Multiple Critical Vulnerabilities Detected in Jenkins

Multiple Critical Vulnerabilities Detected in Jenkins
BRANDEFENSE
Security News
04/07/2022

Last updated on August 9th, 2022 at 02:19 am

Multiple vulnerabilities have been detected in Jenkins – an open-source software developed with Java to automate the Continuous Integration process – allowing threat actors to perform XSS and CSRF attacks. Jenkins continually develops and tests software projects, making it easy for developers to integrate changes into the project.

Details of the vulnerabilities rated as critical are given below;

  • The vulnerability, tracked as CVE-2022-34784, is a cross-site scripting (XSS) vulnerability that affects the build-metrics plugin used by Jenkins and can be exploited by threat actors with build/update permissions.
  • CVE-2022-34787 is a cross-site scripting (XSS) vulnerability found in the Project Inheritance plugin used by Jenkins.
  • CVE-2022-34788 is a cross-site scripting (XSS) execution vulnerability found in the Matrix Reloaded plugin used by Jenkins.
  • CVE-2022-34790 is a cross-site scripting (XSS) vulnerability found in the eXtreme Feedback Panel plugin used by Jenkins.
  • The vulnerability tracked as CVE-2022-34792 is found in the Recipe plugin used by Jenkins and allows threat actors to perform cross-site request forgery (CSRF) and XXE (XML External Entity) injection attacks on the affected system.
  • The vulnerability tracked as CVE-2022-34791 resides in the Email Parameter plugin used by Jenkins and allows threat actors to perform cross-site scripting (XSS) attacks on affected installations.
  • CVE-2022-34783 is a cross-site scripting (XSS) vulnerability found in the Plot plugin used by Jenkins.
  • CVE-2022-34777 is a stored cross-site scripting (XSS) vulnerability found in the GitLab plugin used by Jenkins.
  • CVE-2022-34786 is a cross-site scripting (XSS) vulnerability found in the Rich Text Publisher plugin used by Jenkins.
  • CVE-2022-34778 is a cross-site scripting (XSS) vulnerability found in the TestNG Results plugin used by Jenkins.
  • CVE-2022-34795 is a stored cross-site scripting (XSS) vulnerability found in the Deployment Dashboard plugin used by Jenkins.

An update that fixes the security vulnerabilities detected in these Jenkins plugins has not been released yet. Successful exploitation of vulnerabilities can allow remote threat actors to obtain sensitive information, change the web page’s appearance, and carry out phishing attacks. In this context, it is recommended to follow the updates that fix the vulnerabilities and apply them immediately if they are published.

CVE-2022-34777 CVE-2022-34778 CVE-2022-34783 CVE-2022-34784 CVE-2022-34786 CVE-2022-34787 CVE-2022-34788 CVE-2022-34790 CVE-2022-34791 CVE-2022-34792 CVE-2022-34795 Jenkins
Related Posts
Close
Search

Hit enter to search or ESC to close