Missing Permission Checks in Master Provisioning Kubernetes plugin
Fixed missing permission checks in various form validation checks methods of master-provisioning-kubernetes.
RBAC configuration is not correctly cleaned when import strategy is set to Typical
RBAC configuration is permanently cleared from items when setting the security realm strategy to "Typical"
CSRF Vulnerabilities in Cloudbees Update Center Plugin
Fixed CSRF vulnerabilities in Cloudbees Update Center plugin
CSRF Vulnerabilities in Trigger-Restrictions Plugin
CSRF vulnerability due to lack of HTTP verb enforcement. Require HTTP POST on route.
Missing Permission Check in Skip Plugin
doRemove method does not have a permission check. Added remove permission check to doRemove method
SECURITY-1721 / CVE-2021-21639
Jenkins 2.286 and earlier, LTS 2.277.1 and earlier does not validate the type of object created after loading the data submitted to the
config.xml REST API endpoint of a node.
This allows attackers with Computer/Configure permission to replace a node with one of a different type.
Jenkins 2.287, LTS 2.277.2 validates the type of object created and rejects objects of unexpected types.
SECURITY-1871 / CVE-2021-21640
Jenkins 2.286 and earlier, LTS 2.277.1 and earlier does not properly check that a newly created view has an allowed name. When a form to create a view is submitted, the name is included twice in the submission. One instance is validated, but the other instance is used to create the value.
This allows attackers with View/Create permission to create views with invalid or already-used names.
Jenkins 2.287, LTS 2.277.2 uses the same submitted value for validation and view creation.
SECURITY-2293 / CVE-2021-21641
promoted builds Plugin 3.9 and earlier does not require POST requests for HTTP endpoints implementing promotion (regular, forced, and re-execute), resulting in cross-site request forgery (CSRF) vulnerabilities.
These vulnerabilities allow attackers to promote builds.
promoted builds Plugin 3.9.1 requires POST requests for the affected HTTP endpoints.
NOTE:A security hardening since Jenkins 2.287 and LTS 2.277.2 prevents exploitation of this vulnerability.
SECURITY-2132 / CVE-2021-22512 (CSRF), CVE-2021-22513 (permission check)
Micro Focus Application Automation Tools Plugin 6.7 and earlier does not perform permission checks in methods implementing form validation.
This allows attackers with Overall/Read permission to connect to attacker-specified URLs using attacker-specified username and password.
Additionally, these form validation methods do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.
Micro Focus Application Automation Tools Plugin 6.8 requires POST requests and Overall/Administer permission for the affected form validation methods.
SECURITY-2175 / CVE-2021-22510
Micro Focus Application Automation Tools Plugin 6.7 and earlier does not escape user input in a form validation response.
This results in a reflected cross-site scripting (XSS) vulnerability.
Micro Focus Application Automation Tools Plugin 6.8 escapes user input in the affected form validation response.
NOTEA security hardening since Jenkins 2.275 and LTS 2.263.2 prevents exploitation of this vulnerability.
SSL/TLS certificate validation unconditionally disabled by Micro Focus Application Automation Tools Plugin
SECURITY-2176 / CVE-2021-22511
Micro Focus Application Automation Tools Plugin 6.7 and earlier unconditionally disables SSL/TLS certificate validation for connections to Service Virtualization servers.
Micro Focus Application Automation Tools Plugin 6.8 no longer disables SSL/TLS certificate validation unconditionally by default. It provides an option to disable SSL/TLS certification validation for connections to Service Virtualization servers.
CloudBees Traditional Platforms should be upgraded to version 2.277.2.3
CloudBees Cloud Platforms should be upgraded to version 2.277.2.3
CloudBees Jenkins Enterprise should be upgraded the Managed Masters and Operations Center to version 2.277.2.3
CloudBees Jenkins Platform (rolling train, CJP Operations Center and CJP Client Master (2.x.y.z) should be upgraded to version 2.277.2.3
CloudBees Jenkins Platform (fixed train, CJP Operations Center and CJP Client Master (2.249.x.0.z) should be upgraded to version 126.96.36.199.4
CloudBees Jenkins Platform (fixed train, CJP Operations Center and CJP Client Master (2.222.x.0.z) should be upgraded to version 188.8.131.52.4
CloudBees Jenkins Distribution should be upgraded to version 2.277.2.3