CyberSecurityBoard
Sponsor Register Login

Multiple Jenkins Vulnerability Let Attackers Expose Secrets

Cyber Security News is a Dedicated News Platform For Cyber News, Cyber Attack News, Hacking News & Vulnerability Analysis. CloudBees credited Antoine Ruffino, Daniel Beck, and XBOW for discovering these issues, reaffirming the critical role of coordinated disclosure in maintaining CI/CD ecosystem security. These flaws, patched in versions 2.500 (weekly) and 2.492.2 (LTS), affect earlier releases, including Jenkins 2.499 and LTS 2.492.1. Potential impacts range from credential theft to phishing campaigns. This bypasses Jenkins’ security controls to mask sensitive data, exposing credentials like API keys, database passwords, and cryptographic tokens. Kaaviya is a Security Editor and fellow reporter with Cyber Security News. While Jenkins redacts secrets for users lacking Agent/Configure or View/Configure permissions, earlier versions failed to enforce this during API/CLI interactions. Attackers with Agent/Extended Read or View/Read permissions could exploit REST API or CLI endpoints to retrieve config.xml files containing unredacted secrets. As Jenkins remains a high-value target for supply chain attacks, proactive patch management and least-privilege access controls are imperative. The vulnerability underscores flawed endpoint design—Jenkins historically permitted GET methods for widget state changes, neglecting CSRF token validation. She is covering various cyber security incidents happening in the Cyber Space. Exploiting this, attackers could inject arbitrary strings into victims’ user profiles, creating persistence mechanisms for stored XSS or data exfiltration. The patch enforces POST requests, aligning with REST security best practices. This facilitates phishing by redirecting users to malicious domains under the guise of Jenkins internal links. CloudBees engineers linked these flaws to SECURITY-266, a 2016 vulnerability involving similar exposure vectors. Post-patch, Jenkins 2.500/LTS 2.492.2 rejects such URLs, mitigating phishing risks.

This Cyber News was published on cybersecuritynews.com. Publication date: Fri, 07 Mar 2025 12:25:08 +0000


Cyber News related to Multiple Jenkins Vulnerability Let Attackers Expose Secrets

You Don't Know Where Your Secrets Are - Do you know where your secrets are? If not, I can tell you: you are not alone. Hundreds of CISOs, CSOs, and security leaders, whether from small or large companies, don't know either. No matter the organization's size, the certifications, tools, ...
2 years ago Thehackernews.com
Securing the code: navigating code and GitHub secrets scanning - Enter the world of GitHub secrets scanning tools, the vigilant sentinels of your digital gala. Secrets scanning in GitHub is anchored by two fundamental strategies: proactive prevention and reactive detection, each serving a critical function in ...
1 year ago Securityboulevard.com
CVE-2024-23897: Assessing the Impact of the Jenkins Arbitrary File Leak Vulnerability - Last Wednesday, on January 24, 2024, the Jenkins team issued a security advisory disclosing a critical vulnerability, CVE-2024-23897, affecting the Jenkins CI/CD tool. This advisory set off alarm bells among the infosec community because the ...
1 year ago Securityboulevard.com CVE-2024-23897 CVE-2023-23897
PoC Exploits Heighten Risks Around Critical New Jenkins Vuln - Internet-exposed Jenkins servers remain unpatched against a critical, recently disclosed arbitrary file-read vulnerability for which proof-of-exploit code is now publicly available. CVE-2024-23897 affects the built-in Jenkins command line interface ...
1 year ago Darkreading.com CVE-2024-23897
Over 12 million auth secrets and keys leaked on GitHub in 2023 - GitHub users accidentally exposed 12.8 million authentication and sensitive secrets in over 3 million public repositories during 2023, with the vast majority remaining valid after five days. The exposed secrets include account passwords, API keys, ...
1 year ago Bleepingcomputer.com
Honeytokens for Peace Of Mind - If you have been tackling the realities of secrets sprawl, getting a handle on all the hardcoded credentials in your organization, then we understand the stress and the restless nights that can bring. Even a small team can add hundreds of secrets a ...
1 year ago Feeds.dzone.com
Privileged Access Management for DevOps - Recently, KuppingerCole released the first edition of its Leadership Compass for Privileged Access Management for DevOps. The KuppingerCole report recognizes the unique and complex challenges that exist in DevOps and other dynamic environments. The ...
2 years ago Beyondtrust.com Patchwork
CVE-2024-28236 - Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. Vela pipelines can use variable substitution combined with insensitive fields like `parameters`, `image` and `entrypoint` to inject secrets into a ...
1 year ago
GitGuardian Report: 70% of Leaked Secrets Remain Active for Two Years, Urging Immediate Remediation - GitGuardian, the security leader behind GitHub’s most installed application, today released its comprehensive “2025 State of Secrets Sprawl Report,” revealing a widespread and persistent security crisis that threatens organizations ...
1 month ago Cybersecuritynews.com
new detectors, your favorite features, and what's coming next in GitGuardian - GitGuardian Secrets Detection More detectors = more secrets caught. Every detector has its comprehensive ID card in the public documentation, outlining the secret type, its intended usage and scope, and detailed steps for revocation. If you haven't ...
1 year ago Securityboulevard.com
The Secret Weakness Execs Are Overlooking: Non-Human Identities - By shifting our focus to secrets security and adopting a comprehensive approach that includes robust detection, automated remediation, and integration with identity systems, organizations can significantly reduce their attack surface and bolster ...
6 months ago Thehackernews.com
GitHub expands security tools after 39 million secrets leaked in 2024 - Standalone Secret Protection and Code Security – Now available as separate products, these tools no longer require a full GitHub Advanced Security license, making them more affordable for smaller teams. GitHub announced updates to its Advanced ...
4 weeks ago Bleepingcomputer.com
Multiple Jenkins Vulnerability Let Attackers Expose Secrets - Cyber Security News is a Dedicated News Platform For Cyber News, Cyber Attack News, Hacking News & Vulnerability Analysis. CloudBees credited Antoine Ruffino, Daniel Beck, and XBOW for discovering these issues, reaffirming the critical role of ...
1 month ago Cybersecuritynews.com
Kubernetes Security: Sensitive Secrets Exposed - Cybersecurity researchers are warning of Kubernetes security issues amid the exposure of configuration secrets. Researchers believe that such attacks could be orchestrated using Kubernetes secrets exposed in public repositories as they allow access ...
1 year ago Securityboulevard.com
Entro Security Newest Competitor in 2024 'ASTORS' Awards Program - Secrets management and monitoring are crucial components of any security program. Entro is a holistic secret security platform designed specifically for security teams and CISOs. To ensure that doesn't happen, Entro offers an exclusive secrets ...
1 year ago Americansecuritytoday.com
Multiple Jenkins Plugin Vulnerability Let Attackers Access Sensitive Information - Eight distinct vulnerabilities observed across Jenkins core and various plugins that could allow attackers to access sensitive information, obtain encrypted secrets, and potentially execute arbitrary code on affected systems. To minimize exposure to ...
3 weeks ago Cybersecuritynews.com CVE-2024-23897
45k Jenkins servers exposed to RCE attacks using public exploits - Researchers found roughly 45,000 Jenkins instances exposed online that are vulnerable to CVE-2023-23897, a critical remote code execution flaw for which multiple public proof-of-concept exploits are in circulation. Jenkins is a leading open-source ...
1 year ago Bleepingcomputer.com CVE-2023-23897
GitHub Action supply chain attack exposed secrets in 218 repos - The compromise of GitHub Action tj-actions/changed-files has impacted only a small percentage of the 23,000 projects using it, with it estimated that only 218 repositories exposed secrets due to the supply chain attack. According to data shared by ...
1 month ago Bleepingcomputer.com
Critical Jenkins Vulnerability Leads to Remote Code Execution - A critical vulnerability in the built-in command line interface of Jenkins allows attackers to obtain cryptographic keys that can be used to execute arbitrary code remotely. Unauthenticated attackers could exploit the security defect to read the ...
1 year ago Securityweek.com CVE-2024-23897 CVE-2024-23904
Secure Your Secrets With.env - Using environment variables to store secrets instead of writing them directly into your code is one of the quickest and easiest ways to add a layer of protection to your projects. There are many ways to use them, but a properly utilized `.env` file ...
1 year ago Feeds.dzone.com Inception
The Art and Science of Container Security - As the adoption of containers accelerates, so does the imperative for robust container security strategies. The interconnected realms of containers and the cloud have given rise to innovative security patterns designed to address the unique ...
1 year ago Feeds.dzone.com
Exploits released for critical Jenkins RCE flaw, patch now - Multiple proof-of-concept exploits for a critical Jenkins vulnerability allowing unauthenticated attackers to read arbitrary files have been made publicly available, with some researchers reporting attackers actively exploiting the flaws in attacks. ...
1 year ago Bleepingcomputer.com CVE-2024-23897 CVE-2024-23898
AWS CloudQuarry: Digging for Secrets in Public AMIs - Money, secrets and mass exploitation: This research unveils a quarry of sensitive data stored in public AMIs. As a best practice, AMI creators should not include credentials, including AWS account credentials, in published AMIs. We wanted to scan all ...
11 months ago Packetstormsecurity.com
GitHub Action hack likely led to another in cascading supply chain attack - Last week, a supply chain attack on the tj-actions/changed-files GitHub Action caused malicious code to write CI/CD secrets to the workflow logs for 23,000 repositories. A cascading supply chain attack that began with the compromise of the ...
1 month ago Bleepingcomputer.com
Tracking Everything on the Dark Web Is Mission Critical - COMMENTARYOne of the standard cybersecurity tools today is to relentlessly check the Dark Web - the preferred workplace for bad guys globally - for any hints that your enterprise's secrets and other intellectual property have been exfiltrated. It ...
1 year ago Darkreading.com Equation

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)