This advisory announces vulnerabilities in CloudBees Jenkins Distribution, CloudBees Jenkins Platform and CloudBees Core.

CTR-1293

When using the Test Connection feature on the VMware Pools page, a missing permission check allowed a user without CONFIGURE permissions to call the validation endpoint, leading to a server-side request forgery (SSRF) vulnerability.

With this fix, a permission has been added so users without CONFIGURE permission now get an authorization error when attempting to call the validation endpoint.

FNDJEN-2010

Wikitext Plugin 3.9 and earlier does not escape the formatted text using Media Wiki, Textile and TWiki syntax formatters.
This results in a stored cross-site scripting vulnerability that can be exploited by users with Job/Configure permission.

This version (3.12) escapes the formatted text before printing it out.

• CTR-1293: Medium

• FNDJEN-2010: Medium

• CloudBees Traditional Platforms should be upgraded 2.222.2.1

• CloudBees Cloud Platforms should be upgraded 2.222.2.1

• CloudBees Jenkins Enterprise should be upgraded the Managed Masters and Operations Center to 2.222.2.1

• CloudBees Jenkins Platform (rolling train, CJP Operations Center and CJP Client Master (2.x.y.z) should be upgraded to version 2.222.2.1

• CloudBees Jenkins Platform (fixed train) should be upgraded to 2.190.31.0.2

• CloudBees Jenkins Distribution should be upgraded to version 2.222.2.1