News

In more than hounded of Jenkins’ plugins are discovered vulnerabilities

Great number of plugins for open instrument of uninterrupted integration by Jenkins software contain different bugs and vulnerabilities.

Vulnerabilities mainly connected with storing of passwords in non-encrypted form. Additionally, in Jenkins’ soft found CSRF-bugs that allow steaking credentials and committing CSRF-attacks.

Viktor Gazdag, specialist of NCC Group that tested great number of Jenkins’ plugins, revealed these problems.

“These tests resulted in more than 100 plugins found vulnerable and several coordinated and responsible public disclosures”, — reports researcher.

As expert explained, though Jenkins encrypts passwords in credentials.xml file, some developers use other methods of data storage. In the majority of cases these decisions do not suggest are encryption. Moreover, some web-forms, where users input credentials, enable leakage of passwords or secret tokens.

Web form shows no sign of clear text password

CSRF-vulnerabilities are connected with plugins’ functions, with the use of which users can check credentials and connect to a server. They mostly exist, as developers do not apply POST-requests that prevent attacks with the use of CSRF token.

In the last two years, Jenkins developers released several notifications that describe vulnerabilities in different plugins, including series of bugs, discovered by Gazdag.

Vulnerable plugins interact with a wide circle of services, including Twitter, AWS, VMware and Azure. In most cases software was created by side developers that is not connected to vendor, whose software exploits plugin.

As noted, authors of several plugins have already fixed bugs in their software, though many are still vulnerable. In their turn, Jenkins developers published a vast list of plugins that still are not fixed.

Jenkins — is an open source tool supporting building, deploying and automating software development and delivery, and can be extended by plugins to introduce additional functionalities like Active Directory authentication, or solve reoccurring tasks such as executing a static code analyser or copying a compiled software to a CIFS share. Similar to WordPress, the core framework is extended by hundreds of plugins; where most of these plugins are developed by 3rd party developers and it is up to them how securely they write them.

Source: https://www.nccgroup.trust

Polina Lisovskaya

I works as a marketing manager for years now and loves searching for interesting topics for you

Recent Posts

Remove Himalayaview.top Pop-up Ads

About Himalayaview.top Himalayaview.top pop-ups can not launch out of the blue. If you have actually…

9 hours ago

Remove Youdilgad.top Pop-up Ads

About Youdilgad.top Youdilgad.top pop-ups can not expose out of the blue. If you have clicked…

9 hours ago

Remove Alkads.com Pop-up Ads

About Alkads.com Alkads.com pop-ups can not launch out of the blue. If you have clicked…

9 hours ago

Remove Bigamirt.xyz Pop-up Ads

About Bigamirt.xyz Bigamirt.xyz pop-ups can not launch out of nowhere. If you have clicked some…

9 hours ago

Remove Micorban.xyz Pop-up Ads

About Micorban.xyz Micorban.xyz pop-ups can not open out of the blue. If you have actually…

9 hours ago

Remove Msdefender.co.in Pop-up Ads

About Msdefender.co.in Msdefender.co.in pop-ups can not expose out of the blue. If you have actually…

2 days ago