The Jenkins security team announced 34 security vulnerabilities affecting 29 plugins for the Jenkins open-source automation server. 29 of these bugs are zero-days still waiting to be patched. Jenkins is a highly popular platform with support for over 1,700 plugins and is used by enterprises worldwide for building, testing, and deploying software.
The plugins affected by the zero-days have a total of more than 22,000 installs.
Based on Shodan data, there are currently more than 144,000 Internet-exposed Jenkins servers that could be targeted in attacks if they are running an unpatched plugin.
The flaws yet to be patched include:
- Stored XSS
- Cross-Site Request Forgery (CSRF) bugs
- Missing permission checks
- Passwords, API keys and tokens stored in plain text
The Jenkins team has patched 4 of the plugins (GitLab, requests-plugin, TestNG Results, XebiaLabs XL Release). Luckily, most of the dangerous ones, the high-severity zero-days, require user interaction to be exploited, although the attacks are low complexity and can be carried out by remote attackers with low privileges.
However, potential attackers are likely to exploit these zero-days in reconnaissance attacks, allowing them to gain more information about the infrastructure of a targeted company.
The fixed plugin versions are:
- GitLab Plugin version 1.5.35
- requests-plugin version 2.2.17
- TestNG version 555.va0d5f66521e3
- XebiaLabs XL version 22.0.1
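To check whether an instance is still running one of the four plugins below its fixed version, the following added example (not code from the Jenkins project or the advisory) compares the plugin list that Jenkins' `/pluginManager/api/json?depth=1` endpoint returns against the fixed versions listed above. The `shortName` keys and the sample response are assumptions constructed for the example, and the version comparison is a simplified one that handles both the classic dotted scheme and the newer `555.va0d5f66521e3` style, not Jenkins' own VersionNumber class.

```python
import json
import re

# Fixed versions are the ones listed in the advisory summary above.
# The shortName keys are ASSUMED plugin identifiers, not taken from the page;
# adjust them to the `shortName` values your own Jenkins instance reports.
FIXED_VERSIONS = {
    "gitlab-plugin": "1.5.35",
    "requests": "2.2.17",
    "testng-plugin": "555.va0d5f66521e3",
    "xlrelease": "22.0.1",  # hypothetical shortName for XebiaLabs XL Release
}

def version_key(version):
    """Turn a Jenkins plugin version into a comparable tuple.
    Each dot-separated component contributes its leading integer (0 if none),
    then the remaining text as a tiebreak, so "1.5.35" and "555.va0d5f66521e3"
    can both be ordered. Simplified; not Jenkins' own VersionNumber semantics."""
    key = []
    for part in version.split("."):
        m = re.match(r"(\d*)(.*)", part)
        key.append((int(m.group(1)) if m.group(1) else 0, m.group(2)))
    return tuple(key)

def outdated_plugins(plugin_manager_json):
    """Given the JSON body of /pluginManager/api/json?depth=1, return a list of
    (shortName, installed, fixed) for tracked plugins still below the fixed version."""
    findings = []
    for plugin in json.loads(plugin_manager_json).get("plugins", []):
        name = plugin.get("shortName")
        installed = plugin.get("version", "0")
        fixed = FIXED_VERSIONS.get(name)
        if fixed and version_key(installed) < version_key(fixed):
            findings.append((name, installed, fixed))
    return findings

# Constructed sample response (not real data): two plugins behind, one current,
# one untracked.
SAMPLE = json.dumps({"plugins": [
    {"shortName": "gitlab-plugin", "version": "1.5.34"},
    {"shortName": "requests", "version": "2.2.17"},
    {"shortName": "testng-plugin", "version": "1.15"},
    {"shortName": "git", "version": "4.11.3"},
]})

if __name__ == "__main__":
    for name, installed, fixed in outdated_plugins(SAMPLE):
        print(f"{name}: installed {installed}, fixed in {fixed}")
```

Point the script at your own controller's JSON (with a token that has read access) instead of `SAMPLE` to audit a live instance.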