Eight distinct vulnerabilities observed across Jenkins core and various plugins that could allow attackers to access sensitive information, obtain encrypted secrets, and potentially execute arbitrary code on affected systems. To minimize exposure to these types of vulnerabilities, organizations should promptly apply available patches, implement proper access controls, regularly audit plugin usage, and maintain awareness of security advisories. In versions 2.5.3 and earlier, libraries defined in folders lack proper sandbox protection, enabling attackers with Item/Configure permission to execute arbitrary code within the Jenkins controller Java Virtual Machine (JVM). This vulnerability represents a significant security risk for organizations using the affected plugin, as it could compromise the Jenkins environment completely. These vulnerabilities expose sensitive credentials to any users with Item/Extended Read permission or access to the Jenkins controller file system. Earlier this year, a critical file read vulnerability (CVE-2024-23897) allowed attackers to read arbitrary files via Jenkins’ CLI, affecting an estimated 43% of cloud environments. Cyber Security News is a Dedicated News Platform For Cyber News, Cyber Attack News, Hacking News & Vulnerability Analysis. The frequency of Jenkins security advisories underscores the importance of maintaining proper security practices for CI/CD environments. Several plugins stored sensitive credentials in plain text, creating significant security risks. This advisory comes amid a series of security issues affecting Jenkins in recent months. This vulnerability enabled attackers to view sensitive files like /etc/passwd, encryption keys, and source code. Gurubaran is a co-founder of Cyber Security News and GBHackers On Security.
This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 03 Apr 2025 11:50:20 +0000