BSI has revealed the present IT safety discover for Jenkins plugins. Several vulnerabilities have been recognized. You can discover out extra in regards to the affected functions and merchandise and the CVE numbers right here at information.de.
Federal workplace for Security in Information Technology (BSI) issued a safety advisory for Jenkins plugins on May 26, 2024. The report factors to a number of vulnerabilities that make the assault attainable. The safety vulnerability impacts UNIX and Windows functions and the Jenkins Jenkins product.
The newest producer suggestions relating to updates, workarounds and safety patches for this vulnerability could be discovered right here: Jenkins Security Advisory 2024-05-24 (Ima: 26.05.2024).
Multiple vulnerabilities have been reported in Jenkins plugins – Risk: excessive
Risk stage: 3 (excessive)
CVSS Base Score: 8.0
CVSS interim rating: 7.0
Remote management: Ja
The Common Vulnerability Scoring System (CVSS) is used to evaluate the severity of vulnerabilities in laptop programs. The CVSS commonplace makes it attainable to match potential or precise safety dangers primarily based on varied metrics to create a precedence record for countermeasures. The attributes “none”, “low”, “medium”, “excessive” and “extreme” are used to find out the severity ranges of vulnerability. The Base Score evaluates the necessities of an assault (together with authentication, complexity, privileges, person interplay) and its outcomes. For momentary impact, body situations that will change over time are thought of within the take a look at. According to CVSS, the danger of the present vulnerability is assessed as “excessive” on the premise of 8.0 factors.
Jenkins Plugins Bug: Summary of reported vulnerabilities
Jenkins is an extensible, web-based integration server for steady help for every type of software program improvement.
A distant, licensed attacker may exploit a number of vulnerabilities in varied Jenkins plugins to carry out a script assault and expose delicate info.
Vulnerabilities are recognized by distinctive CVE (Common Vulnerabilities and Exposures) product numbers. CVE-2024-28793, CVE-2024-4184, CVE-2024-4189, CVE-2024-4690, CVE-2024-5273, CVE-2024-4211, CVE-2024-4691 and CVE-4691 and CVE-692 on the market.
Systems affected by the safety hole at a look
Operating programs
UNIX, Windows
Products
Jenkins Jenkins Plugin OpenText Jenkins Jenkins Plugin Team Concert Jenkins Jenkins Plugin Report Info
General suggestions for coping with IT vulnerabilities
- Users of affected programs ought to keep up-to-date. When safety holes are recognized, producers are required to repair them shortly by creating a patch or workaround. If safety patches can be found, set up them instantly.
- For info, see the sources listed within the subsequent part. This usually accommodates extra details about the newest model of the software program in query and the provision of safety patches or efficiency ideas.
- If you may have any additional questions or uncertainties, please contact your accountable administrator. IT safety managers ought to verify each time a producing firm makes a brand new safety replace obtainable.
Sources for updates, patches and workarounds
Here you can find some hyperlinks with details about bug studies, safety fixes and workarounds.
Jenkins Security Advisory 2024-05-24 vom 2024-05-26 (26.05.2024)
For extra info, see:
Version historical past of this safety alert
This is the primary model of this IT safety discover for Jenkins plugins. This doc might be up to date as updates are introduced. You can examine adjustments or additions on this model historical past.
May 26, 2024 – First model
+++ Editorial notice: This doc is predicated on present BSI knowledge and might be up to date in a data-driven method relying on the standing of the alert. We welcome suggestions and feedback at [email protected]. +++
comply with News.de you’re right here Facebook, Twitter, Pinterest once more YouTube? Here you can find sizzling information, present movies and a direct line to the editorial crew.
kns/roj/information.de