Jenkins has released a major security advisory addressing seven vulnerabilities across widely used plugins, highlighting ongoing risks in modern CI/CD environments. Among these, three flaws have been rated as high severity, exposing systems to serious threats such as remote code execution, stored cross-site scripting (XSS), unsafe deserialization, and open redirect attacks.
The most critical issue, tracked as CVE-2026-42520, impacts the Credentials Binding Plugin. This vulnerability stems from improper validation of file names, allowing attackers to exploit path traversal and write files to unintended locations on the system. In certain configurations, especially where lower-privileged users can supply credentials, this flaw can escalate into full remote code execution within CI/CD pipelines. Jenkins has addressed the issue in an updated version by enforcing stricter file name sanitization.
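To illustrate the class of check the advisory describes (rejecting file names that can escape the directory a credential is written to), here is an added example written for this article; it is not the Credentials Binding Plugin's own code, and the base directory and sample names are constructed assumptions.

```python
"""Illustrative validation of a user-supplied credential file name.
Added example, not the plugin's code: assumes the credential file is
written under a fixed per-build directory and only a bare file name
(no directory components) is acceptable."""
from pathlib import Path, PurePosixPath, PureWindowsPath


class UnsafeFileName(ValueError):
    """Raised when a supplied file name could escape the target directory."""


def sanitize_file_name(name: str) -> str:
    """Accept only a bare file name: no separators, no traversal components."""
    if not name or name.strip() in ("", ".", ".."):
        raise UnsafeFileName(f"empty or reserved name: {name!r}")
    # Reject NUL bytes and both separator styles, regardless of host OS,
    # so a backslash traversal is not missed when validating on Linux.
    if "\x00" in name or "/" in name or "\\" in name:
        raise UnsafeFileName(f"separator or NUL in name: {name!r}")
    # A bare name must survive both path flavours unchanged (catches "C:x").
    if PurePosixPath(name).name != name or PureWindowsPath(name).name != name:
        raise UnsafeFileName(f"not a bare file name: {name!r}")
    return name


def is_safe_file_name(name: str) -> bool:
    """Boolean form of sanitize_file_name for policy checks and tests."""
    try:
        sanitize_file_name(name)
        return True
    except UnsafeFileName:
        return False


def resolve_within(base_dir: str, name: str) -> str:
    """Second line of defence: resolve the final path and confirm that its
    parent is exactly the intended base directory (symlinks resolved)."""
    base = Path(base_dir).resolve()
    target = (base / sanitize_file_name(name)).resolve()
    if target.parent != base:
        raise UnsafeFileName(f"{name!r} resolves outside {base}")
    return str(target)


if __name__ == "__main__":
    # Constructed sample names a build might supply for a bound credential.
    for candidate in ("id_rsa", "token.txt", "../authorized_keys",
                      "..\\..\\agent.jar", "/etc/cron.d/job", "C:secret"):
        print(f"{candidate!r:>22} -> {'ok' if is_safe_file_name(candidate) else 'rejected'}")
```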
Two additional high-severity vulnerabilities were discovered in plugins tied to widely used development workflows. The GitHub Plugin flaw (CVE-2026-42523) allows attackers with minimal permissions to execute stored XSS attacks through improper handling of job URLs in JavaScript. Similarly, the HTML Publisher Plugin vulnerability (CVE-2026-42524) arises from insufficient escaping of job names and URLs, creating another pathway for persistent script injection. Both vulnerabilities have been patched, although some mitigations, such as enforcing Content Security Policy, may still be required in certain environments.
Other issues addressed in the advisory include missing permission checks in multiple plugins, unsafe deserialization in the Matrix Authorization Strategy Plugin, and an open redirect flaw affecting the Microsoft Entra ID plugin. While these may vary in severity, they collectively demonstrate how plugin ecosystems can introduce layered security risks if not properly maintained.
All vulnerabilities were responsibly disclosed through the Jenkins Bug Bounty Program, supported by the European Commission and coordinated via YesWeHack. This collaborative effort highlights the importance of continuous security testing and responsible disclosure in maintaining the integrity of widely used platforms.
Jenkins has strongly urged users to apply updates immediately through the Plugin Manager, with particular emphasis on prioritizing fixes for the Credentials Binding and GitHub plugins due to their high severity and ease of exploitation. As CI/CD pipelines remain central to software development, ensuring their security is essential to protecting both code and infrastructure from increasingly sophisticated threats.