Connect with us

Hi, what are you looking for?

Hard News Hard Hitting News Source Global Political News

Cyber Security

Jenkins security: Unpatched XSS, CSRF bugs included in latest plugin advisory

Open source DevOps platform Jenkins is warning users of unpatched security vulnerabilities impacting more than a dozen plugins.

A leading open source automation server, Jenkins provides thousands of plugins to support building, deploying, and automating projects.

The organization’s latest security advisory lists a total of 27 plugin vulnerabilities, five of which were deemed to be ‘high’ impact and the majority of which remain unpatched.

High five

First on the list of high impact bugs – all of which were unfixed at the time of writing – is a cross-site request forgery (CSRF) vulnerability in the Coverity plugin (CVE-2022-36920).

It was found that the plugin fails to perform a permission check in an HTTP endpoint. In addition, this HTTP endpoint does not require POST requests, opening the door to CSRF attacks.

Meanwhile, an arbitrary file write vulnerability in the CLIF Performance Testing Plugin (CVE-2022-36894) allows attackers with ‘Overall/Read’ permission to create or replace arbitrary files on the Jenkins controller file system with attacker-specified content.

Stored cross-site scripting (XSS) flaws were also discovered in the Dynamic Extended Choice Parameter plugin (CVE-2022-36902) and Maven Metadata plugin (CVE-2022-36905), along with a reflected XSS vulnerability in the Lucene-Search plugin (CVE-2022-36922).

Getting the word out

Of the 27 plugin vulnerabilities listed in the latest Jenkins security advisory, 18 remained unpatched and are effectively zero-days.

Discussing the team’s decision to disclose these issues to the community in lieu of any fixes, Jenkins security officer Wadeck Follonier told The Daily Swig: “The main objective of the Jenkins security team is to ensure the Jenkins plugin ecosystem is as secure as possible.

“With a plugin ecosystem as big as ours, it isn’t a surprise that not every plugin is maintained all the time, and maintainers sometimes cannot be contacted, do not respond, or tell us they’re no longer able to maintain the plugin.

“In those cases, we analyze the vulnerability in depth, write up a detailed description, and announce it in a security advisory with other, fixed vulnerabilities.”

Follonier added: “We believe that announcing vulnerabilities without a fix is the best solution for a difficult problem, as it allows administrators to carefully consider their continued use of the affected plugin.

“Besides the Jenkins Advisories mailing list and our social channels, we inform administrators about vulnerabilities affecting their Jenkins instance directly on the UI immediately after publishing an advisory, so every Jenkins administrator gets informed about this.

“Our recommendation to Jenkins administrators is to read our security advisories to understand whether they’re impacted,” Follonier said. “A lot of vulnerabilities are irrelevant to instances with only a single administrator user that are inaccessible to others, for example.

“Of course, if they are unsure whether they are affected, the safest thing to do is to uninstall the plugin.”

Advertisement. Scroll to continue reading.

Source: https://portswigger.net/daily-swig/jenkins-security-unpatched-xss-csrf-bugs-included-in-latest-plugin-advisory

Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

You May Also Like

Cyber Security

A recently patched bug in the Chromium project could allow malicious actors to bypass a security feature that protects sensitive cookies on Android browsers....

Cyber Security

Gartner has patched a DOM XSS vulnerability found in the Peer Insights widget, a security bug researchers reckon dates back to the original development of the...

Cyber Security

XSS Hunter now has a home at Truffle Security, which has launched a new version of the tool after its original creator declared that he...

Cyber Security

Popular DevOps platform CircleCI has blamed an attack that successfully planted malware on an internal engineer’s laptop for a recent security breach. The attack, acknowledged on January...

Copyright © 2023 Hard News Herd Hitting in Your Face News Source | World News | Breaking News | US News | Political News Website by Top Search SEO