Security flaws in 100 Jenkins plugins put enterprise networks at risk
A security researcher has found and reported security flaws in more than 100 different Jenkins plugins over the last 18 months, and despite efforts to notify developers, many of these plugins have not received a fix. NCC Group Security Consultant Viktor Gazdag is credited with discovering all the vulnerabilities, all of which impact plugins for Jenkins, a common web-based application used by developer teams.

The most common vulnerabilities
The NCC Group researcher said that one of the most common security flaws he found was that many Jenkins plugins stored passwords in cleartext inside their configuration files, rather than using the main Jenkins credentials.xml file, which automatically encrypts all data stored inside it.
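
An administrator can check their own instance for this pattern. The following is an added example, not code from the article or from the Jenkins project: it flags secret-like elements in a plugin's XML configuration whose value is not in encrypted form. It assumes Jenkins serializes encrypted values as base64 wrapped in braces; the tag-name list, the plugin name and all sample values are constructed.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Assumed list of element names that usually hold a secret; extend per plugin.
SECRET_TAG = re.compile(r"pass(word|wd|phrase)|secret|token|api_?key", re.I)
# Assumption: Jenkins serializes an encrypted Secret as "{<base64>}".
ENCRYPTED = re.compile(r"^\{([A-Za-z0-9+/]+={0,2})\}$")
XML_DECL = re.compile(r"^\s*<\?xml[^>]*\?>")

# Constructed sample of a plugin config file (hypothetical plugin and values).
SAMPLE = """<?xml version='1.1' encoding='UTF-8'?>
<com.example.DeployPlugin plugin="example-deploy@1.0">
  <server>https://deploy.example.invalid</server>
  <username>ci-bot</username>
  <password>hunter2-constructed</password>
  <apiToken>{QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=}</apiToken>
</com.example.DeployPlugin>"""


def looks_encrypted(value):
    """True if value has the shape of a Jenkins-encrypted Secret."""
    m = ENCRYPTED.match(value)
    if not m:
        return False
    try:  # treat anything shorter than one 16-byte cipher block as not encrypted
        return len(base64.b64decode(m.group(1), validate=True)) >= 16
    except ValueError:
        return False


def find_cleartext_secrets(xml_text):
    """Return element paths of secret-like fields stored unencrypted.
    Values are never returned, so the report itself leaks nothing."""
    # Newer Jenkins versions write an XML 1.1 declaration, which not every
    # parser accepts; drop the declaration before parsing.
    root = ET.fromstring(XML_DECL.sub("", xml_text, count=1))
    stack, findings = [(root, "/" + root.tag)], []
    while stack:
        node, path = stack.pop()
        text = (node.text or "").strip()
        if SECRET_TAG.search(node.tag) and text and not looks_encrypted(text):
            findings.append(path)
        stack.extend((child, f"{path}/{child.tag}") for child in node)
    return sorted(findings)
```

To audit an instance, run `find_cleartext_secrets` over each `*.xml` file under the Jenkins home directory and review every reported path.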
Source: www.zdnet.com