Jenkins plugs 11 security holes with two updates
Zero-day vulnerability stoppered
Jenkins says it has fixed a range of security vulnerabilities in the open source continuous integration server with a brace of fresh releases.
Versions 1.638 (the weekly line) and 1.625.2 (the long-term support line) hit the streets yesterday, presumably capping a frantic race to plug a zero-day vulnerability which surfaced last Friday.
That vulnerability left Jenkins exposed to unauthenticated remote code execution through the Jenkins CLI subsystem, which deserialised Java objects arriving over the remoting channel before any authentication took place. The project advised users to disable or remove CLI support inside the running Jenkins server as a temporary workaround until a fixed release was available. The flaw was rated critical: code execution on the master, with no credentials required, is about as bad as it gets for a CI server.
The new updates fix this and ten more vulnerabilities. Three of these were listed as critical, including one which allowed "malicious users to circumvent CSRF protection by generating the correct token". Jenkins' anti-CSRF token (the "crumb") only works if a page the victim visits cannot predict it; an attacker who can compute the correct value gets around the protection entirely.
The second critical issue exposed the secret that slaves (agents, in current Jenkins terminology) use to connect to the master; with it, a malicious user could connect as a slave, take over the master and read private data. The third critical flaw was the zero-day itself: unsafe deserialization that allowed remote attackers to run arbitrary code on the Jenkins master.
Of the remaining eight vulnerabilities, one was rated high, four medium and three low. Note that the disable-the-CLI workaround covers only the zero-day; the other ten are fixed by the upgrade alone. ®
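To turn the two version numbers and the CLI workaround into something an administrator can check, here is an added triage helper. It is not code from the Jenkins project nor from this article. It assumes that a Jenkins 1.x master reports its core version in the X-Jenkins response header and, while the remoting-based CLI port is enabled, advertises that port in the X-Jenkins-CLI-Port and X-Jenkins-CLI2-Port headers; the fix thresholds (1.638 weekly, 1.625.2 LTS) are taken from the story, and the sample headers at the bottom are constructed, not captured from a real server.

```python
"""Triage helper for the November 2015 Jenkins fixes (added example, not
Jenkins project code).

Given the HTTP response headers a Jenkins master returns for its root URL,
report (a) whether the advertised core version predates the fixed releases,
1.638 for weekly builds and 1.625.2 for the LTS line, and (b) whether the
master still advertises the TCP port used by the remoting-based CLI, which
the temporary workaround was meant to switch off.  Assumed header names:
X-Jenkins for the version, X-Jenkins-CLI-Port / X-Jenkins-CLI2-Port for the
CLI port on 1.x masters.
"""
import re
import urllib.error
import urllib.request
from typing import Dict, List, Optional, Tuple

FIXED_WEEKLY = (1, 638)      # first fixed weekly release
FIXED_LTS = (1, 625, 2)      # first fixed LTS release

VERSION_HEADER = "X-Jenkins"
CLI_PORT_HEADERS = ("X-Jenkins-CLI-Port", "X-Jenkins-CLI2-Port")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.638' or '1.625.2' into a comparable tuple of ints."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Jenkins version string: {version!r}")
    return tuple(int(p) for p in m.groups() if p is not None)


def is_patched(version: str) -> bool:
    """True if this core version carries the 1.638 / 1.625.2 fixes.

    Weekly builds (two components) and LTS builds (three components) are
    separate lines, so each is compared against its own threshold: weekly
    1.630 is numerically above LTS 1.625.2 but is still unpatched.
    """
    parts = parse_version(version)
    if len(parts) == 3:
        return parts >= FIXED_LTS
    return parts >= FIXED_WEEKLY


def cli_port_advertised(headers: Dict[str, str]) -> bool:
    """True if the master advertises a TCP port for the remoting-based CLI."""
    present = {name.lower() for name in headers}
    return any(h.lower() in present for h in CLI_PORT_HEADERS)


def triage(headers: Dict[str, str]) -> Dict[str, object]:
    """Summarise patch status and CLI exposure from one set of headers."""
    lowered = {name.lower(): value for name, value in headers.items()}
    version = lowered.get(VERSION_HEADER.lower())
    patched: Optional[bool] = is_patched(version) if version else None
    cli_exposed = cli_port_advertised(headers)

    findings: List[str] = []
    if patched is False:
        findings.append(f"core {version} predates 1.638 / 1.625.2: upgrade")
    elif patched is None:
        findings.append("no X-Jenkins header: version unknown, check manually")
    if cli_exposed and not patched:   # unpatched or unknown, and CLI reachable
        findings.append("CLI port still advertised: apply the disable-CLI "
                        "workaround until the master is upgraded")
    return {"version": version, "patched": patched,
            "cli_port_advertised": cli_exposed, "findings": findings}


def fetch_headers(url: str) -> Dict[str, str]:
    """Fetch the root-page headers of a live master (network; not run below).

    Jenkins still sets its identifying headers on a 403 for anonymous users,
    so the error response's headers are returned rather than discarded.
    """
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return dict(resp.headers.items())
    except urllib.error.HTTPError as err:
        return dict(err.headers.items())


# Constructed sample headers, not captured from any real server.
SAMPLES = {
    "weekly-unpatched": {"X-Jenkins": "1.637", "X-Jenkins-CLI-Port": "50000",
                         "X-Jenkins-CLI2-Port": "50000"},
    "weekly-patched":   {"X-Jenkins": "1.638"},
    "lts-unpatched":    {"X-Jenkins": "1.625.1", "X-Jenkins-CLI-Port": "50000"},
    "lts-patched":      {"X-Jenkins": "1.625.2"},
    "old-lts":          {"X-Jenkins": "1.609.3"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(name, triage(hdrs))
```

Point `fetch_headers` at a master's base URL and pass the result to `triage` to run the same checks live; the version comparison treats the weekly and LTS lines separately, since a weekly build numbered between 1.625.2 and 1.638 is newer than the LTS fix but does not contain it.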