"Jenkins Discloses Dozens of Zero-Day Bugs in Multiple Plugins"

The Jenkins security team has disclosed 34 security vulnerabilities affecting 29 plugins for the Jenkins open-source automation server, none of which had a fix available at the time of disclosure. Jenkins, which supports more than 1,700 plugins, is used by enterprises worldwide to build, test, and deploy software. The CVSS base scores of the zero-days range from low to high severity, and the affected plugins have more than 22,000 installs according to Jenkins' own statistics. The unpatched flaws include Cross-Site Scripting (XSS), including stored XSS, Cross-Site Request Forgery (CSRF), missing or incorrect permission checks, and passwords, Application Programming Interface (API) keys, and tokens stored in plain text. Most of the high-severity flaws can be exploited remotely by an attacker with low privileges in a low-complexity attack, but they require user interaction, as is typical of XSS and CSRF. According to Shodan data, more than 144,000 Jenkins servers are currently reachable from the Internet and could be targeted if they run any of the unpatched plugins. This article continues to discuss the potential exploitation and impact of the zero-day bugs discovered in 29 plugins for the Jenkins open-source automation server.

Bleeping Computer reports "Jenkins Discloses Dozens of Zero-Day Bugs in Multiple Plugins"
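The advisory summarised above names bug classes rather than code, so the following is an added illustration, not code from any of the 29 affected plugins and not the Jenkins project's own code. It shows a hypothetical build step written the way the advisories describe (a form-validation endpoint with no permission check, reachable by GET and therefore outside Jenkins' CSRF crumb check, and a token persisted as a plain String) and then the same step written the way the Jenkins plugin security guidelines recommend. Class, field, and parameter names (LeakyBuilder, HardenedBuilder, Probe, apiToken) are assumptions for the example; the XSS class is not shown because it lives in the plugin's Jelly views rather than its Java code. In a real plugin each top-level class would sit in its own file.

```java
// Added example, not from any affected plugin: vulnerable vs. hardened form of a
// hypothetical build step. Names are invented for illustration.
import hudson.Extension;
import hudson.model.AbstractProject;
import hudson.model.Item;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Builder;
import hudson.util.FormValidation;
import hudson.util.Secret;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;

/** Vulnerable form: the three bug classes from the advisories in one class. */
class LeakyBuilder extends Builder {
    // Token held as a plain String: XStream writes it verbatim into the job's
    // config.xml, readable by anyone with Item/ExtendedRead or a copy of $JENKINS_HOME.
    private final String apiToken;

    @DataBoundConstructor
    public LeakyBuilder(String apiToken) { this.apiToken = apiToken; }
    public String getApiToken() { return apiToken; }

    @Extension
    public static class DescriptorImpl extends BuildStepDescriptor<Builder> {
        // No permission check and no HTTP-verb restriction: Stapler serves this on
        // GET, so the CSRF crumb is never checked. A page the victim visits can make
        // their Jenkins send the token to an attacker-chosen url, and any user with
        // Overall/Read can call it directly to probe internal hosts.
        public FormValidation doTestConnection(@QueryParameter String url,
                                               @QueryParameter String apiToken) {
            return Probe.ping(url, apiToken);
        }

        @Override
        public boolean isApplicable(Class<? extends AbstractProject> jobType) { return true; }
    }
}

/** Hardened form of the same step. */
public class HardenedBuilder extends Builder {
    // hudson.util.Secret is encrypted with the instance's key when persisted and
    // is rendered masked by <f:password> in the config form.
    private final Secret apiToken;

    @DataBoundConstructor
    public HardenedBuilder(Secret apiToken) { this.apiToken = apiToken; }
    public Secret getApiToken() { return apiToken; }

    @Extension
    public static class DescriptorImpl extends BuildStepDescriptor<Builder> {
        // @POST makes Stapler reject GET, which puts the request under the CSRF
        // crumb filter; the permission check ties the side effect to a user who may
        // configure this job (or administer Jenkins when used outside any job).
        @POST
        public FormValidation doTestConnection(@AncestorInPath Item item,
                                               @QueryParameter String url,
                                               @QueryParameter String apiToken) {
            if (item == null) {
                Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            } else {
                item.checkPermission(Item.CONFIGURE);
            }
            // Wrap immediately; unwrap only at the point of use.
            Secret token = Secret.fromString(apiToken);
            return Probe.ping(url, token.getPlainText());
        }

        @Override
        public boolean isApplicable(Class<? extends AbstractProject> jobType) { return true; }
    }
}

/** Hypothetical connectivity check shared by both forms. */
final class Probe {
    static FormValidation ping(String url, String token) {
        try {
            HttpURLConnection c = (HttpURLConnection) new URL(url).openConnection();
            c.setConnectTimeout(5_000);
            c.setReadTimeout(5_000);
            c.setRequestProperty("Authorization", "Bearer " + token);
            int status = c.getResponseCode();
            return status == 200 ? FormValidation.ok("Connected")
                                 : FormValidation.error("Service returned HTTP " + status);
        } catch (IOException e) {
            return FormValidation.error(e, "Connection failed");
        }
    }
}
```

The permission check belongs in the `do*` method itself, not in the Jelly view that calls it, because the endpoint is reachable by URL regardless of what the form shows. The `@POST` annotation on its own stops the CSRF variant, the permission check on its own stops the low-privilege direct call, and only the `Secret` field stops the plain-text storage; the three defects in the advisories are independent and each needs its own fix.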
