CloudBees Security Advisory 2020-06-02
This advisory announces vulnerabilities in CloudBees Jenkins Platform and CloudBees Core.
Teams security model pushes rbac roles even when RBAC is not enabled
Fix RBAC role definitions were pushed to connected clients even when RBAC was not being used.
CSRF Vulnerabilities in Cloudbees-Support Plugin
Protects the plugin against unauthorized deactivation of data collections for IO performance and TCP agent monitoring subsystem.
CSRF Vulnerability in Cloudbees-Assurance Plugin
Problem: CloudBees Assurance Plugin 2.276.0.2 and earlier does not require POST requests for the form submission endpoint reconfiguring the update center, resulting in a cross-site request forgery (CSRF) vulnerability.
This vulnerability allows attackers to configure the default update center removing the one already applied.
Fix Description: CloudBees Assurance Plugin 2.276.0.3 requires POST requests for the reconfigure HTTP endpoint.
BasicDefaultsProvider contributes with an invalid rbac configuration
BasicDefaultsProvider contributed invalid roles to the default configuration. Generic, disabled, and dangerous permissions are now filtered out when creating the default rbac roles configuration.
CloudBees Traditional Platforms should be upgraded 2.289.1.2
CloudBees Cloud Platforms should be upgraded 2.289.1.2
CloudBees Jenkins Platform (rolling train, CJP Operations Center and CJP Client Master (2.x.y.z) should be upgraded to version 2.289.1.2
CloudBees Jenkins Platform (fixed train, CJP Operations Center and CJP Client Master (2.x.y.z) should be upgraded to version 18.104.22.168.5