This advisory announces vulnerabilities in CloudBees Jenkins Distribution, CloudBees Jenkins Platform and CloudBees Core.
Information Disclosure in CloudBees Amazon AWS CLI Plugin
A user with permission to see a job could list the AWS credential IDs available for a job, without the expected permission.
The plugin now correctly restricts the ability to list the AWS credential IDs available for a job to users who can configure the job.
Cross-Site Request Forgery in Operations Center Elasticsearch Provider
The Elasticsearch provider configuration was vulnerable to Cross-Site Request Forgery attacks as some endpoints were using the GET method.
Corresponding methods now use the POST method