CloudBees Security Advisory 2020-04-27
This advisory announces vulnerabilities in CloudBees Jenkins Distribution, CloudBees Jenkins Platform and CloudBees Core.
Missing Permission Check Leads to SSRF in “VMware Autoscaling Plugin”
CTR-1293
When using the Test Connection feature on the VMware Pools page, a missing permission check allowed a user without CONFIGURE permissions to call the validation endpoint, leading to a server-side request forgery (SSRF) vulnerability.
With this fix, a permission has been added so users without CONFIGURE permission now get an authorization error when attempting to call the validation endpoint.
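As an added illustration (not code from the VMware Autoscaling Plugin), this is the shape of a Jenkins "Test Connection" form-validation endpoint before and after a fix of the kind described above; the class and method names are assumed, and the permission checked is Jenkins.ADMINISTER, the constant that gates global configuration pages in Jenkins core (the advisory refers to the required permission as CONFIGURE).

```java
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.Socket;

// Hypothetical descriptor fragment; only the two validation methods matter here.
public class PoolConnectionCheck {

    // The connectivity probe the "Test Connection" button triggers: the controller
    // itself opens a TCP connection to whatever host/port the form supplied.
    static boolean canReach(String host, int port) {
        try (Socket socket = new Socket()) {
            socket.connect(new InetSocketAddress(host, port), 2000);
            return true;
        } catch (IOException e) {
            return false;
        }
    }

    // Before the fix: no permission check, so any user who can reach this URL can
    // make the Jenkins controller connect to an arbitrary host and port (SSRF), and
    // the ok/error result tells them whether the connection succeeded.
    public FormValidation doTestConnectionUnsafe(@QueryParameter String host,
                                                 @QueryParameter int port) {
        return canReach(host, port) ? FormValidation.ok("Connected")
                                    : FormValidation.error("Cannot connect");
    }

    // After the fix: require the configuration permission before doing anything
    // that touches the network. checkPermission throws AccessDeniedException,
    // which Jenkins turns into an authorization error for the caller. @RequirePOST
    // additionally stops the endpoint from being triggered by a plain GET link.
    @RequirePOST
    public FormValidation doTestConnection(@QueryParameter String host,
                                           @QueryParameter int port) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return canReach(host, port) ? FormValidation.ok("Connected")
                                    : FormValidation.error("Cannot connect");
    }
}
```

The detection angle follows from the same code: requests to a plugin's doTestConnection-style URL from accounts that hold no configuration rights are worth alerting on even after patching.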
Cross-site scripting vulnerability in Wikitext Plugin
FNDJEN-2010
Wikitext Plugin 3.9 and earlier does not escape text produced by its MediaWiki, Textile and TWiki syntax formatters before rendering it.
This results in a stored cross-site scripting vulnerability that can be exploited by users with Job/Configure permission.
Wikitext Plugin 3.12 escapes the formatted text before rendering it.