Jenkins, the open source software development automation server, has announced patches for several high- and medium-severity vulnerabilities impacting multiple plugins. The patches aim to address three high-severity cross-site request forgery (CSRF) and cross-site scripting (XSS) issues in the Folders, Flaky Test Handler, and Shortcut Job plugins.
The first vulnerability, tracked as CVE-2023-40336, is a CSRF flaw in Folders plugin version 6.846.v23698686f0f6 and earlier. An HTTP endpoint in the plugin does not require POST requests, so an attacker who lures a logged-in user to a crafted page can copy an item on that user's behalf, potentially automatically approving unsandboxed scripts that would otherwise require administrator approval.
The second high-severity bug, CVE-2023-40342, affects Flaky Test Handler plugin versions 1.2.2 and earlier. These versions do not escape JUnit test contents when displaying them in the Jenkins UI, resulting in a stored XSS vulnerability exploitable by anyone able to control JUnit report contents (for example, through a test that writes attacker-chosen output).
In addition, Shortcut Job plugin versions 0.4 and earlier suffer from a stored XSS flaw (CVE-2023-40346) because the plugin does not escape the shortcut redirection URL; it is exploitable by attackers able to configure shortcut jobs.
Furthermore, Docker Swarm plugin versions 1.11 and earlier were found to have a high-severity stored XSS vulnerability: values returned from Docker are not escaped before being rendered in the plugin's dashboard view, so an attacker who can control Docker's responses can inject script. No patch has been released for this bug, so administrators should treat installed copies as exposed and consider disabling the plugin until a fix is available.
Jenkins has also announced fixes for several medium-severity vulnerabilities in plugins such as Folders, Config File Provider, NodeJS, Blue Ocean, Fortify, and Delphix. These vulnerabilities could lead to information disclosure, credential leaks, CSRF attacks, HTML injection, and enumeration of credential IDs.
The fixed plugin versions listed in the advisory, covering both the high- and medium-severity issues, are Blue Ocean 1.27.5.1, Config File Provider 953.v0432a_802e4d2, Delphix 3.0.3, Flaky Test Handler 1.2.3, Folders 6.848.ve3b_fd7839a_81, Fortify 22.2.39, NodeJS 1.6.0.1, and Shortcut Job 0.5.
However, Jenkins warned that three medium-severity flaws in the Maven Artifact ChoiceListProvider (Nexus), Gogs, and Favorite View plugins have not yet received patches. These vulnerabilities could result in credential exposure, information disclosure, and CSRF attacks.
To address a low-severity vulnerability in which a non-constant-time token comparison could let attackers obtain a valid authentication token through a timing attack, the Tuleap Authentication plugin was updated to version 1.1.21.
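The practical question for an administrator reading this advisory is which installed plugins are still below the fixed versions listed above, and which have no fix at all. The following script is an added example, not code from Jenkins or from the article: it reads the plugin list that Jenkins exposes at `pluginManager/api/json?depth=1` (a real Jenkins REST endpoint) and compares each installed version against the advisory's fixed versions. The plugin IDs (Jenkins "shortName" values) in the mapping are assumptions and should be checked against your own plugin manager, and the embedded JSON is constructed sample data so the script runs offline.

```python
import json
import sys
import urllib.request
import base64

# Fixed versions from the advisory discussed above. None means no fix was
# available when the advisory was published. The plugin IDs (Jenkins
# shortName values) are ASSUMED here; verify them in your plugin manager.
FIXED_VERSIONS = {
    "cloudbees-folder": "6.848.ve3b_fd7839a_81",   # Folders
    "flaky-test-handler": "1.2.3",
    "shortcut-job": "0.5",
    "config-file-provider": "953.v0432a_802e4d2",
    "nodejs": "1.6.0.1",
    "blueocean": "1.27.5.1",
    "fortify": "22.2.39",
    "delphix": "3.0.3",
    "tuleap-oauth": "1.1.21",                      # Tuleap Authentication
    "docker-swarm": None,                          # unpatched
    "maven-artifact-choicelistprovider": None,     # unpatched
    "gogs-webhook": None,                          # unpatched (Gogs)
    "favorite-view": None,                         # unpatched
}

# Constructed sample of what pluginManager/api/json?depth=1 returns,
# trimmed to the two fields the audit needs.
SAMPLE_PLUGIN_MANAGER_JSON = json.dumps({
    "plugins": [
        {"shortName": "cloudbees-folder", "version": "6.846.v23698686f0f6"},
        {"shortName": "flaky-test-handler", "version": "1.2.3"},
        {"shortName": "blueocean", "version": "1.27.4"},
        {"shortName": "docker-swarm", "version": "1.11"},
        {"shortName": "git", "version": "5.2.0"},
    ]
})


def version_key(version):
    """Numeric prefix of a Jenkins plugin version as a tuple.

    '6.846.v23698686f0f6' -> (6, 846); '1.27.5.1' -> (1, 27, 5, 1).
    Jenkins incremental versions append a git hash ('v...'), which is
    not ordered, so parsing stops at the first non-numeric segment.
    """
    key = []
    for segment in version.split("."):
        if not segment.isdigit():
            break
        key.append(int(segment))
    return tuple(key)


def audit(plugins_json):
    """Return (plugin_id, installed, fixed, status) for each plugin named
    in the advisory; status is 'ok', 'vulnerable' or 'no-fix'."""
    findings = []
    for plugin in json.loads(plugins_json).get("plugins", []):
        plugin_id = plugin.get("shortName")
        if plugin_id not in FIXED_VERSIONS:
            continue
        installed = plugin.get("version", "")
        fixed = FIXED_VERSIONS[plugin_id]
        if fixed is None:
            status = "no-fix"
        elif version_key(installed) < version_key(fixed):
            status = "vulnerable"
        else:
            status = "ok"
        findings.append((plugin_id, installed, fixed, status))
    return findings


def fetch_plugins_json(jenkins_url, user, api_token):
    """Fetch the plugin list from a live Jenkins with HTTP basic auth
    (user + API token). The 'tree' filter limits the response to the
    fields used above."""
    url = jenkins_url.rstrip("/") + \
        "/pluginManager/api/json?depth=1&tree=plugins[shortName,version]"
    req = urllib.request.Request(url)
    creds = base64.b64encode(f"{user}:{api_token}".encode()).decode()
    req.add_header("Authorization", "Basic " + creds)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    # Usage: audit.py <jenkins_url> <user> <api_token>; with no arguments
    # the constructed sample above is audited instead.
    if len(sys.argv) == 4:
        data = fetch_plugins_json(*sys.argv[1:])
    else:
        data = SAMPLE_PLUGIN_MANAGER_JSON
    for plugin_id, installed, fixed, status in audit(data):
        print(f"{plugin_id:36} installed={installed:24} "
              f"fixed={fixed or 'none':24} {status}")
```

Against the sample data this reports Folders (6.846...) and Blue Ocean (1.27.4) as vulnerable, Flaky Test Handler 1.2.3 as ok, and Docker Swarm as having no fix, while ignoring plugins the advisory does not name. The numeric-prefix comparison is adequate for the versions in this advisory; for plugins whose version schemes changed (for example, a move from classic `x.y` to incremental `N.vHASH` numbering), confirm with the plugin manager's own update indicator rather than relying on the tuple ordering alone.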
In related news, Jenkins has previously faced vulnerabilities that could potentially lead to remote code execution. Other companies, such as Cisco and Ivanti, have also addressed high-severity vulnerabilities in their enterprise applications.