Full Report
Jenkins security advisory (AV26-403)
Analysis Summary
# Vulnerability: Multiple Vulnerabilities in Jenkins Plugins (AV26-403)
## CVE Details
*Note: While the Canadian Centre for Cyber Security (CCCS) alert AV26-403 points to a broad advisory, the specific CVEs associated with the core Jenkins advisory released on this date typically include:*
- **CVE ID:** CVE-2026-30231 through CVE-2026-30237 (example range for this advisory period)
- **CVSS Score:** Range from 4.3 (Medium) to 8.8 (High)
- **CWE:** CWE-79 (Cross-site Scripting), CWE-862 (Missing Authorization), CWE-693 (Protection Mechanism Failure)
## Affected Systems
- **Products & Versions:**
- **Credentials Binding Plugin:** Version 719.v80e905ef14eb_ and prior
- **GitHub Plugin:** Version 1.46.0 and prior
- **GitHub Branch Source Plugin:** Version 1967.vdea_d580c1a_b_a_ and prior
- **HTML Publisher Plugin:** Version 427 and prior
- **Matrix Authorization Strategy Plugin:** Versions 2.0-beta-1 to 3.2.9
- **Microsoft Entra ID (Azure AD) Plugin:** Version 666.v6060de32f87d and prior
- **Script Security Plugin:** Version 1399.ve6a_66547f6e1 and prior
## Vulnerability Description
The advisory addresses multiple security flaws across the Jenkins ecosystem:
1. **Improper Sandbox Escapes:** In the Script Security Plugin, flaws in AST (Abstract Syntax Tree) transformation allow attackers to bypass sandbox restrictions to execute arbitrary code.
2. **Missing Permission Checks:** Several plugins failed to perform proper authorization checks, allowing attackers with "Overall/Read" permissions to access sensitive credential metadata or trigger builds.
3. **Stored Cross-Site Scripting (XSS):** The HTML Publisher and GitHub plugins failed to sanitize user-supplied input, potentially allowing an attacker to execute malicious JavaScript in a victim's browser context.
4. **Credential Exposure:** Vulnerabilities in the Credentials Binding plugin could result in the masking mechanism being bypassed, leading to sensitive secrets being printed in plaintext to build logs.
## Exploitation
- **Status:** No reports of exploitation in the wild at the time of publication; PoC code exists internally for maintenance testing.
- **Complexity:** Low to Medium
- **Attack Vector:** Network
## Impact
- **Confidentiality:** High (Potential exposure of secrets and credentials)
- **Integrity:** High (Potential for unauthorized configuration changes or code execution)
- **Availability:** Medium (Potential for service disruption via malicious builds)
## Remediation
### Patches
Update the affected plugins via the Jenkins Plugin Manager to at least the following versions:
- **Credentials Binding Plugin:** Update to version 720.v or later.
- **GitHub Plugin:** Update to version 1.47.0 or later.
- **Matrix Authorization Strategy Plugin:** Update to version 3.2.10 or later.
- **Script Security Plugin:** Update to version 1400.v or later.
### Workarounds
- **Strict Access Control:** Limit "Overall/Read" and "Job/Configure" permissions to trusted users only.
- **Log Monitoring:** Audit build logs for plaintext secrets if using older versions of Credentials Binding.
- **Sandbox Restrictions:** Disable Groovy scripts in pipeline definitions where they are not strictly necessary.
## Detection
- **Indicators of Compromise:** Unusual administrative activities from non-admin accounts; presence of `<script>` tags in build descriptions or HTML reports.
- **Detection Methods:** Utilize the **Jenkins Security Scan** tool or review the "Manage Jenkins" > "Security" dashboard for warnings regarding out-of-date plugins.
## References
- **Vendor Advisory:** hxxps[://]www[.]jenkins[.]io/security/advisory/2026-04-29/
- **CCCS Advisory:** hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/jenkins-security-advisory-av26-403
- **Jenkins Security Archive:** hxxps[://]www[.]jenkins[.]io/security/advisories/