Jenkins discloses dozens of zero-day bugs in multiple plugins


The Jenkins security team announced 34 security vulnerabilities affecting 29 plugins for the Jenkins open-source automation server. 29 of these bugs are zero-days still waiting to be patched. Jenkins is a highly popular platform with support for over 1,700 plugins and is used by enterprises worldwide for building, testing, and deploying software.

The plugins affected by the zero-days have more than 22,000 installs in total.

Based on Shodan data, there are currently more than 144,000 Internet-exposed Jenkins servers that could be targeted in attacks if running an unpatched plugin.

The complete list of flaws yet to be patched includes:

  • XSS
  • Stored XSS
  • Cross-Site Request Forgery (CSRF) bugs
  • Missing permission checks
  • Passwords, API keys and tokens stored in plain text

Jenkins Update

The Jenkins team has patched 4 of the plugins (GitLab, requests-plugin, TestNG Results, XebiaLabs XL Release). Luckily, most of the dangerous ones, the high-severity zero-days, require user interaction to be exploited, although they can be exploited in low-complexity attacks by remote attackers with low privileges.

However, potential attackers are likely to exploit these zero-days in reconnaissance attacks, allowing them to gain more information about the infrastructure of a targeted company.

Fixed Versions

  • GitLab Plugin version 1.5.35
  • requests-plugin version 2.2.17
  • TestNG Results version 555.va0d5f66521e3
  • XebiaLabs XL Release version 22.0.1
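A quick way to act on the fixed-version list above is to compare it against the plugin inventory Jenkins already exposes at /pluginManager/api/json?depth=1. The script below is an added example, not code from the article or the Jenkins project; the plugin shortNames are assumptions (the article gives display names only) and the inventory JSON is constructed, not captured from a real server.

```python
"""Flag installed Jenkins plugins that are below the advisory's fixed versions."""
import json
import re

# Fixed versions from the advisory. The shortName keys are assumptions:
# Jenkins reports plugins by shortName, the article only gives display names.
FIXED_VERSIONS = {
    "gitlab-plugin": "1.5.35",          # GitLab Plugin
    "requests": "2.2.17",               # requests-plugin
    "testng-plugin": "555.va0d5f66521e3",  # TestNG Results
    "xlrelease-plugin": "22.0.1",       # XebiaLabs XL Release
}


def version_key(version):
    """Turn a Jenkins version string into a list that sorts correctly.

    Jenkins plugins use both classic dotted versions (1.5.35) and the
    '<commit count>.v<hash>' scheme (555.va0d5f66521e3). Numeric segments
    compare as integers; non-numeric segments (the hash) sort after numbers
    and compare as plain strings, so only the numeric prefix carries meaning.
    """
    parts = []
    for seg in re.split(r"[.\-]", version):
        parts.append((0, int(seg), "") if seg.isdigit() else (1, 0, seg))
    return parts


def find_vulnerable(inventory_json):
    """Return {shortName: (installed, fixed)} for every plugin still below the fix."""
    inventory = json.loads(inventory_json)
    findings = {}
    for plugin in inventory.get("plugins", []):
        fixed = FIXED_VERSIONS.get(plugin.get("shortName"))
        if fixed is None:
            continue  # plugin not covered by this advisory
        installed = plugin.get("version", "0")
        if version_key(installed) < version_key(fixed):
            findings[plugin["shortName"]] = (installed, fixed)
    return findings


# Constructed sample inventory in the shape of the pluginManager API response.
SAMPLE_INVENTORY = json.dumps({"plugins": [
    {"shortName": "gitlab-plugin", "version": "1.5.34", "active": True},
    {"shortName": "requests", "version": "2.2.17", "active": True},
    {"shortName": "testng-plugin", "version": "554.vdeadbeef0000", "active": True},
    {"shortName": "xlrelease-plugin", "version": "22.0.1", "active": True},
    {"shortName": "git", "version": "4.11.3", "active": True},
]})

if __name__ == "__main__":
    for name, (installed, fixed) in find_vulnerable(SAMPLE_INVENTORY).items():
        print(f"{name}: installed {installed}, fixed in {fixed}")
```

Point the script at the real endpoint (with an API token that has Overall/Read) to run it against a live server; plugins in the advisory that still have no fixed version cannot be checked this way and need the vendor's mitigation advice instead.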


Published July 4th, 2022 | Exploitation, Security Advisory, Security Update, vulnerability, Zero Day Attack

About the Author:

FirstHackersNews - Identifies Security
