Security consultant finds more than 100 Jenkins plugins have security flaws

An NCC Group security consultant has discovered more than 100 Jenkins plugins have security flaws, zdnet writes. Viktor Gazdag discovered the vulnerabilities over the span of 18 months, and although he contacted the developers behind the plugins, many of them have not been fixed. According to Gazdag, it is likely many of those plugins have been since abandoned by their creators, leaving no one to introduce changes. 

Jenkins is an open-source automation server used by developer teams to run automated tests and offers continuous integration and deployment of new products. This Java-coded server is favoured by the enterprise sector. However, many of the plugins devs can use are open-source products created by third parties.

Gazdag found that many of the unpatched Jenkins plugins did not use Jenkins’ credentials.xml file. Instead, they stored unencrypted passwords in cleartext. Moreover, some also had Cross-Site Request Forgery flaws. These allow threat actors to send credentials to their server by utilising plugins' "connection test" functions. Server-Side Request Forgery flaws, on the other hand, allowed hackers to “port-scan and map companies' internal networks.”

According to Gazdag, these vulnerabilities can be used for recon operations and targeted attacks rather than automated attacks.