Connect with us

Hi, what are you looking for?



Jenkins Patches High-Severity Vulnerabilities in Multiple Plugins

Jenkins has announced patches for high and medium-severity vulnerabilities impacting several of the open source automation tool’s plugins.

Open source software development automation server Jenkins this week announced patches for high- and medium-severity vulnerabilities impacting multiple plugins.

The patches address three high-severity cross-site request forgery (CSRF) and cross-site scripting (XSS) issues in the Folders, Flaky Test Handler, and Shortcut Job plugins.

Tracked as CVE-2023-40336, the first bug exists because no POST requests were required for an HTTP endpoint in version 6.846.v23698686f0f6 and earlier of the Folders plugin, leading to CSRF.

“This vulnerability allows attackers to copy an item, which could potentially automatically approve unsandboxed scripts and allow the execution of unsafe scripts,” Jenkins explains in an advisory.

The second high-severity bug, CVE-2023-40342, impacts Flaky Test Handler plugin versions 1.2.2 and earlier, which do not escape JUnit test contents when they are displayed in the Jenkins UI, allowing attackers to perform XSS attacks.

Shortcut Job plugin versions 0.4 and earlier do not escape the shortcut redirection URL, leading to an XSS flaw tracked as CVE-2023-40346.

Another high-severity XSS flaw was identified in Docker Swarm plugin versions 1.11 and earlier, which do not escape values returned from Docker before they are inserted into the Docker Swarm Dashboard view. However, no patch was released for this bug.

Jenkins also announced fixes for medium-severity vulnerabilities in the Folders, Config File Provider, NodeJS, Blue Ocean, Fortify, and Delphix plugins.

Advertisement. Scroll to continue reading.

According to the advisory, these flaws could lead to information disclosure, credential leaks, CSRF attacks, HTML injection, and credential ID enumeration.

Fixes were included in Blue Ocean version, Config File Provider version 953.v0432a_802e4d2, Delphix version 3.0.3, Flaky Test Handler version 1.2.3, Folders version 6.848.ve3b_fd7839a_81, Fortify version 22.2.39, NodeJS version, and Shortcut Job version 0.5.

Additionally, Jenkins warned that no patches have been released for three medium-severity flaws in the Maven Artifact ChoiceListProvider (Nexus), Gogs, and Favorite View plugins that could lead to credential exposure, information disclosure, and CSRF attacks.

The Tuleap Authentication plugin was updated to version 1.1.21 to resolve a low-severity vulnerability allowing attackers to obtain a valid authentication token.

Related: Jenkins Server Vulnerabilities Chained for Remote Code Execution

Related: Cisco Patches High-Severity Vulnerabilities in Enterprise Applications

Related: Ivanti Patches Critical Vulnerability in Avalanche Enterprise MDM Solution

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.