‘We believe that announcing vulnerabilities without a fix is the best solution for a difficult problem’

Jenkins security - Unpatched XSS, CSRF bugs included in latest plugin advisory

Open source DevOps platform Jenkins is warning users of unpatched security vulnerabilities impacting more than a dozen plugins.

A leading open source automation server, Jenkins provides thousands of plugins to support building, deploying, and automating projects.

The organization’s latest security advisory lists a total of 27 plugin vulnerabilities, five of which were deemed to be ‘high’ impact and the majority of which remain unpatched.

High five

First on the list of high impact bugs – all of which were unfixed at the time of writing – is a cross-site request forgery (CSRF) vulnerability in the Coverity plugin (CVE-2022-36920).

It was found that the plugin fails to perform a permission check in an HTTP endpoint. In addition, this HTTP endpoint does not require POST requests, opening the door to CSRF attacks.

YOU MIGHT ALSO LIKE CompleteFTP path traversal flaw allowed attackers to delete server files

Meanwhile, an arbitrary file write vulnerability in the CLIF Performance Testing Plugin (CVE-2022-36894) allows attackers with ‘Overall/Read’ permission to create or replace arbitrary files on the Jenkins controller file system with attacker-specified content.

Stored cross-site scripting (XSS) flaws were also discovered in the Dynamic Extended Choice Parameter plugin (CVE-2022-36902) and Maven Metadata plugin (CVE-2022-36905), along with a reflected XSS vulnerability in the Lucene-Search plugin (CVE-2022-36922).

Getting the word out

Of the 27 plugin vulnerabilities listed in the latest Jenkins security advisory, 18 remained unpatched and are effectively zero-days.

Discussing the team’s decision to disclose these issues to the community in lieu of any fixes, Jenkins security officer Wadeck Follonier told The Daily Swig: “The main objective of the Jenkins security team is to ensure the Jenkins plugin ecosystem is as secure as possible.

“With a plugin ecosystem as big as ours, it isn’t a surprise that not every plugin is maintained all the time, and maintainers sometimes cannot be contacted, do not respond, or tell us they’re no longer able to maintain the plugin.

“In those cases, we analyze the vulnerability in depth, write up a detailed description, and announce it in a security advisory with other, fixed vulnerabilities.”

Read more about the latest security vulnerabilities

Follonier added: “We believe that announcing vulnerabilities without a fix is the best solution for a difficult problem, as it allows administrators to carefully consider their continued use of the affected plugin.

“Besides the Jenkins Advisories mailing list and our social channels, we inform administrators about vulnerabilities affecting their Jenkins instance directly on the UI immediately after publishing an advisory, so every Jenkins administrator gets informed about this.

“Our recommendation to Jenkins administrators is to read our security advisories to understand whether they’re impacted,” Follonier said. “A lot of vulnerabilities are irrelevant to instances with only a single administrator user that are inaccessible to others, for example.

“Of course, if they are unsure whether they are affected, the safest thing to do is to uninstall the plugin.”

RECOMMENDED Trio of XSS bugs in open source web apps could lead to complete system compromise