Anyone who uses the Jenkins automation server for development should read the developer's current security advisory carefully. It contains information on recently discovered vulnerabilities and the corresponding patches. However, some security updates are still a long way off.
Jenkins is an automation server that can be used to automate various tasks involved in building and testing software.
Patch now! Or disable plugins
As the advisory shows, most of the vulnerabilities are rated “medium”. They affect Jenkins itself as well as several plugins. Among others, a vulnerability (CVE-2022-20617) in the Docker Commons Plugin is rated “high”: attackers with certain permissions could execute their own commands after a successful attack. Version 1.18 is protected against such attacks.
Attackers could likewise run their own commands against the Debian Package Builder Plugin up to and including version 1.6.11 (CVE-2022-23118, rated “high”). There is no security patch for this yet, and it is currently unknown when one will be available.
Further details on the vulnerabilities and security updates can be found in the advisory.