Security add-on with nearly 250,000 installations included in patch list

Jenkins security: Latest advisory highlights more than 20 vulnerable plugins

The maintainers of the Jenkins project have issued a security advisory that highlights vulnerabilities in more than 20 plugins for the open source automation server.

DevOps teams are urged to check the advisory to ensure their continuous integration pipelines are not impacted by any of the flaws, and to update the affected plugins where necessary.

Among the list of now-patched bugs is a sandbox bypass vulnerability impacting the Script Security Plugin, which has nearly 250,000 active installations.

A series of cross-site scripting (XSS) vulnerabilities have also been disclosed and triaged in Git Plugin, Timestamper Plugin, and Audit Trail Plugin.

Zero-days, but no need to panic

The latest Jenkins security advisory lists three unpatched flaws impacting the CryptoMove Plugin, Literate Plugin, and Subversion Release Manager Plugin.

For CryptoMove, an OS command injection bug could allow a user with Job/Configure permission to execute arbitrary OS commands on the Jenkins master.

Likewise for Literate, the plugin's YAML parser is not configured to restrict what the parser may instantiate from a document, an unpatched shortcoming that could open the door to remote code execution.

The Subversion Release Manager Plugin, meanwhile, contains a reflected XSS vulnerability that could be exploited by users with Job/Configure permission.
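The Literate Plugin flaw is an instance of a general YAML deserialization problem: a parser that honours type tags will construct whatever the document names, so the loader configuration decides whether a document can trigger code. The following is an added example, not code from the Literate Plugin or the Jenkins project. It uses Python's PyYAML to show the two loader configurations side by side, since the same choice exists there as with SnakeYAML's Constructor versus SafeConstructor in a Java plugin. The document is constructed for the demonstration, and the tagged node calls os.getcwd rather than anything harmful.

```python
"""Added example (not Literate Plugin code): a YAML loader that honours
arbitrary object-construction tags versus one restricted to plain data."""
import os
import yaml
from yaml.constructor import ConstructorError

# Constructed sample document: an innocent-looking build description that
# also carries a tagged node asking the parser to call a Python callable
# while the document is being loaded. os.getcwd is harmless here; an
# attacker would name something with side effects instead.
TAINTED_DOC = """\
name: my-pipeline
steps:
  - echo hello
payload: !!python/object/apply:os.getcwd []
"""


def load_unrestricted(doc):
    """Full-power loader: resolves python/object tags and runs the callable.

    This is the misconfiguration class described in the article: the parser
    is allowed to instantiate whatever type the document names.
    """
    return yaml.load(doc, Loader=yaml.UnsafeLoader)


def load_restricted(doc):
    """safe_load only knows the standard YAML types (map, seq, scalars);
    any other tag is a ConstructorError rather than an instantiation."""
    return yaml.safe_load(doc)


def classify(doc):
    """Return 'accepted' or 'rejected' depending on whether the restricted
    loader is willing to construct the document at all."""
    try:
        load_restricted(doc)
        return "accepted"
    except ConstructorError:
        return "rejected"


def payload_was_executed(doc):
    """True when the unrestricted loader actually called os.getcwd() for the
    tagged node, i.e. the document controlled what code ran during parsing."""
    return load_unrestricted(doc)["payload"] == os.getcwd()


if __name__ == "__main__":
    print("unrestricted loader executed the tagged call:",
          payload_was_executed(TAINTED_DOC))
    print("restricted loader verdict:", classify(TAINTED_DOC))
```

The fix for this class is the loader choice alone: a document that only contains the standard YAML types loads identically through both functions, so switching a plugin to the restricted constructor costs nothing for legitimate input and removes the instantiation path entirely.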

Fortunately, however, the installed base of these three plugins is very small.

“In these specific cases… it’s unlikely that there are many teams affected,” Daniel Beck, Jenkins project security officer, told The Daily Swig.

“The Jenkins project gets anonymous usage statistics from more than a quarter million instances. Out of all of these, Literate Plugin is installed on 13 instances and CryptoMove Plugin on just one.”

Beck added: “Subversion Release Manager Plugin hasn’t been distributed by the Jenkins project since 2017, and usage statistics indicate it was used on just around 1% of instances even back then.

“As you can see, even plugins with very low adoption numbers are treated with diligence in the Jenkins security process.”

Jenkins is an open source automation server that helps developers build, test, and deploy their software.

The DevOps platform is used by a reported 15 million developers around the world.
