Open source CI/CD automation tool Jenkins has released patches for multiple high- and medium-severity vulnerabilities in the server and several plugins.
Patches were rolled out for two medium-severity flaws in Jenkins, one leading to the exposure of multi-line secrets and another to creation restriction bypass.
The fist issue, tracked as CVE-2024-47803, exists because “Jenkins 2.478 and earlier, LTS 2.462.2 and earlier does not redact multi-line secret values in error messages generated for form submissions involving the secretTextarea form field,” according to a Jenkins security bulletin.
This could lead to multi-line secrets being exposed on error messages present in system logs and was addressed in Jenkins versions 2.479 and LTS 2.462.3 by redacting those secrets.
Jenkins also announced patches for CVE-2024-47804, a bug affecting the item creation functionality of the software development automation server.
While Jenkins can be configured to prohibit the creation of specific item types, if the creation is attempted using the Jenkins CLI or the REST API and one of two specific checks fails, the item would be created in memory and deleted from the disk.
“This allows attackers with Item/Create permission to bypass these restrictions, creating a temporary item. With Item/Configure permission, they can also save the item to persist it,” Jenkins explains, adding that the latest server iterations no longer retail the item in memory.
Patches were also rolled out for two high-severity vulnerabilities in the OpenId Connect Authentication plugin, and a medium-severity flaw in the Credentials plugins.
Advertisement. Scroll to continue reading.
The OpenId Connect Authentication bugs — CVE-2024-47806 and CVE-2024-47807 — exist because the plugin fails to check whether a token was issued for the correct client and the identity of the original issuer, which could allow attackers to gain administrator access to Jenkins.
Tracked as CVE-2024-47805, the Credentials plugin issue exist because encrypted values of credentials using the SecretBytes type are not redacted when accessing config.xml via REST API or CLI, allowing attackers with item/extended read permissions to view those encrypted values.
OpenId Connect Authentication plugin version 4.355.v3a_fb_fca_b_96d4 and Credentials plugin version 1381.v2c3a_12074da_b_ address these issues.
Related: ICS/OT Security Firms Announce Product Updates
Related: GitLab Security Update Patches Critical Vulnerability
Related: Tens of Cybersecurity Firms Found Exposing Assets
Related: Most Developers Never Update Third-Party Libraries in Their Software