CloudBees Security Advisory 2020-04-27
This advisory announces vulnerabilities in CloudBees Jenkins Distribution, CloudBees Jenkins Platform and CloudBees Core.
Missing Permission Check Leads to SSRF in “VMware Autoscaling Plugin”
When using the Test Connection feature on the VMware Pools page, a missing permission check allowed a user without CONFIGURE permissions to call the validation endpoint, leading to a server-side request forgery (SSRF) vulnerability.
With this fix, a permission has been added so users without CONFIGURE permission now get an authorization error when attempting to call the validation endpoint.
Cross-site scripting vulnerability in Wikitext Plugin
Wikitext Plugin 3.9 and earlier does not escape the formatted text using Media Wiki, Textile and TWiki syntax formatters.
This results in a stored cross-site scripting vulnerability that can be exploited by users with Job/Configure permission.
This version (3.12) escapes the formatted text before printing it out.
CloudBees Traditional Platforms should be upgraded 18.104.22.168
CloudBees Cloud Platforms should be upgraded 22.214.171.124
CloudBees Jenkins Enterprise should be upgraded the Managed Masters and Operations Center to 126.96.36.199
CloudBees Jenkins Platform (rolling train, CJP Operations Center and CJP Client Master (2.x.y.z) should be upgraded to version 188.8.131.52
CloudBees Jenkins Platform (fixed train) should be upgraded to 184.108.40.206.2
CloudBees Jenkins Distribution should be upgraded to version 220.127.116.11