Channel: JavaWorld Security

Jenkins security patches could break plug-ins


Popular open source automation server Jenkins has fixed multiple security vulnerabilities. The latest version changes how plug-ins use build parameters, though, so developers will need to adapt to the new process.

The vulnerabilities affect all previous releases, including the mainline releases up to and including 2.2, and LTS releases up to and including 1.651.1. Administrators should update their Jenkins installations to mainline release Jenkins 2.3 or LTS 1.651.2.

One of the vulnerabilities fixed in this release involves how build parameters in Jenkins are passed to build scripts as environment variables. Depending on user access permissions and the plug-ins installed on the Jenkins server, malicious users would be able to trigger builds with arbitrary environment variables and modify the behavior of those builds, the Jenkins security advisory warned. In this situation, jobs could be defined with no parameters but still be built with parameters passed by the plug-ins. Variables like PATH and DYLD_LIBRARY_PATH could thus be set on jobs that didn't expect them, with unexpected results.
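The contrast the advisory describes, modelled as an added example (this is not Jenkins' own code): the pre-fix behaviour exports every submitted parameter into the build environment, while the hardened behaviour exports only parameters the job declares and records the rest so they can be alerted on. Job names, parameter values and the list of loader-sensitive variables are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List

# Variables that decide what a build process executes or loads; if a build can be
# triggered with these set, the trigger chooses the tools it runs (constructed list).
LOADER_SENSITIVE = {"PATH", "LD_LIBRARY_PATH", "LD_PRELOAD",
                    "DYLD_LIBRARY_PATH", "DYLD_INSERT_LIBRARIES"}


@dataclass
class JobDefinition:
    name: str
    declared_params: Dict[str, str]   # parameter name -> default value


@dataclass
class BuildEnv:
    env: Dict[str, str]
    rejected: List[str]               # submitted names the job never declared


def legacy_environment(submitted: Dict[str, str], base_env: Dict[str, str]) -> Dict[str, str]:
    """Pre-fix behaviour: every submitted parameter lands in the environment,
    even when the job declares no parameters at all."""
    env = dict(base_env)
    env.update(submitted)
    return env


def hardened_environment(job: JobDefinition, submitted: Dict[str, str],
                         base_env: Dict[str, str]) -> BuildEnv:
    """Hardened behaviour: a submitted parameter is exported only if the job
    declares it; anything undeclared is dropped and recorded."""
    env = dict(base_env)
    rejected = [name for name in submitted if name not in job.declared_params]
    for name, default in job.declared_params.items():
        env[name] = submitted.get(name, default)
    return BuildEnv(env, rejected)


def injected_loader_vars(result: BuildEnv) -> List[str]:
    """Undeclared parameters that target PATH or the dynamic loader: worth an alert."""
    return sorted(n for n in result.rejected if n in LOADER_SENSITIVE)


if __name__ == "__main__":
    # Constructed scenario: a job with no parameters, built with extra parameters anyway.
    job = JobDefinition("nightly", declared_params={})
    base = {"PATH": "/usr/bin:/bin", "HOME": "/var/lib/jenkins"}
    submitted = {"PATH": "/tmp/untrusted:/usr/bin", "DEBUG": "1"}
    print("legacy PATH  :", legacy_environment(submitted, base)["PATH"])
    result = hardened_environment(job, submitted, base)
    print("hardened PATH:", result.env["PATH"], "rejected:", result.rejected)
    print("alert on     :", injected_loader_vars(result))
```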

