
Expert found hundreds of vulnerable Jenkins plugins


A security researcher discovered vulnerabilities in more than 100 plugins of the Jenkins open source software development automation server.

Jenkins is the most popular open source automation server; it is maintained by CloudBees and the Jenkins community.

The automation server helps developers build, test and deploy their applications. It has hundreds of thousands of active installations worldwide and more than 1 million users.

Viktor Gazdag, a security consultant at NCC Group, manually tested hundreds of Jenkins plugins and discovered security flaws in over 100 of them.

Jenkins plugins allow developers to implement additional functionality, such as Active Directory authentication, or to automate recurring tasks such as running a static code analyser or copying compiled software to a CIFS share.


Most of the issues are passwords stored in plain text, and cross-site request forgery (CSRF) issues combined with missing permission checks that could be exploited by attackers to steal credentials.

“Although Jenkins encrypts the passwords in the credentials.xml file, some of the plugin developers made use of other ways to store the credentials in the plugin’s own .xml file or in the job’s config.xml file. In the majority of cases these solutions did not involve any encryption,” reads the analysis published by Gazdag.

“In addition, sometimes the web form where the user submits the credentials revealed the password or the secret token and did not use the correct Jelly form control.”

The expert pointed out that a default installation leaves readable permissions on the credentials.xml file, on the plugin’s global configuration XML file, and on each job’s config.xml.

“It is worth mentioning that a lot of Jenkins hacking tutorials only mention the credentials.xml file and do not discuss the other two files,” he added. “Not to mention that the workspace folder could temporarily store some juicy information as well.”

The expert discovered that the CSRF flaws are related to functions implemented in the Jenkins plugins to allow users to test credentials and connect to a server.

The developers of these test functions failed to implement an authorization check based on user roles (requiring the Overall/Administer permission) and to enforce POST requests, which always require a CSRF token called a crumb.

Some of the vulnerable Jenkins plugins have been developed by third-party developers to access a wide range of services, including Twitter, AWS, and Azure.

The Jenkins project has published security advisories for the vulnerabilities that remain unpatched.

“Developers can prevent CSRF by enforcing POST requests and checking permissions with Jenkins.getInstance().checkPermission(Jenkins.ADMINISTER). For safer credential storing use Jenkins’ Secret and password field in the web form,” concludes the expert.
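As an added illustration of the two fixes quoted above (this is not code from the article or from any Jenkins plugin; the class name, field names and the probe() stub are hypothetical), a global configuration descriptor showing the insecure test-connection shape the researcher describes beside the hardened one:

```java
import hudson.Extension;
import hudson.util.FormValidation;
import hudson.util.Secret;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.DataBoundSetter;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

/** Hypothetical plugin settings page with a "Test connection" button (assumed name). */
@Extension
public class ExampleServerConfig extends GlobalConfiguration {
    private String serverUrl;
    // Secret rather than String: Jenkins' XStream converter persists it encrypted
    // in this plugin's own .xml, instead of the plain text the article describes.
    private Secret apiToken;

    public ExampleServerConfig() { load(); }

    public String getServerUrl() { return serverUrl; }
    public Secret getApiToken() { return apiToken; }

    @DataBoundSetter public void setServerUrl(String v) { serverUrl = v; save(); }
    @DataBoundSetter public void setApiToken(Secret v) { apiToken = v; save(); }

    // The weak shape the researcher found: answers a plain GET and runs for any
    // user who can reach the URL, so no crumb and no permission check applies.
    public FormValidation doTestConnectionInsecure(@QueryParameter String serverUrl,
                                                   @QueryParameter String apiToken) {
        return probe(serverUrl, Secret.fromString(apiToken));
    }

    // Hardened: POST only (so Jenkins' crumb check applies) and administrators
    // only, exactly the two controls quoted at the end of the article.
    @RequirePOST
    public FormValidation doTestConnection(@QueryParameter String serverUrl,
                                           @QueryParameter String apiToken) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return probe(serverUrl, Secret.fromString(apiToken));
    }

    // Shared stub: a real plugin would open the connection here; the token is
    // decrypted with getPlainText() only at that point and never echoed back.
    private FormValidation probe(String url, Secret token) {
        if (url == null || url.isEmpty()) return FormValidation.error("Server URL is required");
        return FormValidation.ok("Connection settings accepted");
    }
}
// config.jelly should use <f:password field="apiToken"/> so the form masks the value.
```

The insecure method is kept only to show the contrast; a plugin should ship the annotated, permission-checked version alone.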


Pierluigi Paganini

(SecurityAffairs – Jenkins plugins, hacking)
