Jenkins security: Unpatched XSS, CSRF bugs included in latest plugin advisory
Reading Time: 3 Minutes
Open source DevOps platform Jenkins is warning users of unpatched security vulnerabilities impacting more than a dozen plugins.
A leading open source automation server, Jenkins provides thousands of plugins to support building, deploying, and automating projects.
The organization’s latest security advisory lists a total of 27 plugin vulnerabilities, five of which were deemed to be ‘high’ impact and the majority of which remain unpatched.
See Also: So you want to be a hacker?
Complete Offensive Security and Ethical Hacking Course
High five
First on the list of high impact bugs – all of which were unfixed at the time of writing – is a cross-site request forgery (CSRF) vulnerability in the Coverity plugin (CVE-2022-36920).
It was found that the plugin fails to perform a permission check in an HTTP endpoint. In addition, this HTTP endpoint does not require POST requests, opening the door to CSRF attacks.
Meanwhile, an arbitrary file write vulnerability in the CLIF Performance Testing Plugin (CVE-2022-36894) allows attackers with ‘Overall/Read’ permission to create or replace arbitrary files on the Jenkins controller file system with attacker-specified content.
Stored cross-site scripting (XSS) flaws were also discovered in the Dynamic Extended Choice Parameter plugin (CVE-2022-36902) and Maven Metadata plugin (CVE-2022-36905), along with a reflected XSS vulnerability in the Lucene-Search plugin (CVE-2022-36922).
Getting the word out
Of the 27 plugin vulnerabilities listed in the latest Jenkins security advisory, 18 remained unpatched and are effectively zero-days.
Discussing the team’s decision to disclose these issues to the community in lieu of any fixes, Jenkins security officer Wadeck Follonier told The Daily Swig: “The main objective of the Jenkins security team is to ensure the Jenkins plugin ecosystem is as secure as possible.
“With a plugin ecosystem as big as ours, it isn’t a surprise that not every plugin is maintained all the time, and maintainers sometimes cannot be contacted, do not respond, or tell us they’re no longer able to maintain the plugin.
“In those cases, we analyze the vulnerability in depth, write up a detailed description, and announce it in a security advisory with other, fixed vulnerabilities.”
Follonier added: “We believe that announcing vulnerabilities without a fix is the best solution for a difficult problem, as it allows administrators to carefully consider their continued use of the affected plugin.
“Besides the Jenkins Advisories mailing list and our social channels, we inform administrators about vulnerabilities affecting their Jenkins instance directly on the UI immediately after publishing an advisory, so every Jenkins administrator gets informed about this.
“Our recommendation to Jenkins administrators is to read our security advisories to understand whether they’re impacted,” Follonier said. “A lot of vulnerabilities are irrelevant to instances with only a single administrator user that are inaccessible to others, for example.
“Of course, if they are unsure whether they are affected, the safest thing to do is to uninstall the plugin.”
Are u a security researcher? Or a company that writes articles or write ups about Cyber Security, Offensive Security (related to information security in general) that match with our specific audience and is worth sharing?
If you want to express your idea in an article contact us here for a quote: [email protected]
Source: portswigger.net
Recent News
Offensive Security & Ethical Hacking Course
Begin the learning curve of hacking now!
Information Security Solutions
Find out how Pentesting Services can help you.
