CloudBees Security Advisory 2020-09-09

This advisory announces vulnerabilities in CloudBees Jenkins Distribution, CloudBees Jenkins Platform and CloudBees CI

Stored XSS in CloudBees License Manager plugin

CTR-2235

The CloudBees License Manager plugin now has protection against potential cross-site scripting (XSS) security vulnerabilities.

Missing Access Control in Skip Group

CTR-1929

The Skip Builds / Apply permissions were not properly checked when applying a Skip Group from the CloudBees CI main page.

With this fix, Skip Builds / Apply permissions are required to apply a Skip Group.

Lack of access control on some read-only endpoints on CloudBees Backup Plugin

CTR-1850

The CloudBees Backup Plugin does not perform permission checks in some methods implementing form population or form validation, making those methods accessible to attackers with Overall/Read access. Those methods can be used to:

  • Enumerate the IDs of credentials stored in Jenkins. Those IDs can be used as part of an attack to capture the credentials using another vulnerability.

  • Check whether a directory exists on the Jenkins host file system.

  • Validate whether a container exists in the Azure Storage Account configured in Jenkins.

Now the CloudBees Backup Plugin requires, at a minimum, the permission to configure the Backup/Restore job.
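The following is an added illustration, not CloudBees' code, of the class of defect described above and of the fix pattern the advisory implies: a Jenkins descriptor whose form validation and form population methods first run with no permission check, and then with the caller required to hold Item/Configure on the job whose configuration form is being edited. The class and method names are hypothetical; the Jenkins and credentials-plugin APIs used are real.

```java
// Added illustration (not CloudBees' code). Class/method names are hypothetical.
import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.common.StandardCredentials;
import com.cloudbees.plugins.credentials.common.StandardListBoxModel;
import hudson.model.Item;
import hudson.security.ACL;
import hudson.util.FormValidation;
import hudson.util.ListBoxModel;
import java.io.File;
import java.util.Collections;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

public class BackupJobDescriptorExample {

    // BEFORE: no permission check and no HTTP-verb restriction. Any user with
    // Overall/Read can invoke this and learn whether a controller-side
    // directory exists, which is exactly the information leak described above.
    public FormValidation doCheckDirectoryUnsafe(@QueryParameter String value) {
        return new File(value).isDirectory()
                ? FormValidation.ok()
                : FormValidation.error("Directory does not exist");
    }

    // AFTER: take the job from the request path (@AncestorInPath), require
    // Item/Configure on it (the minimum the fix demands), and accept POST only
    // so the check cannot be triggered by a plain GET.
    @POST
    public FormValidation doCheckDirectory(@AncestorInPath Item job,
                                           @QueryParameter String value) {
        if (job == null) {
            return FormValidation.ok(); // no job context: never touch the file system
        }
        job.checkPermission(Item.CONFIGURE); // throws AccessDeniedException otherwise
        return new File(value).isDirectory()
                ? FormValidation.ok()
                : FormValidation.error("Directory does not exist");
    }

    // Form population: without Item/Configure, return only the value already
    // saved in the job instead of enumerating every credential ID in scope.
    @POST
    public ListBoxModel doFillCredentialsIdItems(@AncestorInPath Item job,
                                                 @QueryParameter String credentialsId) {
        StandardListBoxModel result = new StandardListBoxModel();
        if (job == null || !job.hasPermission(Item.CONFIGURE)) {
            return result.includeCurrentValue(credentialsId);
        }
        return result.includeEmptyValue()
                .includeMatchingAs(ACL.SYSTEM, job, StandardCredentials.class,
                        Collections.emptyList(), CredentialsMatchers.always())
                .includeCurrentValue(credentialsId);
    }
}
```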

Severity

Fix

  • CloudBees Traditional Platforms should be upgraded to 2.249.1.2

  • CloudBees Cloud Platforms should be upgraded to 2.249.1.2

  • CloudBees Jenkins Enterprise: the Managed Masters and Operations Center should be upgraded to 2.249.1.2

  • CloudBees Jenkins Platform (rolling train; CJP Operations Center and CJP Client Master 2.x.y.z) should be upgraded to version 2.249.1.2

  • CloudBees Jenkins Platform (fixed train; CJP Operations Center and CJP Client Master 2.222.x.0.z) should be upgraded to version 2.222.42.0.1-rev2

  • CloudBees Jenkins Platform (fixed train; CJP Operations Center and CJP Client Master 2.190.x.0.z) should be upgraded to version 2.190.33.0.2-rev2