Several Jenkins Plugins Are Prone to Zero-Day Attacks

Vlad CONSTANTINESCU

July 04, 2022


Security researchers at Jenkins, the open-source automation server, have identified dozens of zero-day vulnerabilities affecting several of its plugins. The platform, maintained by CloudBees and its community, supports upwards of 1,700 plugins and is used by companies worldwide to build, test and deploy software.

Reportedly, Jenkins counts over a million users worldwide, with hundreds of thousands of active installations. The zero-days spotted by the platform’s security experts have CVSS severity levels ranging from low to high, and the affected plugins are installed on more than 22,000 instances.

The flaws include a stored XSS vulnerability, missing permission checks, CSRF vulnerabilities and incorrect permission checks, as well as passwords, tokens, API keys and secrets stored in plain text.

The initial list of vulnerable plugins included 29 items, but the Jenkins team patched four of them. According to Jenkins’ security advisory, the vulnerabilities still affect the following deliverables:

· Build Notifications Plugin up to and including 1.5.0
· build-metrics Plugin up to and including 1.3
· Cisco Spark Plugin up to and including 1.1.1
· Deployment Dashboard Plugin up to and including 1.0.10
· Elasticsearch Query Plugin up to and including 1.2
· eXtreme Feedback Panel Plugin up to and including 2.0.1
· Failed Job Deactivator Plugin up to and including 1.2.1
· GitLab Plugin up to and including 1.5.34
· HPE Network Virtualization Plugin up to and including 1.0
· Jigomerge Plugin up to and including 0.9
· Matrix Reloaded Plugin up to and including 1.1.3
· OpsGenie Plugin up to and including 1.9
· Plot Plugin up to and including 2.1.10
· Project Inheritance Plugin up to and including 21.04.03
· Recipe Plugin up to and including 1.2
· Request Rename Or Delete Plugin up to and including 1.1.0
· requests-plugin Plugin up to and including 2.2.16
· Rich Text Publisher Plugin up to and including 1.4
· RocketChat Notifier Plugin up to and including 1.5.2
· RQM Plugin up to and including 2.8
· Skype notifier Plugin up to and including 1.1.0
· TestNG Results Plugin up to and including 554.va4a552116332
· Validating Email Parameter Plugin up to and including 1.10
· XebiaLabs XL Release Plugin up to and including 22.0.0
· XPath Configuration Viewer Plugin up to and including 1.1.1

The fixed deliverables include GitLab Plugin (version 1.5.35), requests-plugin Plugin (version 2.2.17), TestNG Results Plugin (version 555.va0d5f66521e3), and XebiaLabs XL Release Plugin (version 22.0.1).
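To turn the advisory's "up to and including" table into an inventory check, the script below (an added example, not code from Jenkins or the article) compares installed plugin versions against the affected ceilings. It assumes the `longName` and `version` field names of Jenkins' plugin manager API, uses a simplified stand-in for Jenkins' own version comparison, and covers only a subset of the plugin list above.

```python
import re

# Subset of the advisory's table: display name -> highest vulnerable version
# ("up to and including"). The full list is in the article above.
AFFECTED_UP_TO = {
    "GitLab Plugin": "1.5.34",
    "requests-plugin Plugin": "2.2.16",
    "TestNG Results Plugin": "554.va4a552116332",
    "XebiaLabs XL Release Plugin": "22.0.0",
    "Project Inheritance Plugin": "21.04.03",
    "Plot Plugin": "2.1.10",
}

def version_key(version: str):
    """Split a Jenkins plugin version into comparable components.

    Numeric parts compare as integers (2.1.10 > 2.1.9; 21.04.03 reads as
    21.4.3). Non-numeric parts such as the 'va4a...' git-hash suffix of the
    newer Jenkins version scheme sort after numbers and compare as strings.
    Simplified stand-in for Jenkins' VersionNumber class (assumption).
    """
    parts = []
    for token in re.split(r"[.\-]", version.strip()):
        if token.isdigit():
            parts.append((0, int(token), ""))
        else:
            parts.append((1, 0, token))
    return tuple(parts)

def is_vulnerable(name: str, installed: str) -> bool:
    """True if `name` is in the advisory and `installed` <= its ceiling."""
    ceiling = AFFECTED_UP_TO.get(name)
    return ceiling is not None and version_key(installed) <= version_key(ceiling)

def audit(plugins):
    """Names of plugins still at a vulnerable version, sorted.

    `plugins` is a list of dicts with 'longName' and 'version', the field
    names assumed for Jenkins' /pluginManager/api/json?depth=1 output.
    """
    return sorted(p["longName"] for p in plugins
                  if is_vulnerable(p["longName"], p["version"]))

# Constructed sample inventory for this example, not data from any instance.
SAMPLE_INVENTORY = [
    {"longName": "GitLab Plugin", "version": "1.5.35"},              # fixed
    {"longName": "TestNG Results Plugin", "version": "554.va4a552116332"},
    {"longName": "Project Inheritance Plugin", "version": "21.04.03"},
    {"longName": "Plot Plugin", "version": "2.1.9"},
    {"longName": "Git plugin", "version": "4.11.3"},                 # not listed
]

if __name__ == "__main__":
    for name in audit(SAMPLE_INVENTORY):
        print("vulnerable:", name)
```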

Currently, there is no fix for most of the vulnerable plugins listed above. Although the unfixed zero-days are not severe enough to allow remote code or command execution on vulnerable servers, attackers could still exploit them for reconnaissance.
