On Thursday, the Jenkins security team announced 34 security vulnerabilities affecting 29 plugins for the Jenkins open-source automation server. 29 of these bugs are zero-days still waiting to be patched. Jenkins is a highly popular platform with support for over 1,700 plugins and is used by enterprises worldwide for building, testing, and deploying software. The zero-days’ CVSS base scores range from low to high severity and according to Jenkins’ stats, the impacted plugins have a total of more than 22,000 installs. The complete list of flaws yet to be patched includes XSS, Stored XSS, Cross-Site Request Forgery (CSRF) bugs, missing or incorrect permission checks, passwords, secrets, API keys, and tokens stored in plain text.
Luckily, most of the high severity zero-days require user interaction to be exploited. Based on Shodan data, there are currently more than 144,000 Internet-exposed Jenkins servers that could be targeted in attacks if running an unpatched plugin. While the Jenkins team has patched four of the plugins (i.e., GitLab, requests-plugin, TestNG Results, XebiaLabs XL Release), there’s still a long list of vulnerable ones. While none of the vulnerabilities are of critical severity, they could be targeted in attacks against enterprise networks. This wouldn’t be the first time, as unpatched Jenkins servers have been compromised before to mine Monero cryptocurrency. However, potential attackers would more likely exploit these zero-days in reconnaissance attacks, allowing them to gain more insight into a targeted company’s infrastructure.
“As of the publication of this advisory, there is no fix,” the Jenkins security team said when describing the unpatched vulnerabilities. Users of Jenkins systems are advised to continually check for new updates to the software and enable auto-update if available.