CloudBees Security Advisory 2018-04-11
This advisory announces multiple vulnerabilities in Jenkins, CloudBees Jenkins Platform and CloudBees Jenkins Solutions.
CLI leaked existence of views and agents with attacker-specified names to users without Overall/Read permission
The Jenkins CLI sent different error responses for commands with view and agent arguments depending on the existence of the specified views or agents to unauthorized users. This allowed attackers to determine whether views or agents with specified names exist.
The Jenkins CLI now returns the same error messages to unauthorized users independent of the existence of specified view or agent names.
Cross-site scripting vulnerability in confirmation dialogs displaying item names