CloudBees Security Advisory 2020-04-27
This advisory announces vulnerabilities in CloudBees Jenkins Distribution, CloudBees Jenkins Platform and CloudBees Core.
Missing Permission Check Leads to SSRF in “VMware Autoscaling Plugin”
When using the Test Connection feature on the VMware Pools page, a missing permission check allowed a user without CONFIGURE permission to call the validation endpoint directly. Because that endpoint makes Jenkins connect to the host supplied in the request, this exposed a server-side request forgery (SSRF) vulnerability to users who were not allowed to change the configuration.
With this fix, a permission check has been added to the endpoint, so users without CONFIGURE permission now receive an authorization error when attempting to call it.
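The pattern behind this fix, as an added illustration that is not the VMware Autoscaling Plugin's own code: a hypothetical Jenkins global configuration page whose Stapler-bound `doTestConnection` method opens a connection to a user-supplied URL. The vulnerable variant performs no check, so anyone who can reach the endpoint can make the controller connect anywhere; the fixed variant calls `checkPermission` before any network activity. The class, method and parameter names are assumptions; `Jenkins.ADMINISTER` is used because that is what guards global configuration in Jenkins, while the advisory itself describes the missing check as CONFIGURE. The `@RequirePOST` annotation is conventional Jenkins hardening for validation endpoints and is not mentioned by the advisory.

```java
package example.vmwarepools; // hypothetical package, not the plugin's real code

import hudson.Extension;
import hudson.util.FormValidation;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;

/**
 * Hypothetical global configuration page with a "Test Connection" button.
 * Stapler exposes every public do*() method as a URL, so a user does not
 * need to see the button to call the endpoint behind it: the method itself,
 * not the page it appears on, has to enforce permissions.
 */
@Extension
public class PoolsConfiguration extends GlobalConfiguration {

    /**
     * Before the fix (shown only for contrast, would never ship): no check at
     * all. Any user who can reach Jenkins can make the controller open a
     * connection to a host of their choosing and read back the result.
     */
    public FormValidation doTestConnectionVulnerable(@QueryParameter String vcenterUrl) {
        return probe(vcenterUrl);
    }

    /**
     * After the fix: reject callers who may not change this configuration
     * before anything touches the network. checkPermission() throws an
     * access-denied exception, which Jenkins turns into an HTTP 403 for the
     * caller. @RequirePOST additionally refuses GET requests, so the probe
     * cannot be triggered by a link or image tag (standard Jenkins practice,
     * not part of the advisory).
     */
    @RequirePOST
    public FormValidation doTestConnection(@QueryParameter String vcenterUrl) {
        // Assumption: ADMINISTER guards this global page. The advisory words
        // the missing check as CONFIGURE; the ordering is what matters.
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return probe(vcenterUrl);
    }

    /** The outbound request that turns an unchecked endpoint into an SSRF primitive. */
    private static FormValidation probe(String vcenterUrl) {
        try {
            HttpURLConnection conn = (HttpURLConnection) new URL(vcenterUrl).openConnection();
            conn.setConnectTimeout(5_000);
            conn.setReadTimeout(5_000);
            int status = conn.getResponseCode();
            return FormValidation.ok("Connected, HTTP " + status);
        } catch (IOException e) {
            // The error text is echoed to the caller, which is what lets an
            // unprivileged user distinguish live hosts from dead ones.
            return FormValidation.error(e, "Connection failed");
        }
    }
}
```

The check has to be the first statement in the method: a check placed after the connection attempt, or only in the Jelly view that renders the button, leaves the endpoint reachable by anyone who knows or guesses its URL.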
Cross-site scripting vulnerability in Wikitext Plugin
Wikitext Plugin 3.9 and earlier does not escape the output of its MediaWiki, Textile and TWiki syntax formatters before rendering it.
Because a markup formatter renders user-controlled text such as job descriptions, this results in a stored cross-site scripting vulnerability that can be exploited by users with Job/Configure permission.
Wikitext Plugin 3.12 escapes the formatted text before printing it.
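The escaping step at issue, as an added illustration rather than the Wikitext Plugin's own code: a deliberately tiny `MarkupFormatter` that turns `'''text'''` into `<b>text</b>` stands in for the MediaWiki, Textile and TWiki formatters. With `escapeText` false it behaves like the vulnerable versions and copies text nodes through verbatim, so a `<script>` or event handler stored in a job description reaches the browser intact; with `escapeText` true it passes every text node through `hudson.Util.escape` while still emitting its own tags. The class name, the bold syntax and the sample payload are constructed for this example.

```java
package example.wikitext; // hypothetical package, not the plugin's real code

import hudson.Util;
import hudson.markup.MarkupFormatter;

import java.io.IOException;
import java.io.StringWriter;
import java.io.Writer;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Toy wiki-style formatter: '''text''' becomes <b>text</b>. Jenkins calls
 * translate() whenever it renders a description through the configured
 * markup formatter, so whatever this writes lands unfiltered in the page.
 */
public class ToyWikiFormatter extends MarkupFormatter {

    private static final Pattern BOLD = Pattern.compile("'''(.+?)'''");
    private final boolean escapeText;

    /** escapeText=false models 3.9 and earlier, true models the 3.12 behaviour. */
    public ToyWikiFormatter(boolean escapeText) {
        this.escapeText = escapeText;
    }

    @Override
    public void translate(String markup, Writer output) throws IOException {
        Matcher m = BOLD.matcher(markup);
        StringBuilder html = new StringBuilder();
        int last = 0;
        while (m.find()) {
            html.append(text(markup.substring(last, m.start())));
            // Tags generated by the formatter itself are trusted; only the
            // user-supplied text between them needs escaping.
            html.append("<b>").append(text(m.group(1))).append("</b>");
            last = m.end();
        }
        html.append(text(markup.substring(last)));
        output.write(html.toString());
    }

    /**
     * Text nodes. Util.escape turns <, &, quotes into entities (and newlines
     * into <br>), so markup the user typed can no longer be parsed as HTML.
     */
    private String text(String s) {
        return escapeText ? Util.escape(s) : s;
    }

    public static void main(String[] args) throws IOException {
        // Constructed payload of the kind a user with Job/Configure could store.
        String stored = "'''Build''' notes <img src=x onerror=alert(document.domain)>";
        for (boolean fixed : new boolean[] {false, true}) {
            StringWriter out = new StringWriter();
            new ToyWikiFormatter(fixed).translate(stored, out);
            System.out.println((fixed ? "escaped:   " : "unescaped: ") + out);
        }
    }
}
```

Running `main` prints the `<img ... onerror=...>` tag verbatim in the unescaped case and as `&lt;img ... &gt;` in the escaped one; the `<b>Build</b>` produced by the formatter is unchanged in both, which is the distinction the fix has to preserve.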
CloudBees Traditional Platforms should be upgraded to 184.108.40.206
CloudBees Cloud Platforms should be upgraded to 220.127.116.11
CloudBees Jenkins Enterprise: the Managed Masters and Operations Center should be upgraded to 18.104.22.168
CloudBees Jenkins Platform (rolling train, CJP Operations Center and CJP Client Master (2.x.y.z)) should be upgraded to version 22.214.171.124
CloudBees Jenkins Platform (fixed train) should be upgraded to 126.96.36.199.2
CloudBees Jenkins Distribution should be upgraded to version 188.8.131.52