Jenkins is an open-source automation server written in Java. There are several plugins that exist to integrate Jenkins with other pieces of software, such as GitLab. Today, Cisco Talos is disclosing vulnerabilities in three of these plugins: Swarm, Ansible and GitLab. All three of these are information disclosure vulnerabilities that could allow an attacker to trick the plugin into disclosing credentials from the Jenkins credential database to a server that they control.
In accordance with our coordinated disclosure policy, Cisco Talos worked with Jenkins and the associated companies to ensure that these issues are resolved and that updates are available for affected customers.
Read more over at the Talos blog here.