Use of Deprecated or Vulnerable Plugins
ID: unsecured_plugin
Severity: critical
Family: CI/CD tools
Tags: cicd-sec-08, cicd-security, infrastructure, reachable, security, supply-chain
Description
This detector reports Jenkins plugins that carry security warnings or deprecation notices at the Jenkins update center. Jenkins shows the same warnings and deprecations on the plugin administration page of each Jenkins server.
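As an added illustration (not part of this detector's documentation or its own code), the following Python check performs the same comparison offline: it matches a server's installed plugin list against the update center's security warnings and deprecations. It assumes the field names of the update center's update-center.actual.json (`warnings` entries with `name`, `type`, `id`, `message`, `url` and `versions[].pattern`; a `deprecations` map) and of a server's `/pluginManager/api/json?depth=1` response (`shortName`, `version`); both documents are replaced by constructed samples here, so verify the field names against the live documents before relying on them.

```python
import json
import re

# Constructed sample of the update center's update-center.actual.json, reduced to the
# "warnings" and "deprecations" entries this check reads. Names, ids and URLs are
# placeholders, not real advisories.
UPDATE_CENTER = json.loads("""
{"warnings": [
   {"type": "plugin", "id": "SECURITY-EXAMPLE-1", "name": "example-analyzer",
    "message": "XXE vulnerability", "url": "https://example.invalid/advisory/1",
    "versions": [{"lastVersion": "1.1.0", "pattern": "1[.][01](|[.-].*)"}]}],
 "deprecations": {"old-helper": {"url": "https://example.invalid/deprecated/old-helper"}}}
""")

# Constructed sample of a server's /pluginManager/api/json?depth=1 response.
INSTALLED = json.loads("""
{"plugins": [
   {"shortName": "example-analyzer", "version": "1.1.0", "enabled": true},
   {"shortName": "other-tool", "version": "1.2.0", "enabled": true},
   {"shortName": "old-helper", "version": "3.4", "enabled": false}]}
""")

def affected(warning, version):
    """True if the installed version matches one of the warning's version regexes."""
    return any(re.fullmatch(v["pattern"], version) for v in warning["versions"])

def find_unsecured_plugins(update_center, installed):
    """One finding per installed plugin with a matching security warning or a deprecation."""
    warnings = [w for w in update_center["warnings"] if w.get("type") == "plugin"]
    deprecations = update_center.get("deprecations", {})
    findings = []
    for p in installed["plugins"]:
        name, version = p["shortName"], p["version"]
        for w in warnings:
            if w["name"] == name and affected(w, version):
                findings.append({"plugin": name, "version": version, "kind": "security",
                                 "id": w["id"], "message": w["message"], "url": w["url"]})
        if name in deprecations:
            findings.append({"plugin": name, "version": version, "kind": "deprecated",
                             "id": None, "message": "plugin is deprecated",
                             "url": deprecations[name]["url"]})
    return findings

if __name__ == "__main__":
    for f in find_unsecured_plugins(UPDATE_CENTER, INSTALLED):
        print(f"{f['kind']:<10} {f['plugin']} {f['version']}: {f['message']} ({f['url']})")
```

Disabled plugins are still reported, since a disabled but installed plugin can be re-enabled and still needs the fixed version.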
Security
Running Jenkins plugins with known vulnerabilities poses a serious threat to the security of the system.
Jenkins continuously publishes security advisories covering the plugins used to extend the software. Some of these advisories may be rated high severity, meaning that successful exploitation can cause significant damage and put enterprise networks at risk.
Examples
AbsInt a³ Jenkins Plugin, Version 1.1.0. Provides Jenkins integration for the AbsInt Advanced Analyzer (a³) tools. Warning: The currently installed plugin version may not be safe to use. Please review the following security notices: XXE vulnerability
The warning shown above links to the corresponding security issue page (XXE vulnerability), where the advisory can be reviewed.
Mitigation / Fix
Any plugin marked with a warning should be updated to a non-vulnerable version, or replaced if no fixed version is available.
The Security Advisory for Jenkins Plugins contains a "Fix" section with recommendations for fixing or mitigating the security problem. Updating to a fixed version is the most common recommendation.