"Jenkins Patches High-Severity Vulnerabilities in Multiple Plugins"

Open source software development automation server Jenkins recently announced patches for high and medium severity vulnerabilities impacting multiple plugins.  The patches address three high severity cross-site request forgery (CSRF) and cross-site scripting (XSS) issues in the Folders, Flaky Test Handler, and Shortcut Job plugins.  Jenkins noted that the first bug, tracked as CVE-2023-40336, exists because no POST requests were required for an HTTP endpoint in version 6.846.v23698686f0f6 and earlier of the Folders plugin, leading to CSRF.  This vulnerability allows attackers to copy an item, which could potentially automatically approve unsandboxed scripts and allow the execution of unsafe scripts.  The second high severity bug, CVE-2023-40342, impacts Flaky Test Handler plugin versions 1.2.2 and earlier, which do not escape JUnit test contents when they are displayed in the Jenkins UI, allowing attackers to perform XSS attacks.  Jenkins noted that Shortcut Job plugin versions 0.4 and earlier do not escape the shortcut redirection URL, leading to an XSS flaw tracked as CVE-2023-40346.  Another high severity XSS flaw was identified in Docker Swarm plugin versions 1.11 and earlier, which do not escape values returned from Docker before they are inserted into the Docker Swarm Dashboard view.  However, no patch was released for this bug.  Jenkins also recently announced fixes for medium-severity vulnerabilities in the Folders, Config File Provider, NodeJS, Blue Ocean, Fortify, and Delphix plugins.  According to Jenkins, these flaws could lead to information disclosure, credential leaks, CSRF attacks, HTML injection, and credential ID enumeration.  Fixes were included in Blue Ocean version 1.27.5.1, Config File Provider version 953.v0432a_802e4d2, Delphix version 3.0.3, Flaky Test Handler version 1.2.3, Folders version 6.848.ve3b_fd7839a_81, Fortify version 22.2.39, NodeJS version 1.6.0.1, and Shortcut Job version 0.5.  Additionally, Jenkins warned that no patches have been released for three medium severity flaws in the Maven Artifact ChoiceListProvider (Nexus), Gogs, and Favorite View plugins that could lead to credential exposure, information disclosure, and CSRF attacks.

 

SecurityWeek reports: "Jenkins Patches High-Severity Vulnerabilities in Multiple Plugins"

Submitted by Anonymous on