Hiding in Plain Text: Jenkins Plugin Vulnerabilities

By David Fiser (Senior Cyber Threat Researcher)


Jenkins is a widely used open-source automation server that lets development and operations teams build, test, and deploy software efficiently and reliably. To make the most of Jenkins' modular architecture, developers use plugins that extend its core features, including the scripting capabilities of build steps. As of this writing, there are over 1,600 community-contributed plugins in the Jenkins Plugins Index. Some of these plugins store credentials unencrypted, in plain text, in their configuration files. If an attacker gains access to those files, for example during a data breach, the credentials can be read and reused without the organization's knowledge.


On July 11 and August 7, Jenkins published security advisories that included several issues involving credentials stored in plain text. In this blog, we focus on the following information exposure vulnerabilities and the plugins they affect:


Table 1. Information exposure vulnerabilities in Jenkins plugins


It should be noted that, as of this writing, the vulnerabilities in the Port Allocator, TestLink, and Caliper CI plugins have not been fixed. The eggPlant plugin has been deprecated, and its current version is not safe to use.


Access to stored credentials


Vulnerabilities that affect Jenkins plugins can be exploited to siphon off sensitive credentials. Credentials that a plugin stores in plain text can be read by any user with the Extended Read permission, as well as by anyone with access to the master file system. Once leaked, they may give an attacker access to the other services the plugin integrates with, and, where users reuse passwords across platforms or services, to accounts well beyond Jenkins itself.
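The practical check that follows from this is to look through the XML configuration files under JENKINS_HOME for credential-like fields whose values are not in Jenkins' encrypted Secret format. The script below is an added example written for this article, not code from the original post or from the Jenkins project. It assumes that values stored through hudson.util.Secret appear in config.xml as base64 wrapped in braces, for instance {AQAAABAAAAAw...}, and treats anything else found in an element whose name looks like a password, token or key as plain text. The field-name pattern is a heuristic, and legacy Secret values written as bare base64 by very old Jenkins versions would be flagged as false positives, so every hit should be reviewed by hand. The three config.xml documents embedded in the script are constructed samples, not real plugin output.

```python
"""Flag plugin/job configuration values that look like credentials but are
not stored in Jenkins' encrypted Secret format.

Added example, not from the original article or the Jenkins project.
Assumptions:
  - hudson.util.Secret serializes to config.xml as base64 inside braces,
    e.g. {AQAAABAAAAAw...}. Any other value in a credential-like element is
    reported as plain text (bare-base64 legacy Secrets will be reported too).
  - The sample XML documents below are constructed, not real plugin output.
"""
import os
import re
import sys
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Element names plugins commonly use for secrets (heuristic, not exhaustive).
SENSITIVE_NAME = re.compile(
    r"(passw(or)?d|secret|token|api[_-]?key|private[_-]?key|credential)",
    re.IGNORECASE,
)

# Modern hudson.util.Secret wire format: base64 wrapped in braces.
ENCRYPTED_SECRET = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")


def is_encrypted_secret(value: str) -> bool:
    """True if the value is in Jenkins' braced Secret format."""
    return ENCRYPTED_SECRET.match(value.strip()) is not None


def find_plaintext_credentials(config_xml: str) -> List[Tuple[str, str]]:
    """Return (element path, value) for every leaf element whose name looks
    credential-related and whose text is not an encrypted Secret."""
    root = ET.fromstring(config_xml)
    findings: List[Tuple[str, str]] = []

    def walk(elem: ET.Element, path: str) -> None:
        for child in elem:
            child_path = f"{path}/{child.tag}"
            if len(child) == 0:  # leaf element: inspect its text
                text = (child.text or "").strip()
                if text and SENSITIVE_NAME.search(child.tag) and not is_encrypted_secret(text):
                    findings.append((child_path, text))
            else:
                walk(child, child_path)

    walk(root, root.tag)
    return findings


def redact(value: str) -> str:
    """Never echo the secret itself into a report; keep only a short prefix."""
    return value[:2] + "*" * max(len(value) - 2, 3)


def scan_jenkins_home(jenkins_home: str) -> List[Tuple[str, str, str]]:
    """Walk a JENKINS_HOME directory and report (file, element path, value)
    for every plain-text credential found in an XML file."""
    results: List[Tuple[str, str, str]] = []
    for dirpath, _, filenames in os.walk(jenkins_home):
        for name in filenames:
            if not name.endswith(".xml"):
                continue
            full = os.path.join(dirpath, name)
            try:
                with open(full, encoding="utf-8", errors="replace") as fh:
                    xml_text = fh.read()
                for path, value in find_plaintext_credentials(xml_text):
                    results.append((full, path, value))
            except ET.ParseError:
                continue  # not every .xml under JENKINS_HOME is a config document
    return results


# Constructed sample: a plugin's global config storing credentials unencrypted.
PLAINTEXT_CONFIG = """<com.example.ExamplePlugin.DescriptorImpl plugin="example-plugin@1.0">
  <serverUrl>https://example.invalid/api</serverUrl>
  <username>ci-bot</username>
  <password>hunter2</password>
  <apiToken>0123456789abcdef</apiToken>
</com.example.ExamplePlugin.DescriptorImpl>
"""

# Constructed sample: the same plugin after migrating the fields to hudson.util.Secret.
ENCRYPTED_CONFIG = """<com.example.ExamplePlugin.DescriptorImpl plugin="example-plugin@1.1">
  <serverUrl>https://example.invalid/api</serverUrl>
  <username>ci-bot</username>
  <password>{AQAAABAAAAAQ0Z1b2JhcnF1dXhiYXpmb29iYXJxdXV4YmF6Zm9v}</password>
  <apiToken>{AQAAABAAAAAQZm9vYmFycXV1eGJhemZvb2JhcnF1dXhiYXo=}</apiToken>
</com.example.ExamplePlugin.DescriptorImpl>
"""

# Constructed sample: a job config.xml where a build step nests a password
# several levels deep, which is why the scan recurses.
JOB_CONFIG = """<project>
  <builders>
    <com.example.DeployBuilder plugin="example-plugin@1.0">
      <target>prod</target>
      <deployPassword>s3cr3t</deployPassword>
    </com.example.DeployBuilder>
  </builders>
</project>
"""

if __name__ == "__main__":
    home = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("JENKINS_HOME", ".")
    for file_name, path, value in scan_jenkins_home(home):
        print(f"{file_name}: {path} = {redact(value)}")
```

Run it as `python scan.py /var/lib/jenkins` on the master (or on a backup of JENKINS_HOME) and it prints each plain-text hit with the value redacted. The file system walk is exactly the access path the paragraph above describes: anyone who can read these files, or who holds Extended Read and can fetch a job's config.xml over HTTP, sees the same values the script reports.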


The plugins configuration is usual ..
