Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Jenkins Patches High-Severity Vulnerabilities in Multiple Plugins

Jenkins has announced patches for high and medium-severity vulnerabilities impacting several of the open source automation tool’s plugins.

Open source software development automation server Jenkins this week announced patches for high- and medium-severity vulnerabilities impacting multiple plugins.

The patches address three high-severity cross-site request forgery (CSRF) and cross-site scripting (XSS) issues in the Folders, Flaky Test Handler, and Shortcut Job plugins.

Tracked as CVE-2023-40336, the first bug exists because no POST requests were required for an HTTP endpoint in version 6.846.v23698686f0f6 and earlier of the Folders plugin, leading to CSRF.

“This vulnerability allows attackers to copy an item, which could potentially automatically approve unsandboxed scripts and allow the execution of unsafe scripts,” Jenkins explains in an advisory.

The second high-severity bug, CVE-2023-40342, impacts Flaky Test Handler plugin versions 1.2.2 and earlier, which do not escape JUnit test contents when they are displayed in the Jenkins UI, allowing attackers to perform XSS attacks.

Shortcut Job plugin versions 0.4 and earlier do not escape the shortcut redirection URL, leading to an XSS flaw tracked as CVE-2023-40346.

Another high-severity XSS flaw was identified in Docker Swarm plugin versions 1.11 and earlier, which do not escape values returned from Docker before they are inserted into the Docker Swarm Dashboard view. However, no patch was released for this bug.

Jenkins also announced fixes for medium-severity vulnerabilities in the Folders, Config File Provider, NodeJS, Blue Ocean, Fortify, and Delphix plugins.

Advertisement. Scroll to continue reading.

According to the advisory, these flaws could lead to information disclosure, credential leaks, CSRF attacks, HTML injection, and credential ID enumeration.

Fixes were included in Blue Ocean version 1.27.5.1, Config File Provider version 953.v0432a_802e4d2, Delphix version 3.0.3, Flaky Test Handler version 1.2.3, Folders version 6.848.ve3b_fd7839a_81, Fortify version 22.2.39, NodeJS version 1.6.0.1, and Shortcut Job version 0.5.

Additionally, Jenkins warned that no patches have been released for three medium-severity flaws in the Maven Artifact ChoiceListProvider (Nexus), Gogs, and Favorite View plugins that could lead to credential exposure, information disclosure, and CSRF attacks.

The Tuleap Authentication plugin was updated to version 1.1.21 to resolve a low-severity vulnerability allowing attackers to obtain a valid authentication token.

Related: Jenkins Server Vulnerabilities Chained for Remote Code Execution

Related: Cisco Patches High-Severity Vulnerabilities in Enterprise Applications

Related: Ivanti Patches Critical Vulnerability in Avalanche Enterprise MDM Solution

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Hear from experts as they explore the latest trends, challenges and innovations in Attack Surface Management.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Janet Rathod has been named VP and CISO at Johns Hopkins University.

Barbara Larson has joined SentinelOne as Chief Financial Officer.

Amy Howland has been named Partner and CISO at Guidehouse.

More People On The Move

Expert Insights