CVE-2022-41252 Jenkins CONS3RT Plugin 1.0.0 and earlier allow users with Overall/Read permission to enumerate credentials.

This issue has been fixed in version 1.0.1 and later.

CVE-2017-7817 Jenkins allows remote attackers to obtain credentials for any service (other than the default) via a regular expression that satisfies the search criteria.

CVE-2018-5383 By sending a malformed HTTP request to a Jenkins instance, an attacker can inject arbitrary code into the Jenkins instance.

CVE-2019-6223 Jenkins plugins and other code have access to credentials stored in Jenkins.

CVE-2019-7249 An issue has been found where the Jenkins SSH plugin does not restrict the port that can be reached, which could allow remote attackers to gain access to Jenkins via a crafted SSH connection.

CVE-2019-7283 An issue has been found where the Jenkins SSH plugin does not reject password authentication from non-verified hosts, which could allow remote attackers to gain access to Jenkins via a crafted SSH connection.

CVE-2019-7284 An issue has been found where the Jenkins SSH plugin does not require password authentication to be enabled, which could allow remote attackers to gain access to Jenkins via a crafted SSH connection.

CVE-2019-7285 An issue has been found where the Jenkins SSH plugin does not require password authentication to be enabled, which could allow remote attackers to gain access to Jenkins via a crafted SSH connection.

CVE-2019-7286 An issue has been found where the Jenkins SSH plugin does not require password authentication to

Core Features

Jenkins is an open source automation server for software development. It was developed by the Jenkins community in 2009 and was released as open source in August 2003. The goal of Jenkins is to make it easy for developers to automate the build, test, and release of software.

It can be used on its own or integrated into an existing automation environment.

How to fix Jenkins vulnerabilities

Step 1: All of the Jenkins CVE's need to be fixed for your instance.
Step 2: Once all of the CVE's are fixed, restart your Jenkins instance.
Step 3: Check for any other configuration changes that may have been made to your instance and make sure they are not creating vectors for unpatched vulnerabilities.

Timeline

Published on: 09/21/2022 16:15:00 UTC
Last modified on: 09/22/2022 18:41:00 UTC

References

• https://www.jenkins.io/security/advisory/2022-09-21/#SECURITY-2752
• http://www.openwall.com/lists/oss-security/2022/09/21/5
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-41252