CloudBees Security Advisory 2020-03-03

This advisory announces vulnerabilities in CloudBees Jenkins Distribution, CloudBees Jenkins Platform and CloudBees Core.

Information Disclosure in CloudBees Amazon AWS CLI Plugin

CTR-1006

A user with permission to see a job could list the AWS credential IDs available for a job, without the expected permission.

The plugin now correctly restricts the ability to list the AWS credential IDs available for a job to users who can configure the job.

Cross-Site Request Forgery in Operations Center Elasticsearch Provider

CPLT2-6188

The Elasticsearch provider configuration was vulnerable to Cross-Site Request Forgery attacks as some endpoints were using the GET method.

Corresponding methods now use the POST method

Severity

Fix

  • CloudBees Traditional Platforms should be upgraded 2.204.3.4

  • CloudBees Cloud Platforms should be upgraded 2.204.3.4

  • CloudBees Jenkins Enterprise should be upgraded the Managed Masters and Operations Center to 2.204.3.4

  • CloudBees Jenkins Platform (rolling train, CJP Operations Center and CJP Client Master (2.x.y.z) should be upgraded to version 2.204.3.4

  • CloudBees Jenkins Platform (fixed train, CJP Operations Center and CJP Client Master (2.164.x.0.z) should be upgraded to version 2.164.33.0.1 rev3

  • CloudBees Jenkins Platform (fixed train) should be upgraded to 2.190.30.0.2

  • CloudBees Jenkins Distribution should be upgraded to version 2.204.3.4

More Security Advisories
Product Capabilities
Resources
Why CloudBees
© 2023 CloudBees, Inc., CloudBees® and the Infinity logo® are registered trademarks of CloudBees, Inc. in the United States and may be registered in other countries. Other products or brand names may be trademarks or registered trademarks of CloudBees, Inc. or their respective holders.
Privacy PolicyTerms of ServiceCloudBees Vulnerability Reporting