Multiple vulnerabilities have been detected in Jenkins, an open-source automation server written in Java that automates the Continuous Integration process, allowing threat actors to perform XSS, CSRF and XXE attacks. Jenkins continuously builds and tests software projects, making it easy for developers to integrate their changes into the project.
Details of the vulnerabilities rated as critical are given below:
- The vulnerability, tracked as CVE-2022-34784, is a cross-site scripting (XSS) vulnerability that affects the build-metrics plugin used by Jenkins and can be exploited by threat actors with build/update permissions.
- CVE-2022-34787 is a cross-site scripting (XSS) vulnerability found in the Project Inheritance plugin used by Jenkins.
- CVE-2022-34788 is a cross-site scripting (XSS) vulnerability found in the Matrix Reloaded plugin used by Jenkins.
- CVE-2022-34790 is a cross-site scripting (XSS) vulnerability found in the eXtreme Feedback Panel plugin used by Jenkins.
- The vulnerability tracked as CVE-2022-34792 is found in the Recipe plugin used by Jenkins and allows threat actors to perform cross-site request forgery (CSRF) and XXE (XML External Entity) injection attacks on the affected system.
- The vulnerability tracked as CVE-2022-34791 resides in the Email Parameter plugin used by Jenkins and allows threat actors to perform cross-site scripting (XSS) attacks on affected installations.
- CVE-2022-34783 is a cross-site scripting (XSS) vulnerability found in the Plot plugin used by Jenkins.
- CVE-2022-34777 is a stored cross-site scripting (XSS) vulnerability found in the GitLab plugin used by Jenkins.
- CVE-2022-34786 is a cross-site scripting (XSS) vulnerability found in the Rich Text Publisher plugin used by Jenkins.
- CVE-2022-34778 is a cross-site scripting (XSS) vulnerability found in the TestNG Results plugin used by Jenkins.
- CVE-2022-34795 is a stored cross-site scripting (XSS) vulnerability found in the Deployment Dashboard plugin used by Jenkins.
An update that fixes the security vulnerabilities detected in these Jenkins plugins has not been released yet. Successful exploitation of these vulnerabilities can allow remote threat actors to obtain sensitive information, alter the web page’s appearance, and carry out phishing attacks. Administrators should therefore monitor for updates that fix these vulnerabilities and apply them immediately once they are published.
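As an added example (not from the advisory or the Jenkins project), the check below reads the JSON returned by a Jenkins controller's plugin-manager API (`/pluginManager/api/json?depth=1`) and reports which of the plugins named above are installed, together with the CVE that affects each. It matches on plugin display names because the advisory does not give plugin IDs; the sample payload, including its short names and version numbers, is constructed.

```python
import json
import re

# Plugins named in the advisory, keyed by the display name given on the page.
AFFECTED_PLUGINS = {
    "build-metrics": "CVE-2022-34784",
    "Project Inheritance": "CVE-2022-34787",
    "Matrix Reloaded": "CVE-2022-34788",
    "eXtreme Feedback Panel": "CVE-2022-34790",
    "Recipe": "CVE-2022-34792",
    "Email Parameter": "CVE-2022-34791",
    "Plot": "CVE-2022-34783",
    "GitLab": "CVE-2022-34777",
    "Rich Text Publisher": "CVE-2022-34786",
    "TestNG Results": "CVE-2022-34778",
    "Deployment Dashboard": "CVE-2022-34795",
}

# Constructed sample in the shape of /pluginManager/api/json?depth=1 output;
# names, short names and versions are illustrative, not real inventory data.
SAMPLE = json.dumps({"plugins": [
    {"shortName": "git", "longName": "Git plugin", "version": "4.11.3", "active": True},
    {"shortName": "plot", "longName": "Plot Plugin", "version": "2.1.10", "active": True},
    {"shortName": "gitlab-plugin", "longName": "GitLab Plugin", "version": "1.5.35", "active": True},
    {"shortName": "xfpanel", "longName": "eXtreme Feedback Panel Plugin", "version": "2.0.2", "active": True},
]})


def _normalise(name):
    """Loosen display-name comparison: lower-case, drop a trailing 'plugin', unify separators."""
    name = name.lower().strip()
    name = re.sub(r"\s*plugin$", "", name)
    return re.sub(r"[\s_-]+", " ", name)


def find_affected(plugin_manager_json):
    """Return sorted (shortName, version, CVE) tuples for installed plugins on the advisory list."""
    wanted = {_normalise(n): cve for n, cve in AFFECTED_PLUGINS.items()}
    hits = []
    for plugin in json.loads(plugin_manager_json).get("plugins", []):
        key = _normalise(plugin.get("longName", ""))
        if key in wanted:
            hits.append((plugin.get("shortName"), plugin.get("version"), wanted[key]))
    return sorted(hits)


if __name__ == "__main__":
    for short_name, version, cve in find_affected(SAMPLE):
        print(f"{short_name} {version}: affected by {cve}, no fixed release published yet")
```

Because no fixed versions have been published, presence of a listed plugin is the only signal this check can give; rerun it against the real endpoint once fixes appear and compare versions then.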