CloudBees Security Advisory 2020-03-03

This advisory announces vulnerabilities in CloudBees Jenkins Distribution, CloudBees Jenkins Platform and CloudBees Core.

Information Disclosure in CloudBees Amazon AWS CLI Plugin

CTR-1006

A user with permission to see a job could list the AWS credential IDs available for a job, without the expected permission.

The plugin now correctly restricts the ability to list the AWS credential IDs available for a job to users who can configure the job.

Cross-Site Request Forgery in Operations Center Elasticsearch Provider

CPLT2-6188

The Elasticsearch provider configuration was vulnerable to Cross-Site Request Forgery attacks as some endpoints were using the GET method.

The corresponding methods now require the POST method.
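What "switching an endpoint from GET to POST" looks like in a Jenkins extension, as an added example that is not the Operations Center Elasticsearch provider's code: a global configuration page with a "test connection" endpoint. A plain `doTestConnection` web method answers GET, so a victim's browser can be made to call it with the victim's session just by loading a URL; annotating it with `@RequirePOST` makes Stapler reject anything but a POST, which the Jenkins crumb (CSRF token) mechanism then protects. The class name, the `url` field and the URL-syntax check standing in for a real connection test are assumptions.

```java
// Added example (not CloudBees code): a state-changing / side-effecting endpoint
// restricted to POST, plus the permission check that belongs next to it.
import hudson.Extension;
import hudson.util.FormValidation;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import net.sf.json.JSONObject;
import org.kohsuke.stapler.DataBoundSetter;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.net.MalformedURLException;
import java.net.URL;

@Extension
public class SearchProviderConfigExample extends GlobalConfiguration {
    private String url;

    public SearchProviderConfigExample() {
        load();
    }

    public String getUrl() {
        return url;
    }

    @DataBoundSetter
    public void setUrl(String url) {
        this.url = url;
        save();
    }

    @Override
    public boolean configure(StaplerRequest req, JSONObject json) {
        // The main form submit is already POST-only via Stapler; still gate it.
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        req.bindJSON(this, json);
        return true;
    }

    // Vulnerable shape: reachable via GET, so a crafted <img src=...> or link in
    // another site causes the admin's browser to trigger the outbound request:
    //
    //   public FormValidation doTestConnection(@QueryParameter String url) { ... }

    // Fixed shape: POST only (crumb-protected) and permission-checked.
    @RequirePOST
    public FormValidation doTestConnection(@QueryParameter String url) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        try {
            // Stand-in for the real connection attempt: validate the URL shape only.
            new URL(url);
            return FormValidation.ok("URL is well-formed");
        } catch (MalformedURLException e) {
            return FormValidation.error("Not a valid URL: " + e.getMessage());
        }
    }
}
```

`@RequirePOST` is the right choice for endpoints that do something (connect outward, change state); for pure form validation that only reads, Jenkins also offers `@POST` from `org.kohsuke.stapler.verb`, which behaves the same way for this purpose. A quick check during review is to `curl` the `doTestConnection` URL with a GET and confirm a 405, not a 200.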

Severity

Fix

  • CloudBees Traditional Platforms should be upgraded to 2.204.3.4

  • CloudBees Cloud Platforms should be upgraded to 2.204.3.4

  • CloudBees Jenkins Enterprise should upgrade the Managed Masters and Operations Center to 2.204.3.4

  • CloudBees Jenkins Platform (rolling train), CJP Operations Center and CJP Client Master (2.x.y.z) should be upgraded to version 2.204.3.4

  • CloudBees Jenkins Platform (fixed train), CJP Operations Center and CJP Client Master (2.164.x.0.z) should be upgraded to version 2.164.33.0.1 rev3

  • CloudBees Jenkins Platform (fixed train) should be upgraded to 2.190.30.0.2

  • CloudBees Jenkins Distribution should be upgraded to version 2.204.3.4