Open source software development automation server Jenkins this week announced patches for high- and medium-severity vulnerabilities impacting multiple plugins.
The patches address three high-severity cross-site request forgery (CSRF) and cross-site scripting (XSS) issues in the Folders, Flaky Test Handler, and Shortcut Job plugins.
Tracked as CVE-2023-40336, the first bug exists because no POST requests were required for an HTTP endpoint in version 6.846.v23698686f0f6 and earlier of the Folders plugin, leading to CSRF.
“This vulnerability allows attackers to copy an item, which could potentially automatically approve unsandboxed scripts and allow the execution of unsafe scripts,” Jenkins explains in an advisory.
The second high-severity bug, CVE-2023-40342, impacts Flaky Test Handler plugin versions 1.2.2 and earlier, which do not escape JUnit test contents when they are displayed in the Jenkins UI, allowing attackers to perform XSS attacks.
Shortcut Job plugin versions 0.4 and earlier do not escape the shortcut redirection URL, leading to an XSS flaw tracked as CVE-2023-40346.
Another high-severity XSS flaw was identified in Docker Swarm plugin versions 1.11 and earlier, which do not escape values returned from Docker before they are inserted into the Docker Swarm Dashboard view. However, no patch was released for this bug.
Jenkins also announced fixes for medium-severity vulnerabilities in the Folders, Config File Provider, NodeJS, Blue Ocean, Fortify, and Delphix plugins.
According to the advisory, these flaws could lead to information disclosure, credential leaks, CSRF attacks, HTML injection, and credential ID enumeration.
Fixes were included in Blue Ocean version 1.27.5.1, Config File Provider version 953.v0432a_802e4d2, Delphix version 3.0.3, Flaky Test Handler version 1.2.3, Folders version 6.848.ve3b_fd7839a_81, Fortify version 22.2.39, NodeJS version 1.6.0.1, and Shortcut Job version 0.5.
Additionally, Jenkins warned that no patches have been released for three medium-severity flaws in the Maven Artifact ChoiceListProvider (Nexus), Gogs, and Favorite View plugins that could lead to credential exposure, information disclosure, and CSRF attacks.
The Tuleap Authentication plugin was updated to version 1.1.21 to resolve a low-severity vulnerability allowing attackers to obtain a valid authentication token.
Related: Jenkins Server Vulnerabilities Chained for Remote Code Execution
Related: Cisco Patches High-Severity Vulnerabilities in Enterprise Applications
Related: Ivanti Patches Critical Vulnerability in Avalanche Enterprise MDM Solution
