Jenkins安全团队披露了影响Jenkins自动化服务器中29个插件的数十个漏洞,其中大部分漏洞尚未修复。Jenkins是最流行的开源自动化服务器,它由CloudBees和Jenkins社区维护。自动化服务器支持开发人员构建、测试和部署他们的应用程序,它在全球拥有数十万个活跃安装,用户超过100万。Jenkins安全团队最近披露了影响Jenkins自动化服务器中29个插件的34个安全漏洞,其中29个尚未修复。以下是Jenkins发布的公告中指出的漏洞:BuildNotificationsPluginbuild-metricsPluginCiscoSparkPluginDeploymentDashboardPluginElasticsearchQueryPlugineXtremeFeedbackPanelPluginFailedJobDeactivatorPluginGitLabPluginHPENetworkVirtualizationPluginJigomergePluginMatrixReloadedPluginOpsGeniePluginPlotPluginProjectInheritancePluginRecipePluginRequestRenameOrDeletePluginrequests-pluginPluginRichTextPublisherPluginRocketChatNotifierPluginRQMPluginSkypenotifierPluginTestNGResultsPluginValidatingEmailParameterPluginXebiaLabsXLReleasePluginXPathConfigurationViewerPlugin这些漏洞的严重程度从低到高。截至公告发布时,以下漏洞尚未修复:BuildNotificationsPluginbuild-metricsPluginCiscoscoplSparkPluginElasticsearchQueryPluginXtremeFeedbackPanelPluginFailedJobDeactivatorPluginHPENetworkVirtualizationPluginJigomergePluginMatrixReloadedPluginOpsGeniePluginPlotPluginProjectInheritancePluginRecipePluginRequestRenameOrDeletePluginRichTextPublisherPluginRocketChatNotifierPluginRQMPluginSkypenotifierPluginValidatingEmailParameterPluginXPathConfigurationViewerPluginUnpatchedVulnerabilitiesList包括XSS,跨站请求伪造(CSRF),缺失或不正确的权限检查,以及明文存储的密码,API密钥以下是漏洞发布公告时已通过补丁解决:GitLabPluginshouldbeupdatedtoversion1.5.35requests-pluginPluginshouldbeupdatedtoversion2.2.17TestNGResultsPluginshouldbeupdatedtoversion555.va0d5f66521e3XebiaLabsXLReleasePluginshould更新到版本22.0.1
