CloudBees Security Advisory 2019-04-10

This advisory announces vulnerabilities in Jenkins

Jenkins accepted cached legacy CLI authentication

SECURITY-1289 / CVE-2019-1003049

The fix for SECURITY-901 in Jenkins 2.150.2 and 2.160 did not reject existing remoting-based CLI authentication caches.

This means that users who cached their CLI authentication before Jenkins was updated to 2.150.2 and newer, or 2.160 and newer, would remain authenticated.

XSS vulnerability in form validation button

SECURITY-1327 / CVE-2019-1003050

The f:validateButton form control for the Jenkins UI did not properly escape job URLs. This resulted in a cross-site scripting (XSS) vulnerability exploitable by users with the ability to control job names.

The affected form control has been rewritten to no longer need to escape job URLs.
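The advisory states that the control spliced job URLs into its markup without escaping and that the fix removed the need for that escaping. The following is an added example, not Jenkins' f:validateButton code or its actual fix; it shows the two-layer encoding a job name needs when it is embedded as a URL inside an HTML attribute (percent-encode the path segment, then escape for the attribute context), with a constructed sample job name and hypothetical render functions.

```javascript
// Added example, not Jenkins code: a job name is first URL-encoded as a
// path segment and then HTML-attribute-escaped before being embedded in a
// form control's markup. All function names here are hypothetical.

// Percent-encode one path segment. encodeURIComponent leaves ' ( ) ! * ~
// untouched, so on its own it is not enough for an HTML attribute context.
function encodeJobPath(jobName) {
  return "/job/" + encodeURIComponent(jobName) + "/";
}

// Escape the five characters that can terminate a quoted attribute or tag.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Hypothetical "before": the job URL is spliced raw into the attribute.
function renderUnsafe(jobName) {
  return "<input type=\"button\" class=\"validate-button\" data-url='" +
    "/job/" + jobName + "/" + "'>";
}

// Hypothetical "after": encode for the URL, then escape for the attribute.
function renderSafe(jobName) {
  return "<input type=\"button\" class=\"validate-button\" data-url='" +
    escapeAttr(encodeJobPath(jobName)) + "'>";
}

// Defender-side check: is the data-url attribute still a single, closed
// attribute whose value holds no raw quote or angle bracket?
function attributeIsIntact(markup) {
  const m = /data-url='([^']*)'>$/.exec(markup);
  return m !== null && !/[<>"']/.test(m[1]);
}

// Constructed sample job name containing the characters that matter.
const SAMPLE_JOB = "demo'job<1>";
```

Running `attributeIsIntact(renderUnsafe(SAMPLE_JOB))` returns false because the apostrophe in the name closes the attribute early, while the encoded-then-escaped rendering passes.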

Severity

Fix

  • CloudBees Traditional Platforms should be upgraded to 2.164.2.1

  • CloudBees Cloud Platforms should be upgraded to 2.164.2.1

  • CloudBees Jenkins Enterprise: the Managed Masters and Operations Center should be upgraded to 2.164.2.1

  • CloudBees Jenkins Platform (rolling train: CJP Operations Center and CJP Client Master 2.x.y.z) should be upgraded to version 2.164.2.1

  • CloudBees Jenkins Platform (fixed train: CJP Operations Center and CJP Client Master 2.138.x.0.z) should be upgraded to version 2.138.41.0.1

  • CloudBees Jenkins Platform (fixed train: CJP Operations Center and CJP Client Master 2.107.x.0.z) should be upgraded to version 2.107.38.0.1

  • CloudBees Jenkins Distribution should be upgraded to version 2.164.2.1