CloudBees Security Advisory 2020-03-03
This advisory announces vulnerabilities in CloudBees Jenkins Distribution, CloudBees Jenkins Platform and CloudBees Core.
Information Disclosure in CloudBees Amazon AWS CLI Plugin
CTR-1006
A user who could merely view a job could list the IDs of the AWS credentials available to that job, an enumeration that should require the ability to configure the job.
The plugin now correctly restricts the ability to list the AWS credential IDs available for a job to users who can configure the job.
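The permission check the fix describes, written out as an added example (not the CloudBees Amazon AWS CLI Plugin's own code). The class and method names are hypothetical; the Jenkins and Credentials Plugin APIs used (`StandardListBoxModel`, `Item.CONFIGURE`, `AmazonWebServicesCredentials`) are real. The vulnerable shape relies on nothing beyond the Read permission Jenkins checks when it resolves the job URL; the hardened shape returns the full list only to users who hold Configure on the job, and returns just the already-saved value to everyone else.

```java
package example.hypothetical; // hypothetical package, not the plugin's

import com.cloudbees.jenkins.plugins.awscredentials.AmazonWebServicesCredentials;
import com.cloudbees.plugins.credentials.common.StandardListBoxModel;
import hudson.model.Item;
import hudson.security.ACL;
import hudson.util.ListBoxModel;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;

/** Hypothetical descriptor fragment illustrating the fix; not CloudBees's class. */
public class AwsCredentialsIdLister {

    /**
     * Vulnerable shape: no explicit check. Anybody who can open the job page can call this
     * form-fill method and read back every AWS credential ID the job could use.
     */
    public ListBoxModel doFillCredentialsIdItemsVulnerable(@AncestorInPath Item item,
                                                           @QueryParameter String credentialsId) {
        return new StandardListBoxModel()
                .includeEmptyValue()
                .includeAs(ACL.SYSTEM, item, AmazonWebServicesCredentials.class)
                .includeCurrentValue(credentialsId);
    }

    /**
     * Hardened shape: enumerate credential IDs only for users allowed to configure the job.
     * Everyone else gets a list containing only the value already stored in the job, so the
     * form still renders but discloses nothing new.
     */
    public ListBoxModel doFillCredentialsIdItems(@AncestorInPath Item item,
                                                 @QueryParameter String credentialsId) {
        StandardListBoxModel result = new StandardListBoxModel();
        if (item == null) {
            // Called outside any job (e.g. global configuration): require Administer.
            if (!Jenkins.get().hasPermission(Jenkins.ADMINISTER)) {
                return result.includeCurrentValue(credentialsId);
            }
        } else if (!item.hasPermission(Item.CONFIGURE)) {
            // Read-only viewers never see the enumeration.
            return result.includeCurrentValue(credentialsId);
        }
        return result
                .includeEmptyValue()
                .includeAs(ACL.SYSTEM, item, AmazonWebServicesCredentials.class)
                .includeCurrentValue(credentialsId);
    }
}
```

The check is on the `Item` resolved from the URL, not on the global `Jenkins` object, because the credentials in scope (folder-level or job-level stores) depend on where the form is opened; a user may hold Configure on one folder and only Read on another.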
Cross-Site Request Forgery in Operations Center Elasticsearch Provider
CPLT2-6188
The Elasticsearch provider configuration was vulnerable to Cross-Site Request Forgery because some of its state-changing endpoints were reachable through GET requests, which Jenkins's crumb (CSRF token) check does not cover.
The corresponding methods now require the POST method.
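What "GET versus POST" means for CSRF in a Jenkins web method, as an added example (not the Operations Center Elasticsearch Provider's own code; class, method and parameter names are hypothetical). The vulnerable shape answers any HTTP verb, so a link or `<img src>` on an attacker's page triggers it with the victim's session cookie attached and no crumb required. The hardened shape carries Stapler's `@RequirePOST`, which rejects non-POST requests with HTTP 405, and a POST must carry the crumb that Jenkins's CSRF protection validates, which a cross-origin page cannot read.

```java
package example.hypothetical; // hypothetical package, not the plugin's

import jenkins.model.Jenkins;
import org.kohsuke.stapler.HttpResponse;
import org.kohsuke.stapler.HttpResponses;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.interceptor.RequirePOST;

/** Hypothetical configuration object exposed at some Stapler URL; not CloudBees's class. */
public class ElasticsearchProviderEndpoints {

    private String elasticsearchUrl;

    /**
     * Vulnerable shape: Stapler routes GET /.../setUrlVulnerable?url=... here. The permission
     * check only proves the *browser* is logged in; it says nothing about which page issued
     * the request, and the crumb filter does not run for GET. A victim admin visiting an
     * attacker page that embeds this URL silently rewrites the provider configuration.
     */
    public HttpResponse doSetUrlVulnerable(StaplerRequest req) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        this.elasticsearchUrl = req.getParameter("url");
        return HttpResponses.ok();
    }

    /**
     * Hardened shape: @RequirePOST makes Stapler refuse GET (HTTP 405 "POST required")
     * before this method body runs, and a legitimate POST from the Jenkins UI includes the
     * crumb that the CSRF filter checks. Authorization is still checked; the two controls
     * answer different questions (who is asking, and did they mean to).
     */
    @RequirePOST
    public HttpResponse doSetUrl(StaplerRequest req) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        this.elasticsearchUrl = req.getParameter("url");
        return HttpResponses.ok();
    }

    public String getElasticsearchUrl() {
        return elasticsearchUrl;
    }
}
```

A practical check after upgrading: request the provider's configuration endpoints with GET while logged in; the fixed version answers 405 rather than performing the action. Note that moving to POST only helps when the instance's CSRF protection (crumbs) is enabled, which is the default.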
Severity
Fix
CloudBees Traditional Platforms should be upgraded to 2.204.3.4
CloudBees Cloud Platforms should be upgraded to 2.204.3.4
CloudBees Jenkins Enterprise: the Managed Masters and Operations Center should be upgraded to 2.204.3.4
CloudBees Jenkins Platform (rolling train: CJP Operations Center and CJP Client Master, 2.x.y.z) should be upgraded to version 2.204.3.4
CloudBees Jenkins Platform (fixed train: CJP Operations Center and CJP Client Master, 2.164.x.0.z) should be upgraded to version 2.164.33.0.1 rev3
CloudBees Jenkins Platform (fixed train) should be upgraded to 2.190.30.0.2
CloudBees Jenkins Distribution should be upgraded to version 2.204.3.4