The open source automation tool Jenkins is used in many software development environments. Attackers could use several vulnerabilities to gain access to systems. Not all security updates have been released yet.
Dangerous vulnerabilities
The developers list the vulnerable plug-ins in an advisory. These include Ansible, Email Extension and SAML Single Sign On. Eight vulnerabilities are classified with the threat level "high".
Attackers could carry out a persistent XSS attack via the Job Plug-in (CVE-2023-32977 "high") or TestNG Results (CVE-2023-32984 "high"). A vulnerability in the File Parameter Plug-in (CVE-2023-32986 "high") allows attackers to manipulate files.
Errors in authentication via SAML Single Sign On can, among other things, allow attackers to act as man-in-the-middle and eavesdrop on traffic (CVE-2023-32993 "medium", CVE-2023-32994 "medium").
A vulnerability (CVE-2023-33001 "medium") in the HashiCorp Vault Plugin can leak credentials: under certain conditions, credentials are not sufficiently masked in the build log. No security update is available for it yet.
The developers are currently not explaining how attackers could exploit the security gaps.
Waiting for patches
Security updates have already been released for most of the vulnerabilities. Patches have not yet been announced for the following plug-ins; it is not yet known if and when any will appear.
- HashiCorp Vault Plugin
- LoadComplete support Plugin
- Tag Profiler Plugin
- TestComplete support Plugin
- WSO2 Oauth Plugin