
Jenkins Patches High-Impact Vulnerabilities in Server and Plugins

Jenkins has released patches for multiple high- and medium-severity vulnerabilities impacting the automation tool and several plugins.

Open source CI/CD automation tool Jenkins has released patches for multiple high- and medium-severity vulnerabilities in the server and several plugins.

Patches were rolled out for two medium-severity flaws in Jenkins itself: one that exposes multi-line secrets in error messages, and one that lets users bypass restrictions on which item types may be created.

The first issue, tracked as CVE-2024-47803, exists because “Jenkins 2.478 and earlier, LTS 2.462.2 and earlier does not redact multi-line secret values in error messages generated for form submissions involving the secretTextarea form field,” according to a Jenkins security bulletin.

This could expose multi-line secrets in error messages that end up in the system log. It was addressed in Jenkins 2.479 and LTS 2.462.3, which redact those values.

Jenkins also announced patches for CVE-2024-47804, a bug affecting the item creation functionality of the software development automation server.

Jenkins can be configured to prohibit the creation of specific item types. If creation of a prohibited item is attempted through the Jenkins CLI or the REST API and one of two specific checks fails, the item is created in memory but deleted from disk.

“This allows attackers with Item/Create permission to bypass these restrictions, creating a temporary item. With Item/Configure permission, they can also save the item to persist it,” Jenkins explains, adding that the latest server versions no longer retain the item in memory in that case.

Patches were also rolled out for two high-severity vulnerabilities in the OpenId Connect Authentication plugin and a medium-severity flaw in the Credentials plugin.


The OpenId Connect Authentication bugs, CVE-2024-47806 and CVE-2024-47807, exist because the plugin does not check the ID token's audience (aud) claim, that is, whether the token was issued for the plugin's own client, nor its issuer (iss) claim, that is, whether it came from the configured identity provider. Either omission lets an attacker subvert the authentication flow and potentially gain administrator access to Jenkins.
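The two missing checks, as an added Python example that is not the plugin's code (the plugin itself is Java): a weak acceptor that trusts the sub claim of any well-formed ID token sits beside a strict one that applies the issuer, audience and expiry checks from OpenID Connect Core 1.0 section 3.1.3.7. The issuer URL, client_id and tokens are constructed for the example; the signature segment is a placeholder, and verifying the signature against the issuer's JWKS is assumed to happen before these claim checks.

```python
import base64
import json
import time


class TokenRejected(Exception):
    """Raised when an ID token fails the issuer/audience/expiry checks."""


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def encode_token(claims: dict) -> str:
    """Build a compact-JWS-shaped ID token for this example.

    Constructed for illustration only: the signature segment is a fixed
    placeholder, so tokens from here are never cryptographically valid.
    """
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.{_b64url_encode(b'placeholder-signature')}"


def decode_claims(id_token: str) -> dict:
    """Return the payload claims of a compact JWS without verifying it."""
    try:
        _header, payload, _signature = id_token.split(".")
    except ValueError:
        raise TokenRejected("not a compact JWS (expected three segments)")
    return json.loads(_b64url_decode(payload))


def accept_any_subject(id_token: str) -> str:
    """Weak pattern: log in whoever the sub claim of a well-formed token names.

    Nothing here ties the token to our issuer or to our client_id, so a token
    minted by another issuer, or minted for another application at the same
    issuer, is treated as a login for that subject.
    """
    return decode_claims(id_token)["sub"]


def accept_subject_strict(id_token: str, expected_issuer: str,
                          client_id: str, now: float = None) -> str:
    """ID token claim validation per OpenID Connect Core 1.0 section 3.1.3.7."""
    now = time.time() if now is None else now
    claims = decode_claims(id_token)

    # iss: the token must come from the provider we configured.
    if claims.get("iss") != expected_issuer:
        raise TokenRejected(f"issuer mismatch: {claims.get('iss')!r}")

    # aud: the token must have been issued for our client_id (string or list).
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in audiences:
        raise TokenRejected(f"token was not issued for this client: {audiences!r}")

    # azp: with several audiences the authorized party must be named and be us;
    # if azp is present at all, it must be our client_id.
    azp = claims.get("azp")
    if (len(audiences) > 1 or azp is not None) and azp != client_id:
        raise TokenRejected(f"azp {azp!r} is not this client")

    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise TokenRejected("token is expired or has no exp claim")
    return claims["sub"]


def rejects(id_token: str, expected_issuer: str, client_id: str, now: float) -> bool:
    """Convenience predicate: True if the strict validator refuses the token."""
    try:
        accept_subject_strict(id_token, expected_issuer, client_id, now)
    except TokenRejected:
        return True
    return False
```

Running `accept_any_subject` on a token whose iss is a foreign provider, or whose aud is some other application registered at the same provider, still returns the sub value, which is the behaviour the two CVEs describe; the strict validator refuses both, and also refuses a multi-audience token that does not name this client in azp.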

Tracked as CVE-2024-47805, the Credentials plugin issue exists because the encrypted values of credentials that use the SecretBytes type are not redacted when config.xml is accessed via the REST API or CLI, allowing attackers with Item/Extended Read permission to view those encrypted values. The values stay encrypted with the instance's secret key, so the exposure matters most where an attacker can also obtain that key.

OpenId Connect Authentication plugin version 4.355.v3a_fb_fca_b_96d4 and Credentials plugin version 1381.v2c3a_12074da_b_ address these plugin issues; the two server-side flaws are fixed in Jenkins 2.479 and LTS 2.462.3.
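A quick way to check an installation against the fixed versions above, as an added Python example that is not Jenkins or SecurityWeek code. It assumes that comparing the leading numeric components of a Jenkins version string is enough (incremental plugin versions such as 1381.v2c3a_12074da_b_ carry an increasing number followed by an unordered commit-hash segment) and that a three-component core version is an LTS release. The plugin ids, the inventory and the older plugin hashes are constructed for the example.

```python
# Fixed versions from the advisory summarised above, keyed by component id.
FIXED_VERSIONS = {
    "jenkins-weekly": "2.479",
    "jenkins-lts": "2.462.3",
    "oic-auth": "4.355.v3a_fb_fca_b_96d4",   # OpenId Connect Authentication plugin
    "credentials": "1381.v2c3a_12074da_b_",  # Credentials plugin
}

# Component ids this check knows how to evaluate; "jenkins" is the core.
COVERED = {"jenkins", "oic-auth", "credentials"}


def numeric_prefix(version: str) -> tuple:
    """Leading dot-separated integer components of a Jenkins version string.

    Assumption made here: the integer prefix orders releases, and the
    v<hash> segment of incremental plugin versions can be ignored.
    """
    parts = []
    for piece in version.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    if not parts:
        raise ValueError(f"no numeric prefix in version {version!r}")
    return tuple(parts)


def is_vulnerable(component: str, installed: str) -> bool:
    """True if the installed version predates the fix for this advisory."""
    if component not in COVERED:
        raise KeyError(f"{component!r} is not covered by this advisory")
    key = component
    if component == "jenkins":
        # Assumption: LTS releases have three components (2.462.3), weeklies two (2.479).
        key = "jenkins-lts" if len(numeric_prefix(installed)) >= 3 else "jenkins-weekly"
    return numeric_prefix(installed) < numeric_prefix(FIXED_VERSIONS[key])


def audit(inventory: dict) -> list:
    """Return the covered components in `inventory` that still need updating.

    `inventory` maps component ids ("jenkins" or a plugin short name) to the
    installed version string; components outside the advisory are skipped.
    """
    return sorted(name for name, version in inventory.items()
                  if name in COVERED and is_vulnerable(name, version))


# Constructed sample inventory; the older plugin hash is a placeholder.
SAMPLE_INVENTORY = {
    "jenkins": "2.462.2",
    "oic-auth": "4.354.vplaceholder0000",
    "credentials": "1381.v2c3a_12074da_b_",
    "git": "5.4.1",  # not part of this advisory, ignored by audit()
}

if __name__ == "__main__":
    for name in audit(SAMPLE_INVENTORY):
        print(f"UPDATE NEEDED: {name} {SAMPLE_INVENTORY[name]}")
```

The inventory can be filled from the controller itself: the core version is reported in the X-Jenkins response header, and installed plugins with their shortName and version are listed by the `/pluginManager/api/json?depth=1` endpoint (both require appropriate read permission).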

Related: ICS/OT Security Firms Announce Product Updates

Related: GitLab Security Update Patches Critical Vulnerability

Related: Tens of Cybersecurity Firms Found Exposing Assets

Related: Most Developers Never Update Third-Party Libraries in Their Software

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
