CloudBees Security Advisory 2020-11-12

This advisory announces vulnerabilities in CloudBees, CloudBees Jenkins Distribution and CloudBees Jenkins Platform.

OC items in nested folders did not have their RBAC configuration correctly migrated

CTR-2742

A previous version update caused an issue with the RBAC configuration of Operations Center items in nested folders.

An additional migration of the RBAC configuration is now run for all the OC items in the Jenkins instance, not just the items defined at the top level.

Permissions are not correctly applied if RBAC on Views is disabled

CTR-2748

RBAC permissions were not applied correctly when RBAC on views is disabled.
Since the November rolling release (2.249.3.1), it is not possible to define groups on views, so the expected permission set should come from the view's parent item. However, a bug caused the root permission set (i.e. whatever is defined at the root level) to be used instead.

The fix makes the view use the permission set of its owner: if the view is inside a folder, the folder's groups and roles are applied; if the view is at the root level, the global groups and roles are applied.
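The following is an added illustration, not CloudBees' code, of the permission lookup described for CTR-2748: a small model of the item tree in which the pre-fix resolver always answers with the root permission set and the fixed resolver answers with the view's owner. Item names, groups, users and permissions are constructed for the example, and inheritance from higher-level folders is deliberately left out of the model.

```python
from dataclasses import dataclass, field


@dataclass
class Item:
    """A node in the Operations Center item tree: root, a folder, or a view."""
    name: str
    kind: str                                   # "root", "folder" or "view"
    owner: "Item | None" = None                 # enclosing item; None for root
    groups: dict = field(default_factory=dict)  # group name -> set of user ids
    roles: dict = field(default_factory=dict)   # group name -> set of permissions


def permission_set_buggy(view: Item, root: Item) -> Item:
    """Behaviour before the fix: every view is evaluated against the root set."""
    return root


def permission_set_fixed(view: Item, root: Item) -> Item:
    """Behaviour after the fix: a view uses the permission set of its owner,
    i.e. the enclosing folder, or root when the view sits at the top level."""
    return view.owner if view.owner is not None else root


def effective_permissions(user: str, view: Item, root: Item, resolver) -> set:
    """Union of the permissions `user` holds on `view` under `resolver`.
    Only the resolved item's own groups are consulted (no ancestor inheritance)."""
    holder = resolver(view, root)
    granted = set()
    for group, members in holder.groups.items():
        if user in members:
            granted |= holder.roles.get(group, set())
    return granted


# Constructed sample tree: alice is an admin at root level, bob is only granted
# Job/Read through a group defined on the "team-a" folder.
ROOT = Item("root", "root",
            groups={"admins": {"alice"}},
            roles={"admins": {"Job/Read", "Job/Configure"}})
TEAM_A = Item("team-a", "folder", owner=ROOT,
              groups={"team-a-devs": {"bob"}},
              roles={"team-a-devs": {"Job/Read"}})
FOLDER_VIEW = Item("team-a/dashboard", "view", owner=TEAM_A)
TOP_VIEW = Item("all", "view", owner=ROOT)

if __name__ == "__main__":
    for resolver in (permission_set_buggy, permission_set_fixed):
        print(resolver.__name__, "-> bob on team-a/dashboard:",
              effective_permissions("bob", FOLDER_VIEW, ROOT, resolver))
```

Under the buggy resolver bob's folder-level grant never reaches the view inside the folder; under the fixed resolver the folder's groups and roles apply, while a top-level view still resolves to the global set.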

Severity

Fix

  • CloudBees Traditional Platforms should be upgraded to 2.249.3.2

  • CloudBees Cloud Platforms should be upgraded to 2.249.3.2

  • CloudBees Jenkins Enterprise should upgrade the Managed Masters and Operations Center to 2.249.3.2

  • CloudBees Jenkins Platform (rolling train; CJP Operations Center and CJP Client Master 2.x.y.z) should be upgraded to version 2.249.3.2

  • CloudBees Jenkins Platform (fixed train; CJP Operations Center and CJP Client Master 2.222.x.0.z) should be upgraded to version 2.222.42.0.1-rev6

  • CloudBees Jenkins Platform (fixed train; CJP Operations Center and CJP Client Master 2.190.x.0.z) should be upgraded to version 2.190.33.0.2-rev6