Experts from Jenkins has disclosed numerous flaws affecting 29 plugins for the Jenkins automation server.
A most popular open-source automation server Jenkins, maintained by CloudBees and the Jenkins community.
The security team at Jenkins, disclosed 34 security flaws affecting 29 plugins for the Jenkins automation server, 29 of these issues are yet to be patched.
The list of unpatched vulnerabilities includes XSS, Cross-Site Request Forgery (CSRF), missing or incorrect permission checks, along with passwords, API keys, and tokens stored in plain text.
The advisory published by Jenkins discloses vulnerabilities in the following deliverables. The severity of the flaws ranges from low to high, and at the time of publication of the advisory. Only few of them got the patches.
- Build Notifications Plugin
- build-metrics Plugin
- Cisco Spark Plugin
- Deployment Dashboard Plugin
- Elasticsearch Query Plugin
- eXtreme Feedback Panel Plugin
- Failed Job Deactivator Plugin
- GitLab Plugin – Patched
- HPE Network Virtualization Plugin
- Jigomerge Plugin
- Matrix Reloaded Plugin
- OpsGenie Plugin
- Plot Plugin
- Project Inheritance Plugin
- Recipe Plugin
- Request Rename Or Delete Plugin
- requests-plugin Plugin – Patched
- Rich Text Publisher Plugin
- RocketChat Notifier Plugin
- RQM Plugin
- Skype notifier Plugin
- TestNG Results Plugin -Patched
- Validating Email Parameter Plugin
- XebiaLabs XL Release Plugin – Patched
- XPath Configuration Viewer Plugin
The addressed issues were patched with the release of:
- GitLab Plugin should be updated to version 1.5.35
- requests-plugin Plugin should be updated to version 2.2.17
- TestNG Results Plugin should be updated to version 555.va0d5f66521e3
- XebiaLabs XL Release Plugin should be updated to version 22.0.1
