With over a thousand community-contributed Jenkins plug-ins it can be hard to pick one for a given task. Well, it has just gotten a bit easier, since Jenkins published a security advisory pointing out a long list of issues in plugins without fixes.
Publishing reports like this to make users aware of issues is routine for the automation server's security team; the previous one came out in late March. Usually, however, fixes accompany them.
The current advisory is unusually extensive, listing 55 plugins with issues of varying severity, and only two of them have an update that actually removes the vulnerability. Admins are encouraged to check the list and reconsider further use, since most of the bugs concern credentials that the plugin stores unencrypted in its configuration on the Jenkins master, where anyone with access to the file system or to the plugin's configuration can read them. Most of these were reported by a single researcher as well.
Plugins affected include the one for the IRC chat client, Jira Issue Updater, Bitbucket Approve Plugin, WildFly Deployer, Aqua Security Scanner, and the AWS CloudWatch Logs Publisher. Fixes are available for issues in the Netsparker Cloud Scan Plugin and youtrack-plugin.
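To show what "stores credentials in plain text" means in plugin code, here is an added illustration; it is not code from any plugin named in the advisory, and the class and field names are hypothetical. Jenkins persists plugin configuration objects to config.xml with XStream, so a password held in a plain String field is written to disk as clear text. Holding it in hudson.util.Secret instead makes Jenkins write the value encrypted with the instance's key, and a readResolve migration converts configurations saved by the older version.

```java
// Added example; hypothetical class names, not from any plugin on the advisory list.
import hudson.util.Secret;
import org.kohsuke.stapler.DataBoundConstructor;

// Before: XStream serializes this object to config.xml, so the password lands
// on disk as <password>hunter2</password> in clear text.
class PlainTextDeployer {
    private final String password;

    @DataBoundConstructor
    public PlainTextDeployer(String password) {
        this.password = password;
    }

    public String getPassword() {
        return password;
    }
}

// After: a Secret is serialized in encrypted form. The matching Jelly form
// should use <f:password> so the value round-trips as a Secret and is masked
// in the browser.
class SecretDeployer {
    /**
     * Legacy clear-text field, kept only so configurations saved by the old
     * version still load. Jenkins idiom: transient so it is never written out
     * again, while Jenkins' XStream still reads it in during deserialization.
     */
    @Deprecated
    private transient String password;

    private Secret secretPassword;

    @DataBoundConstructor
    public SecretDeployer(Secret secretPassword) {
        this.secretPassword = secretPassword;
    }

    public Secret getSecretPassword() {
        return secretPassword;
    }

    /** Invoked after deserialization: migrate a legacy clear-text value. */
    private Object readResolve() {
        if (password != null) {
            secretPassword = Secret.fromString(password);
            password = null; // the next save writes only the encrypted form
        }
        return this;
    }

    /** Decrypt only at the point of use, never in a getter exposed to the UI or API. */
    String passwordForRequest() {
        return Secret.toString(secretPassword);
    }
}
```

A quick check for an installed plugin is to look at its job or global configuration XML under JENKINS_HOME: a Secret shows up as an opaque base64-like value, whereas a vulnerable plugin writes the credential literally.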
In a blog post to go along with the report, core maintainer Daniel Beck describes the usual procedure for security issues: “The Jenkins security team triages incoming reports both to Jira and our non-public mailing list. Once we’ve determined it is a plugin not maintained by any Jenkins security team members, we try to inform the plugin maintainer about the issue, offering our help in developing, reviewing, and publishing any fixes.”
When maintainers fail to respond or the plugin turns out to be unmaintained, however, an advisory is published. That way, users are informed about potential dangers and can step in if they feel they can help.
Unmaintained plugins are marked as such and can be adopted. In the absence of objections, the new maintainer is granted commit access and is expected to start slowly, submitting changes as pull requests rather than direct commits. This is especially important since the existing users are inherited along with the plugin, which is why compatibility should be preserved.