Software Creation: Some Jenkins plugins are secured, others are not
Jenkins installations that use certain plug-ins are vulnerable. Not all security patches have been released yet.
Attention software developers: attackers could compromise servers running the open source automation tool Jenkins if any of the plug-ins recently classified as vulnerable are in use.
Waiting for security updates
Affected plug-ins include, for example, Android Signing, Git and OpenStack Heat. The Jenkins developers have published the complete list in a security advisory. If you use Jenkins with plug-ins, you should take a close look at that list and check whether security patches are already available.
Some patches have already been released, but not yet for plug-ins such as Android Signing, Google Cloud Backup and Repository Connector. It is currently not known when those updates will follow. To be on the safe side, affected plug-ins that are still unpatched should be temporarily disabled or uninstalled.
Attacks with dangerous consequences
For the majority of the vulnerabilities, the threat level is rated “medium”. If an attack succeeds, attackers could, among other things, access and manipulate data without authorization, or eavesdrop on connections as a man-in-the-middle.
Security patches are not yet available for these plug-ins:
- Android signing plugin
- Buckminster Plugin
- CLIF Performance Testing Plugin
- Coverity Plugin
- Dynamic extended choice parameter plugin
- Files Found Trigger Plugin
- Google cloud backup plugin
- HTTP request plugin
- Lucene Search Plugin
- Maven Metadata Plugin for Jenkins CI server Plugin
- OpenShift Deployer Plugin
- OpenStack Heat Plugin
- Repository Connector Plugin
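The article's advice is to compare the list above with what is actually installed and to disable whatever is still unpatched. The following script is an added example, not code from the article or from the Jenkins project. It reads the JSON that Jenkins serves at the real endpoint `<jenkins-url>/pluginManager/api/json?depth=1` (fields `shortName`, `longName`, `version`, `enabled`, `hasUpdate`), matches the display names against the list above, and prints the `jenkins-cli.jar disable-plugin` commands for the enabled hits. The sample JSON embedded in the block is constructed for illustration; its version numbers and the `shortName` values (`android-signing`, `http_request`, `openstack-heat`, `workflow-aggregator`) are assumptions, as is the availability of the `disable-plugin` CLI command on your Jenkins version.

```python
"""Compare a Jenkins instance's installed plug-ins with the advisory list.

Added example (not part of the article or of Jenkins itself).  Matching is
done on the plug-in display name (longName) because that is what the
advisory list gives; the `hasUpdate` flag tells you whether the update
center already offers a newer version, i.e. whether a patch may have
appeared since the article was written.
"""
import base64
import json
import re
import urllib.request

# Plug-ins for which the article says no security patch is available yet.
UNPATCHED = [
    "Android signing plugin",
    "Buckminster Plugin",
    "CLIF Performance Testing Plugin",
    "Coverity Plugin",
    "Dynamic extended choice parameter plugin",
    "Files Found Trigger Plugin",
    "Google cloud backup plugin",
    "HTTP request plugin",
    "Lucene Search Plugin",
    "Maven Metadata Plugin for Jenkins CI server Plugin",
    "OpenShift Deployer Plugin",
    "OpenStack Heat Plugin",
    "Repository Connector Plugin",
]


def normalize(name: str) -> str:
    """Lower-case, collapse whitespace and drop a trailing 'plugin' word so that
    'Android signing plugin' and 'Android Signing Plugin' compare equal."""
    n = re.sub(r"\s+", " ", name.strip().lower())
    return re.sub(r"( plugin)+$", "", n)


def affected_installed(plugins_json: dict, affected_names=UNPATCHED) -> list:
    """Return the installed plug-ins whose display name is on the advisory list."""
    wanted = {normalize(n) for n in affected_names}
    hits = []
    for p in plugins_json.get("plugins", []):
        if normalize(p.get("longName", "")) in wanted:
            hits.append({
                "shortName": p.get("shortName"),
                "longName": p.get("longName"),
                "version": p.get("version"),
                "enabled": bool(p.get("enabled", False)),
                "hasUpdate": bool(p.get("hasUpdate", False)),
            })
    return sorted(hits, key=lambda h: h["shortName"] or "")


def disable_commands(base_url: str, hits: list) -> list:
    """Build `disable-plugin` CLI invocations for the hits that are still enabled.
    (Assumes a Jenkins release whose CLI offers `disable-plugin`; otherwise use
    Manage Jenkins > Manage Plugins > Installed.)"""
    base = base_url.rstrip("/")
    return [
        f"java -jar jenkins-cli.jar -s {base} disable-plugin {h['shortName']}"
        for h in hits if h["enabled"]
    ]


def fetch_plugins(base_url: str, user=None, api_token=None, timeout=10) -> dict:
    """Fetch the plug-in inventory from a live Jenkins (real endpoint, depth=1)."""
    req = urllib.request.Request(base_url.rstrip("/") + "/pluginManager/api/json?depth=1")
    if user and api_token:  # basic auth with a user API token
        cred = base64.b64encode(f"{user}:{api_token}".encode()).decode()
        req.add_header("Authorization", "Basic " + cred)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


# Constructed sample of what the endpoint returns (shortNames/versions assumed).
SAMPLE = {"plugins": [
    {"shortName": "android-signing", "longName": "Android Signing Plugin",
     "version": "2.2.4", "enabled": True, "hasUpdate": False},
    {"shortName": "http_request", "longName": "HTTP Request Plugin",
     "version": "1.8.22", "enabled": False, "hasUpdate": False},
    {"shortName": "openstack-heat", "longName": "OpenStack Heat Plugin",
     "version": "1.5", "enabled": True, "hasUpdate": False},
    {"shortName": "workflow-aggregator", "longName": "Pipeline",
     "version": "2.6", "enabled": True, "hasUpdate": True},
]}

if __name__ == "__main__":
    # Replace SAMPLE with fetch_plugins("https://ci.example.com", user, token) for a real check.
    found = affected_installed(SAMPLE)
    for h in found:
        state = "enabled" if h["enabled"] else "disabled"
        upd = "update available" if h["hasUpdate"] else "no update in update center"
        print(f"{h['longName']} ({h['shortName']} {h['version']}): {state}, {upd}")
    for cmd in disable_commands("https://ci.example.com", found):
        print(cmd)
```

Run it against a real instance by swapping `SAMPLE` for `fetch_plugins(...)` with an account that may read the plugin manager; an affected plug-in reported as enabled with no update available is exactly the case the article tells you to disable.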