Jenkins Releases Critical Updates to Fix High-Risk Plugin Vulnerabilities

November 15, 2024

The developers of Jenkins, a widely used web-based software development tool, have released security updates addressing vulnerabilities in seven plugins: Shared Library Version Override, IvyTrigger, OpenId Connect Authentication, Authorize Project, Pipeline: Declarative, Pipeline: Groovy, and Script Security. The flaws range from medium to high severity and called for prompt attention. The updated plugin versions are intended to close these holes and keep automation environments built on Jenkins secure.

The vulnerabilities fixed in the update cover a range of security issues. Among the most serious is a security bypass in the Shared Library Version Override Plugin that could let unauthorized users manipulate shared library versions and so compromise the integrity of the build process. The IvyTrigger Plugin contained an XXE (XML External Entity) vulnerability, which creates a risk of unauthorized data access or injection attacks. The OpenId Connect Authentication Plugin validated sessions improperly, which could let attackers hijack authentication sessions and gain unauthorized access.

A cross-site scripting flaw in the Authorize Project Plugin exposed users to web-based attacks that execute malicious scripts in the browser. The Pipeline: Declarative and Pipeline: Groovy Plugins shared a missing rebuild permission check that, if left unpatched, could permit unauthorized code execution. Finally, the Script Security Plugin lacked permission checks, compromising the script execution environment. The developers have released updated versions, including Authorize Project Plugin 1.8.0 and IvyTrigger Plugin 1.0.2, to eliminate these risks.

