CloudBees Security Advisory 2020-04-27

CloudBees Security Advisory 2020-04-27

This advisory announces vulnerabilities in CloudBees Jenkins Distribution, CloudBees Jenkins Platform and CloudBees Core.

Missing Permission Check Leads to SSRF in “VMware Autoscaling Plugin”


When using the Test Connection feature on the VMware Pools page, a missing permission check allowed a user without CONFIGURE permissions to call the validation endpoint, leading to a server-side request forgery (SSRF) vulnerability.

With this fix, a permission has been added so users without CONFIGURE permission now get an authorization error when attempting to call the validation endpoint.

Cross-site scripting vulnerability in Wikitext Plugin


Wikitext Plugin 3.9 and earlier does not escape the formatted text using Media Wiki, Textile and TWiki syntax formatters.
This results in a stored cross-site scripting vulnerability that can be exploited by users with Job/Configure permission.

This version (3.12) escapes the formatted text before printing it out.



  • CloudBees Traditional Platforms should be upgraded

  • CloudBees Cloud Platforms should be upgraded

  • CloudBees Jenkins Enterprise should be upgraded the Managed Masters and Operations Center to

  • CloudBees Jenkins Platform (rolling train, CJP Operations Center and CJP Client Master (2.x.y.z) should be upgraded to version

  • CloudBees Jenkins Platform (fixed train) should be upgraded to

  • CloudBees Jenkins Distribution should be upgraded to version