CloudBees Security Advisory 2021-05-05

This advisory announces vulnerabilities in Cloudbees, CloudBees Jenkins Distribution and CloudBees Jenkins Platform

Missing permission checks in ItemReplicationLive / ItemReplicationRecordXXE vulnerability in Operations Center Context Plugin

BEE-178

Previously, users could access the Move/Copy/Promote logs without the proper permissions.

This issue has been resolved. Now, only users with the privileges to trigger Move/Copy/Promote operations can access the logs.

Missing Permission Check When Creating a Folder With CyberArk Stores Configuration in CyberArk Credentials Plugin

BEE-181

Fixed a missing permission check in CloudBees CyberArk Credentials Provider Plugin.

Missing Permission Checks in Nectar-License Plugin

BEE-182

Fixed missing permission check in nectar-license.

Missing Permission Check in Cloudbees-Update-Center Plugin

BEE-183

A missing permission check was allowing a user with read permission on a custom update center to reload it.

The permission check has been restored so that it is required to have configuration privilege on the custom update center to reload it.

CSRF Vulnerability in Operations-Center-Context Plugin

BEE-184

Fix CSRF vulnerability in Operations Center Context

Missing Permission Checks Operations-Center-License Plugin

BEE-2340

Fix missing permission check in operations-center-license

All permissions given to authenticated user role when rbac configuration can not be loaded at startup in nectar-rbac Plugin

BEE-2742

Problem: When the nectar-rbac plugin fails to read its configuration at startup, it uses the default authorization, granting administrative permissions to all authenticated users.

Fix: Jenkins start up now fails if the nectar-rbac plugin cannot read its configuration file. A user with access to the JENKINS_HOME file system must fix the nectar-rbac.xml configuration file and restart CloudBees CI.

SSRF vulnerability in PlatformConfiguration.doCheckUrl in cloudbees-platform-common Plugin

BEE-3131

Problem: form validation for the CloudBees Software Delivery Automation location (URL) field was subject to a CSRF vulnerability and missing permission check.

Fix: this validation endpoint now requires POST method and administrator permission.

Severity

Fix

  • CloudBees Traditional Platforms should be upgraded to version 2.277.4.2

  • CloudBees Cloud Platforms should be upgraded to version 2.277.4.2

  • CloudBees Jenkins Enterprise should be upgraded the Managed Masters and Operations Center to version 2.277.4.2

  • CloudBees Jenkins Platform (rolling train, CJP Operations Center and CJP Client Master (2.x.y.z) should be upgraded to version 2.277.4.2

  • CloudBees Jenkins Platform (fixed train, CJP Operations Center and CJP Client Master (2.249.x.0.z) should be upgraded to version 2.249.31.0.3

  • CloudBees Jenkins Distribution should be upgraded to version 2.277.4.2