin
• RQM Plugin
• Skype notifier Plugin
• Validating Email Parameter Plugin
• XPath Configuration Viewer Plugin

The list of unpatched vulnerabilities includes XSS, Cross-Site Request Forgery (CSRF), missing or incorrect permission checks, along with passwords, API keys, and tokens stored in plain text.

The addressed issues were patched with the release of:

• GitLab Plugin should be updated to version 1.5.35
• requests-plugin Plugin should be updated to version 2.2.17
• TestNG Results Plugin should be updated to version 555.va0d5f66521e3
• XebiaLabs XL Release Plugin should be updated to version 22.0.1

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]