
Jenkins plugs 11 security holes with two updates

Zero-day vulnerability stoppered

Jenkins says it has fixed a range of security vulnerabilities in the open source integration tool with a brace of fresh releases.

Versions 1.638 and 1.625.2 of the open source integration tool hit the streets yesterday, presumably capping a frantic race to plug a zero-day vulnerability which surfaced last Friday.

That vulnerability left Jenkins exposed to an attack through the Jenkins CLI subsystem. The project advised users to disable or remove CLI support inside the running Jenkins server as a temporary workaround. The vuln was regarded as low risk.

The new updates fix this and ten more vulnerabilities. Three of these were listed as critical, including one which allowed “malicious users to circumvent CSRF protection by generating the correct token”.

The second critical flaw concerned a secret key that allowed malicious users to connect as slaves, take over Jenkins and access private data. The third critical flaw centred on unsafe deserialization, which allowed remote attackers to run arbitrary code on the Jenkins master.

On the remaining vulnerabilities, one was considered high, four were medium, and the remainder were low. ®
