Jenkins is the most popular open-source automation server, it is maintained by CloudBees and the Jenkins community. The automation server supports developers build, test and deploy their applications, it has hundreds of thousands of active installations worldwide with more than 1 million users.
The security team at Jenkins, disclosed 34 security flaws affecting 29 plugins for the Jenkins automation server, 29 of these issues are yet to be patched.
The advisory published by Jenkins discloses vulnerabilities in the following deliverables:
The severity of the flaws ranges from low to high, and at the time of publication of the advisory, the following plugins are yet to be fixed:
The list of unpatched vulnerabilities includes XSS, Cross-Site Request Forgery (CSRF), missing or incorrect permission checks, along with passwords, API keys, and tokens stored in plain text.
The addressed issues were patched with the release of:
(SecurityAffairs – hacking)