
Jenkins warns of security holes in these 25 plugins
2022-06-30 20:22

Jenkins, an open-source automation server for continuous integration and delivery, has published 34 security advisories covering 25 plugins used to extend the software.

The June 30 advisory follows a similar advisory from June 22, covering 28 plugins and Jenkins core software.

"These kinds of flaws are not uncommon - in past research at NCC Group, we've found vulnerabilities in over 100 Jenkins plugins," said Jennifer Fernick, SVP and global head of research at NCC Group, a security consultancy, in an email to The Register.

In a write-up earlier this year, NCC described ten attacks that compromised Jenkins and other CI/CD systems during security assessments for clients.

The security firm describes one attack involving a GitHub OAuth plugin that was deployed in Jenkins for authentication and authorization.

Because the plugin granted READ permission to all authenticated users, and the "Use GitHub repository permissions" option was checked so that anyone with a GitHub account could sign in to the Jenkins web interface, an NCC researcher was able to register a GitHub account with a personal hosted email address and use it to gain access to the client's projects.
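The misconfiguration described above is visible in the Jenkins instance's own configuration, which makes it easy to audit. The following Python script is an added example, not code from the article or from NCC Group's write-up: it parses a constructed `$JENKINS_HOME/config.xml` fragment and flags the combination of settings the assessment relied on (authenticated-user READ and repository permissions with no GitHub organization restriction). The plugin class names and XML element names are assumptions based on the github-oauth plugin's on-disk format and should be checked against a real instance before the script is trusted.

```python
"""Audit a Jenkins config.xml for risky GitHub OAuth authorization settings.

Added example for this page. Element and class names follow the github-oauth
plugin's on-disk layout as assumed here; verify them against your own
$JENKINS_HOME/config.xml.
"""
import xml.etree.ElementTree as ET

GITHUB_REALM = "org.jenkinsci.plugins.GithubSecurityRealm"          # assumed
GITHUB_STRATEGY = "org.jenkinsci.plugins.GithubAuthorizationStrategy"  # assumed


def _flag(acl, name):
    """True when the boolean child element <name> of the ACL is set to true."""
    return acl.findtext(name, default="").strip().lower() == "true"


def audit_github_oauth(config_xml):
    """Return a list of findings (empty list means nothing risky was seen)."""
    root = ET.fromstring(config_xml)
    findings = []

    realm = root.find("securityRealm")
    if realm is None or realm.get("class") != GITHUB_REALM:
        return findings  # not using GitHub OAuth; out of scope for this check

    strategy = root.find("authorizationStrategy")
    if strategy is None or strategy.get("class") != GITHUB_STRATEGY:
        findings.append("GitHub OAuth realm without the GitHub authorization strategy")
        return findings

    acl = strategy.find("rootACL")
    if acl is None:
        findings.append("no rootACL under GithubAuthorizationStrategy")
        return findings

    # Organization allow-list: empty means every GitHub account is eligible.
    orgs = [s.text.strip() for s in acl.findall("organizationNameList/string") if s.text]

    if _flag(acl, "allowAnonymousReadPermission"):
        findings.append("anonymous READ enabled: jobs readable without any login")
    if _flag(acl, "authenticatedUserReadPermission") and not orgs:
        findings.append("authenticated-user READ with no organization restriction: "
                        "any GitHub account can log in and read all jobs")
    if _flag(acl, "useRepositoryPermissions") and not orgs:
        findings.append("repository permissions with no organization restriction: "
                        "access is decided by GitHub repo grants alone")
    return findings


# Constructed config.xml mirroring the deployment described in the article.
WEAK_CONFIG = """<?xml version='1.1' encoding='UTF-8'?>
<hudson>
  <securityRealm class="org.jenkinsci.plugins.GithubSecurityRealm">
    <githubWebUri>https://github.com</githubWebUri>
    <githubApiUri>https://api.github.com</githubApiUri>
    <clientID>PLACEHOLDER_CLIENT_ID</clientID>
    <oauthScopes>read:org,user:email</oauthScopes>
  </securityRealm>
  <authorizationStrategy class="org.jenkinsci.plugins.GithubAuthorizationStrategy">
    <rootACL>
      <organizationNameList class="linked-list"/>
      <adminUserNameList class="linked-list"><string>ci-admin</string></adminUserNameList>
      <authenticatedUserReadPermission>true</authenticatedUserReadPermission>
      <useRepositoryPermissions>true</useRepositoryPermissions>
      <allowAnonymousReadPermission>false</allowAnonymousReadPermission>
    </rootACL>
  </authorizationStrategy>
</hudson>
"""

# Constructed hardened variant: access limited to one GitHub organization and
# no blanket READ for every authenticated GitHub user.
HARDENED_CONFIG = WEAK_CONFIG.replace(
    '<organizationNameList class="linked-list"/>',
    '<organizationNameList class="linked-list"><string>example-org</string></organizationNameList>',
).replace(
    "<authenticatedUserReadPermission>true</authenticatedUserReadPermission>",
    "<authenticatedUserReadPermission>false</authenticatedUserReadPermission>",
)

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_github_oauth(cfg) or ["no findings"])
```

Run against a real file with `audit_github_oauth(open(path).read())`; a non-empty result for a production controller is worth a ticket, since the organization allow-list is the control that keeps arbitrary GitHub accounts off the login page.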


News URL

https://go.theregister.com/feed/www.theregister.com/2022/06/30/jenkins_plugins_security_advisories/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Jenkins 628 54 1091 358 70 1573