Multiple Vulnerabilities in Jenkins Could Allow for Remote Code Execution


Multiple vulnerabilities have been discovered in Jenkins, the most severe of which could allow for remote code execution.

Jenkins (Core) is an open source automation server which is used for building, testing, and deploying software.
Git Server Plugin provides fundamental git operations for Jenkins projects.
GitLab Branch Source Plugin provides branch source and folder organization functionality for GitLab Repositories in Jenkins.
Log Command Plugin adds a command for the CLI that shows the log for a job’s build.
Matrix Project Plugin allows for multi-configuration job management.
Qualys Policy Compliance Scanning Connector Plugin is used to automate host or cloud instance compliance scans from Jenkins.
Red Hat Dependency Analytics Plugin is used to scan the dependency stack and give information related to vulnerabilities, popularity, maintainability, and compatibility.

Successful exploitation of the most severe of these vulnerabilities could allow for remote code execution in the context of the affected service account. Depending on the privileges associated with the service account, an attacker could then install programs, or view, change, or delete data. Service accounts that are configured with fewer user rights on the system could be less impacted than those that operate with administrative user rights.
