CloudBees Security Advisory 2020-06-22

This advisory announces vulnerabilities in CloudBees Jenkins Platform and CloudBees Core.

Lack of Access Control in "CloudBees PSE Mesos Metrics Plugin" => SSRF + Credentials Leak

CPLT2-6238

Credentials could be exposed because the plugin performed no permission check before serving the affected methods. In addition, the lack of an HTTP method check left the same endpoint open to Cross-Site Request Forgery (CSRF).

Fix: Permission checks were added to the affected class methods, and the endpoint now accepts only the POST HTTP method.

CSRF in Miscellaneous Configuration Container Configuration

CTR-1643

We fixed a Cross-Site Request Forgery (CSRF) issue in Configuration Container configuration.

CSRF in Client Master Manage > Push Configuration

CTR-1644

We fixed a Cross-Site Request Forgery (CSRF) issue in Client Master configuration.

CSRF in Shared Agent Configuration

CTR-1645

We fixed a Cross-Site Request Forgery (CSRF) issue in Shared Agent configuration.
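The two changes listed for CPLT2-6238, and the CSRF protection applied in CTR-1643 through CTR-1645, follow a standard Jenkins plugin pattern. The Java class below is an added illustration written for this advisory, not source code from the affected CloudBees plugins: it shows a hypothetical "test connection" web method first without any access control, then with the permission check and POST-only restriction the advisory describes. The class name, URL name and method names are assumptions; the Jenkins core, Stapler and Credentials plugin APIs it calls are real.

```java
// Added illustration, not the CloudBees plugin's own source. A Jenkins
// plugin web method that takes a URL and a credentials ID, as a "test
// connection" style endpoint would, shown in a vulnerable form and then
// hardened the way the advisory describes: a permission check inside the
// method plus @RequirePOST so only a POST (covered by Jenkins' crumb-based
// CSRF protection) reaches it. All class and URL names are hypothetical.
package com.example.advisory;

import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import hudson.Extension;
import hudson.model.RootAction;
import hudson.security.ACL;
import hudson.util.FormValidation;
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Collections;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

@Extension
public class MetricsConnectionCheck implements RootAction {

    @Override public String getIconFileName() { return null; } // no sidebar entry
    @Override public String getDisplayName() { return null; }
    @Override public String getUrlName() { return "example-metrics-check"; }

    // BEFORE (the pattern the advisory describes; kept only for comparison,
    // never deploy a method like this): served on GET at
    // /example-metrics-check/testConnectionUnsafe with no permission check.
    // Jenkins itself issues the outbound request (SSRF), the result reveals
    // whether the chosen stored credential was accepted (credential leak),
    // and because plain GET is accepted the call can be triggered cross-site (CSRF).
    public FormValidation doTestConnectionUnsafe(@QueryParameter String url,
                                                 @QueryParameter String credentialsId) {
        return probe(url, credentialsId);
    }

    // AFTER: the two changes the advisory lists.
    // 1. @RequirePOST: Stapler rejects non-POST requests, and Jenkins' crumb
    //    (CSRF token) check applies to POSTs, so a cross-site page cannot
    //    trigger the method.
    // 2. checkPermission(ADMINISTER): only users who may already configure
    //    arbitrary endpoints and credentials can run the probe.
    @RequirePOST
    public FormValidation doTestConnection(@QueryParameter String url,
                                           @QueryParameter String credentialsId) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER); // throws AccessDeniedException otherwise
        return probe(url, credentialsId);
    }

    // Shared probe: resolve the credential by ID and attempt an authenticated GET.
    private FormValidation probe(String url, String credentialsId) {
        StandardUsernamePasswordCredentials creds = CredentialsMatchers.firstOrNull(
                CredentialsProvider.lookupCredentials(
                        StandardUsernamePasswordCredentials.class,
                        Jenkins.get(), ACL.SYSTEM, Collections.emptyList()),
                CredentialsMatchers.withId(credentialsId));
        if (creds == null) {
            return FormValidation.error("No such credentials: " + credentialsId);
        }
        try {
            HttpURLConnection conn = (HttpURLConnection) new URL(url).openConnection();
            String basic = creds.getUsername() + ":" + creds.getPassword().getPlainText();
            conn.setRequestProperty("Authorization", "Basic "
                    + Base64.getEncoder().encodeToString(basic.getBytes(StandardCharsets.UTF_8)));
            conn.setConnectTimeout(5000);
            conn.setReadTimeout(5000);
            int status = conn.getResponseCode();
            return status == 200
                    ? FormValidation.ok("Connected")
                    : FormValidation.error("Endpoint returned HTTP " + status);
        } catch (IOException e) {
            return FormValidation.error("Connection failed: " + e.getMessage());
        }
    }
}
```

Both changes are needed together: `@RequirePOST` alone still lets any authenticated user with read access drive the outbound request, and the permission check alone still leaves a logged-in administrator's browser exposed to a cross-site GET. Reviewers auditing a plugin for the same class of issue look for every `do*` web method that reads credentials or opens network connections and confirm it carries both a permission check and a POST restriction.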

Severity

Fix

  • CloudBees Traditional Platforms should be upgraded to 2.235.1.2

  • CloudBees Cloud Platforms should be upgraded to 2.235.1.2

  • CloudBees Jenkins Enterprise: the Managed Masters and Operations Center should be upgraded to 2.235.1.2

  • CloudBees Jenkins Platform (rolling train; CJP Operations Center and CJP Client Master 2.x.y.z) should be upgraded to version 2.235.1.2

  • CloudBees Jenkins Platform (fixed train; CJP Operations Center and CJP Client Master 2.190.x.0.z) should be upgraded to version 2.190.31.0.2 rev6