CloudBees Security Advisory 2017-06-06

This advisory announces a vulnerability in the Favorite Plugin.

Missing permission check in Favorite Plugin allows anyone to change favorites for any other user

JENKINS-44643

A missing permission check allowed any user to add or remove favorites for any other user. The API was changed so users cannot change another user’s favorites, only their own.

CSRF vulnerability in Favorite Plugin allows changing another user’s favorites

SECURITY-532

An API used to add and remove a favorite was vulnerable to CSRF, allowing attackers to change the victim’s favorites. The API now requires requests to be sent via POST, which is subject to the CSRF protection configurable in Jenkins global security configuration.
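The two defect classes above (a state-changing endpoint that takes the target user from the request and that answers GET) and the shape of the fix the advisory describes (operate only on the caller's own record, accept only POST so the Jenkins crumb check applies) can be illustrated on a small Jenkins action. The following is an added example, not code from the Favorite Plugin or from CloudBees; the class, method and parameter names, the in-memory store, and the `favoriteToggle` URL segment are assumptions, and attaching the action to a model object is omitted.

```java
// Added illustration, not the Favorite Plugin's own code. A hypothetical Jenkins
// action showing the vulnerable pattern next to the hardened one described in
// the advisory. Names, package and the in-memory store are assumptions.
package example; // hypothetical package

import hudson.model.Action;
import hudson.model.User;
import org.kohsuke.stapler.HttpResponse;
import org.kohsuke.stapler.HttpResponses;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

public class FavoriteToggleAction implements Action {

    // Hypothetical store standing in for the plugin's persistence: user id -> favorited job names.
    private static final ConcurrentHashMap<String, Set<String>> FAVORITES = new ConcurrentHashMap<>();

    // BEFORE (vulnerable, matching the advisory's description):
    //  - the target user is taken from the request, so any caller can edit anyone's
    //    favorites (the missing permission check, JENKINS-44643);
    //  - the method is reachable via GET, so a page the victim merely visits can
    //    trigger it and the crumb check never applies (the CSRF issue, SECURITY-532).
    public HttpResponse doToggleFavoriteUnsafe(@QueryParameter String userName,
                                               @QueryParameter String job) {
        toggle(userName, job);
        return HttpResponses.ok();
    }

    // AFTER (hardened along the lines the advisory states):
    //  - there is no user parameter; the record modified is always the authenticated
    //    caller's own, so there is nothing for a permission check to get wrong;
    //  - @RequirePOST rejects GET, which means the request goes through Jenkins'
    //    CSRF crumb validation whenever that protection is enabled globally.
    @RequirePOST
    public HttpResponse doToggleFavorite(@QueryParameter String job) {
        User current = User.current();
        if (current == null) {
            // Anonymous callers have no favorites to edit.
            return HttpResponses.forbidden();
        }
        toggle(current.getId(), job);
        return HttpResponses.ok();
    }

    // Flip the favorite state of one job for one user.
    private static void toggle(String userId, String job) {
        Set<String> favs = FAVORITES.computeIfAbsent(userId, k -> ConcurrentHashMap.newKeySet());
        if (!favs.remove(job)) {
            favs.add(job);
        }
    }

    // Action boilerplate: no sidebar entry, reachable under the "favoriteToggle" URL segment.
    @Override public String getIconFileName() { return null; }
    @Override public String getDisplayName() { return null; }
    @Override public String getUrlName() { return "favoriteToggle"; }
}
```

The hardened method removes the user parameter entirely rather than adding a comparison against the caller, so the only favorites list reachable through the endpoint is the caller's own. Note that `@RequirePOST` by itself only refuses non-POST requests; the CSRF defence it enables is the crumb check, which an administrator still has to have turned on in the global security configuration, as the advisory states.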
Severity:

Fix:

Users of Favorite Plugin should update it to version 2.3.0 or newer:

  • CloudBees Jenkins Enterprise:
    • For users in version 1.6.3 with CAP enabled, Beekeeper will offer the update (only for Managed Masters running version 2.46.2.1).
    • Users in versions older than 1.6.3 should upgrade to 1.6.3.
    • Users with CAP disabled can update the plugin through the Plugin Manager.
  • CloudBees Jenkins Platform (rolling train, CloudBees Jenkins Operations Center and CloudBees Jenkins Enterprise 2.x.y.z):
    • For users in version 2.46.2.1 with CAP enabled, Beekeeper will offer the update (only for Client Masters).
    • Users in versions older than 2.46.2.1 should upgrade to 2.46.2.1.
    • Users with CAP disabled can get the plugin version including the fix through the Plugin Manager.
  • CloudBees Jenkins Platform (fixed train, CloudBees Jenkins Operations Center and CloudBees Jenkins Enterprise 2.7.x.0.y):
    • Users can update the plugin through the Plugin Manager.
  • CloudBees Jenkins Platform: CloudBees Jenkins Operations Center 1.625.x.y and CloudBees Jenkins Enterprise 1.651.x.y:
    • Users can update the plugin through the Plugin Manager.
  • CloudBees Jenkins Team:
    • For users in version 2.46.2.1 with CAP enabled, Beekeeper will offer the update.
    • Users in versions older than 2.46.2.1 should upgrade to 2.46.2.1.
    • Users with CAP disabled can update the plugin through the Plugin Manager.
  • DEV@cloud is already protected.