heise PlusAbo
Anzeige

Software development tool Jenkins closes several security gaps

The developers are patching seven security vulnerabilities in the software development tool Jenkins. Most of them are considered high-risk.

listen Print view
A circle-arrow on which a person clicks with a finger.

(Image: Shutterstock/chanpipat)

2 min. read
Security
By

The updated version of the open source software Jenkins seals several security vulnerabilities. The developers classify most of these as high-risk.

Jenkins is a web-based software development tool with numerous plug-ins that automates recurring tasks such as the software build process and allows functions to be combined with APIs and libraries.

High-risk security vulnerabilities in Jenkins plug-ins

In a security announcement, the Jenkins developers write that security vulnerabilities have been discovered in a total of seven plug-ins. Of these, they classify six as high risk and one as medium risk.

Videos by heise

The vulnerabilities can be found in the following Jenkins plug-ins:

  • Security bypass in Shared Library Version Override plugin, CVE-2024-52554, risk"high"
  • XXE vulnerability in IvyTrigger plugin, CVE-2022-46751, high
  • Insufficient session validation allows admin access with social engineering in OpenId Connect Authentication Plugin, CVE-2024-52553, high
  • Cross-site scripting vulnerability in Authorize Project Plugin, CVE-2024-52552, high
  • Missing check of a rebuild permission in Pipeline: Declarative Plugin, CVE-2024-52551, high
  • Missing check of a rebuild permission in Pipeline: Groovy Plugin, CVE-2024-52550, high
  • Missing permission check in Script Security Plugin, CVE-2024-52549, medium

The project participants write that the updates to the versions

  • Authorize Project Plugin 1.8.0
  • IvyTrigger Plugin 1.02
  • OpenId Connect Authentication Plugin 4.421.v5422614eb_e0a_
  • Pipeline: Declarative Plugin 2.2218.v56d0cda_37c72
  • Pipeline: Groovy Plugin 3993.v3e20a_37282f8
  • Script Security Plugin 1368.vb_b_402e3547e7
  • Shared Library Version Override Plugin 19.v3a_c975738d4a_

to fix the vulnerabilities. Admins should apply the updates promptly to minimize the attack surface.

Read also

In August, cybercriminals actively attacked vulnerabilities in Jenkins servers. The US cyber security authority CISA had issued a warning about this. As Jenkins is obviously an interesting target for online criminals, IT managers should quickly update their Jenkins instances to the latest version.

(dmk)

Don't miss any news – follow us on Facebook, LinkedIn or Mastodon.

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.

Beliebte Bestenlisten

Alle Angebote
Newsletter heise-Bot heise-Bot Push Nachrichten Push Push-Nachrichten