Several Jenkins Plugins Are Prone to Zero-Day Attacks


Security researchers at Jenkins, the open-source automation server, have identified dozens of zero-day vulnerabilities affecting several of its plugins. The automation platform, maintained by CloudBees and its community, supports upwards of 1,700 plugins and is used by companies worldwide to build, test and deploy software.

Reportedly, Jenkins counts over a million users worldwide, with hundreds of thousands of active installations. The zero-days spotted by the platform’s security experts have CVSS severity levels ranging from low to high, and the affected plugins are installed on more than 22,000 instances.

These include a stored XSS vulnerability, missing permission checks, CSRF vulnerabilities, incorrect permission checks, and passwords, tokens, API keys and secrets stored in plain text.

The initial list of vulnerable plugins included 29 items, but the Jenkins team patched four of them. According to Jenkins’ security advisory, the vulnerabilities still affect the following deliverables:

· Build Notifications Plugin up to and including 1.5.0

· build-metrics Plugin up to and including 1.3

· Cisco Spark Plugin up to and including 1.1.1

· Deployment Dashboard Plugin up to and including 1.0.10

· Elasticsearch Query Plugin up to and including 1.2

· eXtreme Feedback Panel Plugin up to and including 2.0.1

· Failed Job Deactivator Plugin up to and including 1.2.1

· GitLab Plugin up to and including 1.5.34

· HPE Network Virtualization Plugin up to and including 1.0

· Jigomerge Plugin up to and including 0.9

· Matrix Reloaded Plugin up to and including 1.1.3

· OpsGenie Plugin up to and including 1.9

· Plot Plugin up to and including 2.1.10

· Project Inheritance Plugin up to and including 21.04.03

· Recipe Plugin up to and including 1.2

· Request Rename Or Delete Plugin up to and including 1.1.0

· requests-plugin Plugin up to and including 2.2.16

· Rich Text Publisher Plugin up to and including 1.4

· RocketChat Notifier Plugin up to and including 1.5.2

· RQM Plugin up to and including 2.8

· Skype notifier Plugin up to and including 1.1.0

· TestNG Results Plugin up to and including 554.va4a552116332

· Validating Email Parameter Plugin up to and including 1.10

· XebiaLabs XL Release Plugin up to and including 22.0.0

· XPath Configuration Viewer Plugin up to and including 1.1.1

The fixed deliverables include GitLab Plugin (version 1.5.35), requests-plugin Plugin (version 2.2.17), TestNG Results Plugin (version 555.va0d5f66521e3), and XebiaLabs XL Release Plugin (version 22.0.1).
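For an administrator, the practical question is whether any of the plugins above are installed at an affected version. The script below is an added example, not part of the advisory or the Jenkins project: it compares a plugin inventory against the "up to and including" versions listed here (a subset of the list, in the same format as the rest) and reports the fixed version where one exists. It assumes the inventory has the `longName`/`version` fields of the Jenkins `/pluginManager/api/json?depth=1` response; the sample inventory is constructed.

```python
"""Check a Jenkins plugin inventory against the advisory's affected versions."""
import json
import re

# Affected plugins from the advisory (display name -> last affected version,
# fixed version or None). Subset of the list; extend with the remaining rows.
AFFECTED = {
    "GitLab Plugin": ("1.5.34", "1.5.35"),
    "requests-plugin Plugin": ("2.2.16", "2.2.17"),
    "TestNG Results Plugin": ("554.va4a552116332", "555.va0d5f66521e3"),
    "XebiaLabs XL Release Plugin": ("22.0.0", "22.0.1"),
    "Project Inheritance Plugin": ("21.04.03", None),
    "Plot Plugin": ("2.1.10", None),
    "Build Notifications Plugin": ("1.5.0", None),
}

def version_key(version):
    """Turn '1.5.34', '21.04.03' or '554.va4a552116332' into a comparable tuple.
    Numeric segments compare as integers; a non-numeric segment (the 'v<hash>'
    suffix of incremental builds) sorts after any integer, so the leading
    build number decides, as it does for the TestNG versions above."""
    return tuple((0, int(s), "") if s.isdigit() else (1, 0, s)
                 for s in re.split(r"[.-]", version))

def is_affected(name, installed):
    """True if `name` is on the list and `installed` <= its last affected version."""
    entry = AFFECTED.get(name)
    if entry is None:
        return False
    return version_key(installed) <= version_key(entry[0])

def audit(plugins_json):
    """Take the JSON body of /pluginManager/api/json?depth=1 (assumed fields:
    longName, version) and return {longName: fixed_version_or_None} for every
    installed plugin still on a vulnerable version."""
    plugins = json.loads(plugins_json)["plugins"]
    return {p["longName"]: AFFECTED[p["longName"]][1]
            for p in plugins if is_affected(p["longName"], p["version"])}

# Constructed sample inventory in the shape of the Jenkins API response.
SAMPLE_INVENTORY = json.dumps({"plugins": [
    {"longName": "GitLab Plugin", "version": "1.5.34"},
    {"longName": "TestNG Results Plugin", "version": "555.va0d5f66521e3"},
    {"longName": "Plot Plugin", "version": "2.1.10"},
    {"longName": "Unrelated Example Plugin", "version": "3.2.1"},
]})

if __name__ == "__main__":
    for name, fix in audit(SAMPLE_INVENTORY).items():
        print(f"{name}: vulnerable; {'upgrade to ' + fix if fix else 'no fix yet'}")
```

Plugins reported with no fixed version can only be mitigated by disabling or removing them until a patched release appears.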

Currently, there is no fix for most of the vulnerable plugins above. While the unfixed zero-days are not severe enough to allow remote code or command execution on vulnerable servers, attackers could still use them for reconnaissance against affected installations.