CloudBees Jenkins Platform Security Advisory 2016-07-05

This advisory announces a vulnerability in the CloudBees Template Plugin.

 

Failure to enforce template read permission

CJP-4615

The CloudBees Template Plugin did not prevent users without access to a specific template from creating jobs that reference that template via the API. Secrets that the template transformation adds to job configurations could therefore be exposed to users who have access neither to the template nor to other jobs based on that template.

Severity: 
  • CJP-4615 is considered low

 

Fix: 
  • Users of CloudBees Jenkins Platform 1.642.x.y should update it to version 1.642.18.3, or update the CloudBees Template Plugin to version 4.24.
  • Users of CloudBees Jenkins Platform 1.625.x.y should update it to version 1.625.18.3, or update the CloudBees Template Plugin to version 4.24.
  • Users of CloudBees Jenkins Platform 1.609.x.y should update it to version 1.609.18.3, or update the CloudBees Template Plugin to version 4.22.1.
  • DEV@cloud is already protected.
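
One way to apply the Fix list above to an inventory of instances, given as an added example that is not part of the advisory or of any CloudBees code. It treats either condition in a bullet as sufficient. As an assumption of this example, it reports cases the advisory does not address (an unlisted release line, or a plugin such as 4.23 on the 1.609 line) as unconfirmed rather than fixed. The function names and sample instances are constructed.

```python
import re

# Fixed versions copied from the advisory's Fix list, keyed by release line.
FIXES = {
    (1, 642): {"platform": (1, 642, 18, 3), "plugin": (4, 24)},
    (1, 625): {"platform": (1, 625, 18, 3), "plugin": (4, 24)},
    (1, 609): {"platform": (1, 609, 18, 3), "plugin": (4, 22, 1)},
}
NEWEST_FIX = (4, 24)  # highest plugin version the advisory names as fixed


def parse(version):
    """Turn '1.642.18.3' into (1, 642, 18, 3); reject non-numeric strings."""
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        raise ValueError(f"unsupported version string: {version!r}")
    return tuple(int(part) for part in version.split("."))


def at_least(version, floor):
    """Compare dotted versions after zero-padding, so 4.24 == 4.24.0."""
    width = max(len(version), len(floor))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(version) >= pad(floor)


def cjp_4615_status(platform, plugin):
    """Return 'fixed', 'vulnerable' or 'unconfirmed' for one instance."""
    plat, plug = parse(platform), parse(plugin)
    fix = FIXES.get(plat[:2])
    if fix is None:
        return "unconfirmed"  # release line is not listed in the advisory
    if at_least(plat, fix["platform"]) or at_least(plug, NEWEST_FIX):
        return "fixed"
    if plug[:2] == fix["plugin"][:2] and at_least(plug, fix["plugin"]):
        return "fixed"  # backported fix on the same plugin branch (4.22.1)
    if at_least(plug, fix["plugin"]):
        return "unconfirmed"  # e.g. 4.23: newer than the backport, not named
    return "vulnerable"


if __name__ == "__main__":
    # Constructed inventory: (instance name, platform version, plugin version).
    for name, plat, plug in [("ci-a", "1.642.10.1", "4.23"),
                             ("ci-b", "1.609.14.1", "4.22.1"),
                             ("ci-c", "1.609.14.1", "4.23")]:
        print(name, cjp_4615_status(plat, plug))
```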