"It's what you would do to prank or screw a co-worker," Croy said.
Considering the flaws are rated as either medium or low severity, it may be tempting to wait until the affected plug-ins are fixed before updating Jenkins. That is an option, but Croy said administrators have to weigh the risks of not updating. The security profile of an Internet-facing Jenkins server is different from that of one used only internally. A corporate-wide Jenkins server may have a large number of users and a global reach, which can be a factor in deciding to update sooner rather than later.
"We strongly recommend Jenkins installations on hostile networks to apply the update as soon as possible," Croy said.