
Jenkins discloses zero-day vulnerabilities affecting dozens of plugins

Written by Hardik Manocha
Co-founder @ FourCore

The leading open-source automation server, Jenkins, provides hundreds of plugins to support building, deploying and automating any project. The Jenkins project has a lot going on between core/plugin development, events and other open-source automation-related activities.

Are you vulnerable to Jenkins Plugins Zero Day?

Recently, the Jenkins Security Team released an advisory dated 2022-06-30 disclosing 34 security vulnerabilities affecting 29 plugins for the Jenkins project. Four of those plugins have been patched at the time of writing, while 25 remain unpatched.

The 1800+ community-contributed plugins support building, deploying and automating any project.

CVE

This advisory announces vulnerabilities in the following Jenkins deliverables:

Affected Jenkins Plugins:

  • Build Notifications Plugin up to and including 1.5.0
  • build-metrics Plugin up to and including 1.3
  • Cisco Spark Plugin up to and including 1.1.1
  • Deployment Dashboard Plugin up to and including 1.0.10
  • Elasticsearch Query Plugin up to and including 1.2
  • eXtreme Feedback Panel Plugin up to and including 2.0.1
  • Failed Job Deactivator Plugin up to and including 1.2.1
  • GitLab Plugin up to and including 1.5.34
  • HPE Network Virtualization Plugin up to and including 1.0
  • Jigomerge Plugin up to and including 0.9
  • Matrix Reloaded Plugin up to and including 1.1.3
  • OpsGenie Plugin up to and including 1.9
  • Plot Plugin up to and including 2.1.10
  • Project Inheritance Plugin up to and including 21.04.03
  • Recipe Plugin up to and including 1.2
  • Request Rename Or Delete Plugin up to and including 1.1.0
  • requests-plugin Plugin up to and including 2.2.16
  • Rich Text Publisher Plugin up to and including 1.4
  • RocketChat Notifier Plugin up to and including 1.5.2
  • RQM Plugin up to and including 2.8
  • Skype notifier Plugin up to and including 1.1.0
  • TestNG Results Plugin up to and including 554.va4a552116332
  • Validating Email Parameter Plugin up to and including 1.10
  • XebiaLabs XL Release Plugin up to and including 22.0.0
  • XPath Configuration Viewer Plugin up to and including 1.1.1

The flaws include missing or incorrect permission checks; passwords, secrets, API keys and tokens stored in plain text; stored XSS; Cross-Site Request Forgery (CSRF), in one case allowing XML external entity (XXE) attacks; and other XSS issues. Examples from the advisory:

  • Password stored in plain text by Jigomerge Plugin
  • Password stored in plain text by Elasticsearch Query Plugin
  • Token stored in plain text by Cisco Spark Plugin
  • CSRF vulnerability and missing permission checks in Deployment Dashboard Plugin
  • Stored XSS vulnerability in Deployment Dashboard Plugin
  • Missing permission checks in Deployment Dashboard Plugin allow enumerating credentials IDs

As of the publication of this blog, no fixes are available for the plugins mentioned above.

According to the Common Vulnerability Scoring System (CVSS), the vulnerabilities range from low to high severity, and the impacted plugins have thousands of installations across the globe.

Most of the high-severity zero-days are low-complexity attacks that require user interaction to exploit. A staggering 140,000+ Jenkins servers are exposed to the internet, and any of them running an unpatched plugin can become an attacker's target.

[Figure: Shodan search results for internet-exposed Jenkins servers]

Mitigate Jenkins Plugins Zero Day

While 25 of the 29 plugins are still waiting to be patched, the Jenkins Security Team has released patches for four of the major plugins:

  • GitLab Plugin should be updated to version 1.5.35
  • requests-plugin Plugin should be updated to version 2.2.17
  • TestNG Results Plugin should be updated to version 555.va0d5f66521e3
  • XebiaLabs XL Release Plugin should be updated to version 22.0.1

These versions include fixes to the vulnerabilities described above. All prior versions are considered affected by these vulnerabilities unless otherwise indicated.

These vulnerabilities stand a good chance of being used for initial access and reconnaissance, allowing attackers to gain more insight into a targeted company's infrastructure.

You can query Jenkins for its installed plugins and their versions using the Groovy script below. Run it from your Jenkins instance's script console at http://<jenkinsurl>/script.

Jenkins.instance.pluginManager.plugins.each {
  plugin ->
    println("${plugin.getDisplayName()} (${plugin.getShortName()}): ${plugin.getVersion()}")
}

Alternatively, you can open the plugin usage page on your Jenkins server dashboard for more details: http://<jenkinsurl>/pluginusage
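As an added example (not code from the original post or from the Jenkins project), the following Python script takes the output of the Groovy one-liner above and reports which installed plugins fall inside the advisory's "up to and including" ranges, with the fixed version where one exists. The table covers a subset of the affected list on this page and can be extended with the remaining entries; matching on the printed display name and ordering versions by their numeric prefix are assumptions.

```python
import re

# Subset of the 2022-06-30 advisory's "up to and including" ceilings, keyed by lower-cased
# display name minus " Plugin": (last affected version, fixed version or None). Extend as needed.
AFFECTED = {
    "deployment dashboard": ("1.0.10", None),
    "gitlab": ("1.5.34", "1.5.35"),
    "project inheritance": ("21.04.03", None),
    "requests-plugin": ("2.2.16", "2.2.17"),
    "testng results": ("554.va4a552116332", "555.va0d5f66521e3"),
    "xebialabs xl release": ("22.0.0", "22.0.1"),
}

# One line of the script-console output: "<display name> (<short name>): <version>"
LINE_RE = re.compile(r"^(?P<name>.+?)\s+\((?P<short>[^)]+)\):\s+(?P<version>\S+)$")

def version_key(version):
    """Leading numeric dot-separated components, e.g. "21.04.03" -> (21, 4, 3) and
    "555.va0d5f66521e3" -> (555,); assumes the .v<hash> suffix never decides order."""
    parts = []
    for component in version.split("."):
        match = re.match(r"\d+", component)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)

def check_plugins(report):
    """Map short name -> (installed version, advice) for every installed plugin
    at or below its advisory ceiling; newer or unlisted plugins are skipped."""
    findings = {}
    for line in report.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        name = re.sub(r"\s+plugin$", "", match["name"], flags=re.IGNORECASE).lower()
        if name in AFFECTED:
            ceiling, fixed = AFFECTED[name]
            if version_key(match["version"]) <= version_key(ceiling):
                advice = f"update to {fixed}" if fixed else "no fix released as of the advisory"
                findings[match["short"]] = (match["version"], advice)
    return findings

# Constructed sample output in the format the script-console snippet prints.
SAMPLE_REPORT = """\
GitLab Plugin (gitlab-plugin): 1.5.34
TestNG Results (testng-plugin): 555.va0d5f66521e3
Deployment Dashboard Plugin (deployment-dashboard): 1.0.10
Example Unrelated Plugin (example-unrelated): 9.9
"""
```

Calling check_plugins(SAMPLE_REPORT) flags the GitLab and Deployment Dashboard entries and skips TestNG Results, whose installed version is above the 554 ceiling.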
