SecurityWeek

Jenkins Patches High-Impact Vulnerabilities in Server and Plugins

Jenkins has released patches for multiple high- and medium-severity vulnerabilities impacting the automation tool and several plugins.

Open source CI/CD automation tool Jenkins has released patches for multiple high- and medium-severity vulnerabilities in the server and several plugins.

Patches were rolled out for two medium-severity flaws in Jenkins, one leading to the exposure of multi-line secrets and another to creation restriction bypass.

The first issue, tracked as CVE-2024-47803, exists because “Jenkins 2.478 and earlier, LTS 2.462.2 and earlier does not redact multi-line secret values in error messages generated for form submissions involving the secretTextarea form field,” according to a Jenkins security bulletin.

This could lead to multi-line secrets being exposed on error messages present in system logs and was addressed in Jenkins versions 2.479 and LTS 2.462.3 by redacting those secrets.

Jenkins also announced patches for CVE-2024-47804, a bug affecting the item creation functionality of the software development automation server.

While Jenkins can be configured to prohibit the creation of specific item types, if the creation is attempted using the Jenkins CLI or the REST API and one of two specific checks fails, the item would be created in memory and deleted from the disk.

“This allows attackers with Item/Create permission to bypass these restrictions, creating a temporary item. With Item/Configure permission, they can also save the item to persist it,” Jenkins explains, adding that the latest server iterations no longer retain the item in memory.

Patches were also rolled out for two high-severity vulnerabilities in the OpenId Connect Authentication plugin, and a medium-severity flaw in the Credentials plugin.


The OpenId Connect Authentication bugs — CVE-2024-47806 and CVE-2024-47807 — exist because the plugin fails to check whether a token was issued for the correct client and the identity of the original issuer, which could allow attackers to gain administrator access to Jenkins.
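As an added illustration (not the plugin's code, and written in Python rather than the plugin's Java), the two ID-token checks an OpenID Connect relying party must apply so that a token minted by another provider, or for another client, is rejected; the issuer URL, client ID and claim sets below are constructed placeholders, and signature, expiry and nonce checks are assumed to happen elsewhere:

```python
# Added example: issuer ('iss') and audience ('aud') validation of a decoded
# OpenID Connect ID token, the checks that the advisory says were missing.
# Not the Jenkins plugin's code; assumes the token signature was verified first.
from typing import Any, Mapping


class IdTokenRejected(Exception):
    """Raised when the ID token was not issued by our provider for our client."""


def validate_issuer_and_audience(
    claims: Mapping[str, Any], expected_issuer: str, client_id: str
) -> bool:
    """Return True only if 'iss' and 'aud' bind the token to this relying party."""
    # Issuer: exact string comparison against the configured provider URL.
    iss = claims.get("iss")
    if not isinstance(iss, str) or iss != expected_issuer:
        raise IdTokenRejected(f"issuer mismatch: {iss!r}")

    # Audience: 'aud' may be a string or a list; our client_id must appear.
    # A missing, empty or non-string audience is a failure, not a pass.
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else aud
    if not isinstance(audiences, list) or client_id not in audiences:
        raise IdTokenRejected(f"audience mismatch: {aud!r}")

    # With several audiences, 'azp' (authorized party) must name this client,
    # otherwise a token issued for a sibling app at the same IdP would pass.
    if len(audiences) > 1 and claims.get("azp") != client_id:
        raise IdTokenRejected(f"authorized party mismatch: {claims.get('azp')!r}")
    return True


# Constructed sample values (placeholders, not real tokens or deployments).
ISSUER = "https://idp.example.test"
CLIENT = "jenkins-client"

GOOD = {"iss": ISSUER, "aud": CLIENT, "sub": "alice"}
WRONG_CLIENT = {"iss": ISSUER, "aud": "other-app", "sub": "alice"}
WRONG_ISSUER = {"iss": "https://other-idp.example.test", "aud": CLIENT, "sub": "alice"}
MULTI_AUD_OK = {"iss": ISSUER, "aud": [CLIENT, "api"], "azp": CLIENT, "sub": "alice"}
MULTI_AUD_BAD = {"iss": ISSUER, "aud": [CLIENT, "api"], "azp": "api", "sub": "alice"}


def accepted(claims: Mapping[str, Any]) -> bool:
    """Convenience wrapper: True if the token passes, False if it is rejected."""
    try:
        return validate_issuer_and_audience(claims, ISSUER, CLIENT)
    except IdTokenRejected:
        return False
```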

Tracked as CVE-2024-47805, the Credentials plugin issue exists because encrypted values of credentials using the SecretBytes type are not redacted when accessing config.xml via the REST API or CLI, allowing attackers with Item/Extended Read permission to view those encrypted values.

OpenId Connect Authentication plugin version 4.355.v3a_fb_fca_b_96d4 and Credentials plugin version 1381.v2c3a_12074da_b_ address these issues.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
