A high-severity vulnerability has been discovered in the Jenkins JDepend Plugin, which could allow an attacker to compromise the Jenkins environment. Successful exploitation could lead to an attacker gaining administrative control, stealing sensitive data like source code and credentials, and potentially injecting malicious code into the software build and deployment pipeline. Organizations are urged to apply the vendor-supplied security update immediately to mitigate this significant risk to their development infrastructure.

The Jenkins JDepend Plugin is vulnerable to a stored cross-site scripting (XSS) attack. An attacker with permission to configure jobs can inject malicious HTML and JavaScript code into a project's configuration parameters. This malicious code is then stored on the Jenkins server and is executed in the browser of any user who views the affected project's page, including administrators. This could allow the attacker to steal session cookies, impersonate high-privilege users, and perform administrative actions on their behalf, leading to a full compromise of the Jenkins instance.

This vulnerability is rated as High severity with a CVSS score of 7.1. Exploitation poses a direct threat to the integrity and confidentiality of the organization's software supply chain. An attacker could leverage this vulnerability to escalate privileges, access and exfiltrate sensitive source code, API keys, and other credentials stored within Jenkins. The most severe risk is the potential for an attacker to manipulate the CI/CD pipeline to inject malicious backdoors or malware into production software, leading to a widespread compromise of downstream customers and significant reputational and financial damage.

Immediate Action: Apply vendor security updates immediately to all Jenkins instances running the affected JDepend Plugin. After patching, monitor for any signs of exploitation attempts by reviewing Jenkins access logs for unusual or unauthorized configuration changes to build jobs.

Proactive Monitoring: Security teams should actively monitor Jenkins server logs for suspicious activity, such as unexpected modifications to job config.xml files, particularly the injection of <script> or other HTML tags. Monitor network traffic for unusual outbound connections from the Jenkins server, which could indicate data exfiltration or command-and-control communication. Set up alerts for any builds that are triggered or modified outside of normal operational patterns.

Compensating Controls: If immediate patching is not feasible, implement the following controls to reduce risk:

• Strictly limit "Job/Configure" permissions to a minimal number of highly trusted administrators.
• Implement a Web Application Firewall (WAF) with rules designed to detect and block common XSS payloads.
• Enforce a strong Content Security Policy (CSP) on the Jenkins web server to prevent the execution of untrusted inline scripts.
• Regularly audit job configurations for any suspicious or unrecognized code snippets.

Public Exploit Available: false

Given the high-severity rating and the critical role of Jenkins in the software development lifecycle, this vulnerability requires immediate attention. Although not currently listed on the CISA KEV catalog, its potential for enabling supply chain attacks makes it a significant threat. We strongly recommend that organizations prioritize the deployment of the vendor-provided patch across all affected systems without delay. In parallel, implement the proactive monitoring and compensating controls detailed above to enhance detection capabilities and provide layered defense against potential exploitation.