CONFERENCE On Demand: Cyber AI & Automation Summit - Watch Now
Connect with us

Hi, what are you looking for?



Vulnerabilities Found in Over 100 Jenkins Plugins

A researcher has discovered vulnerabilities in more than 100 plugins designed for the Jenkins open source software development automation server and many of them have yet to be patched.

A researcher has discovered vulnerabilities in more than 100 plugins designed for the Jenkins open source software development automation server and many of them have yet to be patched.

NCC Group Security Consultant Viktor Gazdag has manually tested hundreds of plugins that extend Jenkins’ functionality and identified vulnerabilities in over 100 of them. The flaws are mostly related to storing passwords in plain text, and cross-site request forgery (CSRF) issues with missing permission checks that can allow hackers to steal credentials and launch server-side request forgery (CSRF) attacks.

Vulnerabilities in Jenkins plugins“Although Jenkins encrypts the passwords in the credentials.xml file, some of the plugin developers made use of other ways to store the credentials in the plugin’s own .xml file or in the job’s config.xml file. In the majority of cases these solutions did not involve any encryption. In addition, sometimes the web form where the user submits the credentials revealed the password or the secret token and did not use the correct Jelly form control,” Gazdag explained in a blog post published on Thursday.

“This could be problematic because the default installation (either it was a Docker container image or was installed by a package manager) had the default permission, which was world-readable on the credentials.xml, the plugin’s own global configuration xml file and for each of the jobs’ config.xml. It is worth mentioning that a lot of Jenkins hacking tutorials only mention the credentials.xml file and do not discuss the other two files. Not to mention that the workspace folder could temporarily store some juicy information as well,” he added.

As for the CSRF issues, they are related to functions in the plugins that allow users to test credentials and connect to a server. The CSRF flaws are introduced due to the fact that plugin developers have failed to enforce POST requests, which prevent attacks by using a CSRF token.

The vulnerabilities and the affected plugins are described by Jenkins developers across several advisories published in the past two years, including an advisory released in early April that describes the flaws found in roughly 60 plugins. The advisories show that the security holes found by Gazdag have been assigned “low” and “medium” severity ratings.

The impacted plugins interact with a wide range of services, including Twitter, AWS, VMware and Azure. In most cases, these plugins have been created by third-party developers that have no affiliation to the vendor whose software is used by the plugin.

In some cases, the developers of the affected plugins appear to have released patches since Jenkins developers released advisories, but many remain vulnerable.

Jenkins developers have released advisories for unpatched vulnerabilities to allow administrators to decide for themselves if they still want to use the insecure plugins.

Advertisement. Scroll to continue reading.

“The Jenkins security team triages incoming reports both to Jira and our non-public mailing list. Once we’ve determined it is a plugin not maintained by any Jenkins security team members, we try to inform the plugin maintainer about the issue, offering our help in developing, reviewing, and publishing any fixes. Sometimes the affected plugin is unmaintained, or maintainers don’t respond in a timely manner to the notifications or the followup emails we send,” explained Daniel Beck, a Jenkins core maintainer and head of the Jenkins security team.

Related: Misconfigured Jenkins Servers Leak Sensitive Data

Related: Critical Flaw Patched in Jenkins Automation Server

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.