Jenkins

On Thursday, the Jenkins security team announced 34 security vulnerabilities affecting 29 plugins for the Jenkins open source automation server, 29 of the bugs being zero-days still waiting to be patched.

Jenkins is a highly popular platform (with support for over 1,700 plugins) used by enterprises worldwide for building, testing, and deploying software.

The zero-days' CVSS base scores range from low to high severity, and, according to Jenkins' stats, the impacted plugins have a total of more than 22,000 installs.

The complete list of flaws yet to be patched includes XSS, Stored XSS, Cross-Site Request Forgery (CSRF) bugs, missing or incorrect permission checks, as well as passwords, secrets, API keys, and tokens stored in plain text.

Luckily, most of the dangerous ones, the high severity zero-days, require user interaction to be exploited in low complexity attacks by remote attackers with low privileges.

Based on Shodan data, there are currently more than 144,000 Internet-exposed Jenkins servers that could be targeted in attacks if running an unpatched plugin.

Internet-exposed Jenkins servers
Internet-exposed Jenkins servers (Shodan)

While the Jenkins team has patched four of the plugins (i.e., GitLab, requests-plugin, TestNG Results, XebiaLabs XL Release), there's still a long list of vulnerable ones, including:

  • Build Notifications Plugin up to and including 1.5.0
  • build-metrics Plugin up to and including 1.3
  • Cisco Spark Plugin up to and including 1.1.1
  • Deployment Dashboard Plugin up to and including 1.0.10
  • Elasticsearch Query Plugin up to and including 1.2
  • eXtreme Feedback Panel Plugin up to and including 2.0.1
  • Failed Job Deactivator Plugin up to and including 1.2.1
  • GitLab Plugin up to and including 1.5.34
  • HPE Network Virtualization Plugin up to and including 1.0
  • Jigomerge Plugin up to and including 0.9
  • Matrix Reloaded Plugin up to and including 1.1.3
  • OpsGenie Plugin up to and including 1.9
  • Plot Plugin up to and including 2.1.10
  • Project Inheritance Plugin up to and including 21.04.03
  • Recipe Plugin up to and including 1.2
  • Request Rename Or Delete Plugin up to and including 1.1.0
  • requests-plugin Plugin up to and including 2.2.16
  • Rich Text Publisher Plugin up to and including 1.4
  • RocketChat Notifier Plugin up to and including 1.5.2
  • RQM Plugin up to and including 2.8
  • Skype notifier Plugin up to and including 1.1.0
  • TestNG Results Plugin up to and including 554.va4a552116332
  • Validating Email Parameter Plugin up to and including 1.10
  • XebiaLabs XL Release Plugin up to and including 22.0.0
  • XPath Configuration Viewer Plugin up to and including 1.1.1

"As of publication of this advisory, there is no fix," the Jenkins security team said when describing the unpatched vulnerabilities.

While none of the vulnerabilities are critical severity ones that could let threat actors execute code or commands remotely on vulnerable servers to take them over, they could be targeted in attacks against enterprise networks.

This wouldn't be the first time it has happened since unpatched Jenkins servers have been compromised before to mine Monero cryptocurrency.

However, potential attackers would more likely exploit these zero-days in reconnaissance attacks allowing them to gain more insight into a targeted company's infrastructure.

Related Articles:

Hackers exploit WordPress plugin flaw to infect 3,300 sites with malware

AnyCubic fixes exploited 3D printer zero day flaw with new firmware

Apple fixes two new iOS zero-days exploited in attacks on iPhones

Lazarus hackers exploited Windows zero-day to gain Kernel privileges

Joomla fixes XSS flaws that could expose sites to RCE attacks