CloudBees Security Advisory 2020-04-27

CloudBees Security Advisory 2020-04-27

This advisory announces vulnerabilities in CloudBees Jenkins Distribution, CloudBees Jenkins Platform and CloudBees Core.

Missing Permission Check Leads to SSRF in “VMware Autoscaling Plugin”

CTR-1293

When using the Test Connection feature on the VMware Pools page, a missing permission check allowed a user without CONFIGURE permissions to call the validation endpoint, leading to a server-side request forgery (SSRF) vulnerability.

With this fix, a permission has been added so users without CONFIGURE permission now get an authorization error when attempting to call the validation endpoint.

Cross-site scripting vulnerability in Wikitext Plugin

FNDJEN-2010

Wikitext Plugin 3.9 and earlier does not escape the formatted text using Media Wiki, Textile and TWiki syntax formatters.
This results in a stored cross-site scripting vulnerability that can be exploited by users with Job/Configure permission.

This version (3.12) escapes the formatted text before printing it out.

Severity

Fix

  • CloudBees Traditional Platforms should be upgraded 2.222.2.1

  • CloudBees Cloud Platforms should be upgraded 2.222.2.1

  • CloudBees Jenkins Enterprise should be upgraded the Managed Masters and Operations Center to 2.222.2.1

  • CloudBees Jenkins Platform (rolling train, CJP Operations Center and CJP Client Master (2.x.y.z) should be upgraded to version 2.222.2.1

  • CloudBees Jenkins Platform (fixed train) should be upgraded to 2.190.31.0.2

  • CloudBees Jenkins Distribution should be upgraded to version 2.222.2.1

More Security Advisories
Product Capabilities
Resources
Why CloudBees
© 2023 CloudBees, Inc., CloudBees® and the Infinity logo® are registered trademarks of CloudBees, Inc. in the United States and may be registered in other countries. Other products or brand names may be trademarks or registered trademarks of CloudBees, Inc. or their respective holders.
Privacy PolicyTerms of ServiceCloudBees Vulnerability Reporting