CloudBees Security Advisory 2018-04-11

This advisory announces multiple vulnerabilities in Jenkins, CloudBees Jenkins Platform and CloudBees Jenkins Solutions.

 

CLI leaked existence of views and agents with attacker-specified names to users without Overall/Read permission

The Jenkins CLI sent different error responses for commands with view and agent arguments depending on the existence of the specified views or agents to unauthorized users. This allowed attackers to determine whether views or agents with specified names exist.

The Jenkins CLI now returns the same error messages to unauthorized users independent of the existence of specified view or agent names.

Cross-site scripting vulnerability in confirmation dialogs displaying item names

Some JavaScript confirmation dialogs included the item name in an unsafe manner, resulting in a possible cross-site scripting vulnerability exploitable by users with permission to create or configure items.

JavaScript confirmation dialogs that include the item name now properly escape it, so it can be safely displayed.

 

Severity: 

 

 

Fix: 

 

  • CloudBees Jenkins Enterprise should be upgraded the Managed Masters and Operations Center to 2.107.2.1
  • CloudBees Jenkins Platform (rolling train, CJP Operations Center and CJP Client Master 2.x.y.z) should be upgraded to version 2.107.2.1
  • CloudBees Jenkins Platform (fixed train, CJP Operations Center and CJP Client Master 2.73.x.0.z) should be upgraded to version 2.73.31.0.1
  • CloudBees Jenkins Platform (fixed train, CJP Operations Center and CJP Client Master 2.46.x.0.y) should be upgraded to version 2.46.31.0.1
  • CloudBees Jenkins Team should be upgraded to version 2.107.2.1
  • DEV@cloud is already protected