CloudBees Security Advisory 2020-04-27
This advisory announces vulnerabilities in CloudBees Jenkins Distribution, CloudBees Jenkins Platform and CloudBees Core.
Missing Permission Check Leads to SSRF in “VMware Autoscaling Plugin”
When using the Test Connection feature on the VMware Pools page, a missing permission check allowed a user without CONFIGURE permissions to call the validation endpoint, leading to a server-side request forgery (SSRF) vulnerability.
With this fix, a permission check has been added, so users without CONFIGURE permission now receive an authorization error when they attempt to call the validation endpoint.
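The class of defect the advisory describes, as an added example that is not the VMware Autoscaling Plugin's own code: a Jenkins global-configuration section whose Test Connection button is backed by a Stapler form-validation endpoint. The first method is the vulnerable shape (no authorization before the outbound request); the second is the fixed shape, using the permission check pattern Jenkins documents for form validation. PoolConfiguration, the host parameter and probe() are hypothetical names; the advisory speaks of CONFIGURE permission, so the fixed method demands Overall/Administer when reached from the global page and the job's Item/Configure when reached from a job configuration page.

```java
// Added example, not the VMware Autoscaling Plugin's own code. Names are hypothetical.
import hudson.Extension;
import hudson.model.Item;
import hudson.util.FormValidation;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;

import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;

@Extension
public class PoolConfiguration extends GlobalConfiguration {

    // VULNERABLE: Stapler exposes every public doXxx method as a web endpoint and
    // performs no authorization itself. Any user who can reach the controller can
    // make it open a connection to a host of their choosing: the SSRF in the advisory.
    public FormValidation doTestConnectionUnchecked(@QueryParameter String host) {
        return probe(host);
    }

    // FIXED: demand the permission the configuration page itself requires before
    // doing any outbound work. checkPermission() throws AccessDeniedException,
    // which Stapler turns into an authorization error for the caller.
    public FormValidation doTestConnection(@AncestorInPath Item item,
                                           @QueryParameter String host) {
        if (item == null) {
            // Global configuration page: Overall/Administer.
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        } else {
            // Endpoint reached from a job's configuration page: that job's Item/Configure.
            item.checkPermission(Item.CONFIGURE);
        }
        return probe(host);
    }

    // Connection test shared by both endpoints: bounded timeouts, HEAD only,
    // no redirect following, no response body read.
    private static FormValidation probe(String host) {
        if (host == null || host.isEmpty()) {
            return FormValidation.error("Host is required");
        }
        try {
            HttpURLConnection conn =
                (HttpURLConnection) new URL("https://" + host + "/").openConnection();
            conn.setRequestMethod("HEAD");
            conn.setConnectTimeout(5000);
            conn.setReadTimeout(5000);
            conn.setInstanceFollowRedirects(false);
            int status = conn.getResponseCode();
            conn.disconnect();
            return status < 400
                ? FormValidation.ok("Connected (HTTP " + status + ")")
                : FormValidation.error("Host answered HTTP " + status);
        } catch (IOException e) {
            return FormValidation.error("Could not connect: " + e.getMessage());
        }
    }
}
```

The check belongs at the top of the endpoint method, before the request is built, because the harm is the controller's outbound connection itself rather than what the method returns; a check placed after probe() would still leak the connection attempt.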
Cross-site scripting vulnerability in Wikitext Plugin
Wikitext Plugin 3.9 and earlier does not escape the text produced by its MediaWiki, Textile and TWiki syntax formatters.
This results in a stored cross-site scripting vulnerability that can be exploited by users with Job/Configure permission.
This version (3.12) escapes the formatted text before printing it out.
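An illustration of output escaping in a Jenkins MarkupFormatter, added here and not taken from the Wikitext Plugin: the formatter renders a single MediaWiki-style construct ('''bold''') while HTML-escaping every piece of user-supplied text, so HTML or script embedded in a job description is emitted as inert text and the only tags in the output are the ones the formatter itself writes. The class name EscapingBoldFormatter and the one-construct grammar are assumptions made for the example.

```java
// Added example, not the Wikitext Plugin's own code. Class name and grammar are illustrative.
import hudson.Extension;
import hudson.Util;
import hudson.markup.MarkupFormatter;
import hudson.markup.MarkupFormatterDescriptor;
import org.kohsuke.stapler.DataBoundConstructor;

import java.io.IOException;
import java.io.Writer;

public class EscapingBoldFormatter extends MarkupFormatter {

    @DataBoundConstructor
    public EscapingBoldFormatter() {
    }

    // Jenkins calls translate() when it renders a description stored by a user
    // with Job/Configure; whatever is written here reaches the browser verbatim.
    @Override
    public void translate(String markup, Writer output) throws IOException {
        output.write(format(markup));
    }

    // Split on the ''' delimiter: even segments are plain text, odd segments are
    // bold runs. Every segment is escaped with hudson.Util.escape before any tag
    // is added, so <b></b> emitted below are the only tags in the result.
    static String format(String markup) {
        String[] parts = markup.split("'''", -1);
        StringBuilder out = new StringBuilder();
        for (int i = 0; i < parts.length; i++) {
            String safe = Util.escape(parts[i]);
            if (i % 2 == 1 && i < parts.length - 1) {
                out.append("<b>").append(safe).append("</b>");        // closed bold run
            } else if (i % 2 == 1) {
                out.append("&#039;&#039;&#039;").append(safe);        // unterminated ''' kept literally
            } else {
                out.append(safe);
            }
        }
        return out.toString();
    }

    @Extension
    public static class DescriptorImpl extends MarkupFormatterDescriptor {
        @Override
        public String getDisplayName() {
            return "Escaping bold formatter (example)";
        }
    }
}
```

A quick regression check for this kind of fix is to store a description containing a literal tag such as a script element and confirm the rendered page shows it as text: with the escaping in place, format() turns the angle bracket of `<script>` into `&lt;script`, and a description such as `a '''b''' <x>` renders as `a <b>b</b> &lt;x>`.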