CloudBees Security Advisory 2020-06-22
This advisory announces vulnerabilities in CloudBees Jenkins Platform and CloudBees Core.
Lack of Access Control in "CloudBees PSE Mesos Metrics Plugin" => SSRF + Credentials Leak
CPLT2-6238
Potential credentials exposure due to missing privilege checks on the plugin's methods. Additionally, a Cross-Site Request Forgery (CSRF) vulnerability because those methods did not restrict the HTTP method and so accepted GET requests.
Fix: Added privilege checks to the affected class methods, and restricted them to accept only the HTTP POST method.
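The two fixes named for CPLT2-6238 (a permission check and a POST-only restriction) map onto two standard Jenkins/Stapler mechanisms. The following is an added illustration, not code from this advisory or from the CloudBees PSE Mesos Metrics Plugin: a hypothetical Jenkins root action (the class name, URL, the secret it returns, and the choice of Jenkins.ADMINISTER as the required permission are all assumptions) with one web method in the vulnerable shape and one in the hardened shape.

```java
package example; // hypothetical package; not the plugin's own code

import hudson.Extension;
import hudson.model.RootAction;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.StaplerResponse;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.io.IOException;

/**
 * Illustrative Stapler action served under /metrics-example/ on the Jenkins root.
 * It is NOT the CloudBees PSE Mesos Metrics Plugin; it only demonstrates the two
 * defects described in the advisory and the corresponding fix pattern.
 */
@Extension
public class MetricsExampleAction implements RootAction {

    @Override public String getIconFileName() { return null; } // no sidebar entry
    @Override public String getDisplayName()  { return null; }
    @Override public String getUrlName()      { return "metrics-example"; }

    /** Hypothetical sensitive value; a real plugin would read a stored credential. */
    private String lookupConfiguredSecret() { return "hypothetical-secret"; }

    // ---- BEFORE: the shape the advisory describes as vulnerable ----
    //
    // Reachable as GET /metrics-example/legacyFetch.
    // 1. No permission check: any principal that can reach the URL (including
    //    anonymous, where Jenkins grants anonymous read) receives the secret.
    // 2. No HTTP method restriction: because GET is accepted, a link or <img>
    //    on a third-party page can make an authenticated victim's browser
    //    trigger this method without any CSRF crumb.
    public void doLegacyFetch(StaplerRequest req, StaplerResponse rsp) throws IOException {
        rsp.setContentType("text/plain");
        rsp.getWriter().println("secret=" + lookupConfiguredSecret());
    }

    // ---- AFTER: privilege check plus POST-only ----
    //
    // @RequirePOST makes Stapler reject any non-POST request before the body
    // runs, which also brings the request under Jenkins' crumb (CSRF token)
    // filter. checkPermission() throws an access-denied exception when the
    // current user lacks the permission, so unauthorized callers never reach
    // the line that discloses the secret.
    @RequirePOST
    public void doFetch(StaplerRequest req, StaplerResponse rsp) throws IOException {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER); // assumed permission level
        rsp.setContentType("text/plain");
        rsp.getWriter().println("secret=" + lookupConfiguredSecret());
    }
}
```

A quick check after upgrading: a GET to the hardened URL should be refused outright, and a POST without a valid crumb should be rejected by the crumb filter before the permission check even runs; only an authenticated POST from a user holding the required permission should return data.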
CSRF in Miscellaneous Configuration Container Configuration
CTR-1643
We fixed a Cross-Site Request Forgery (CSRF) issue in Configuration Container configuration.
CSRF in Client Master Manage > Push Configuration
CTR-1644
We fixed a Cross-Site Request Forgery (CSRF) issue in Client Master configuration.
CSRF in Shared Agent Configuration
CTR-1645
We fixed a Cross-Site Request Forgery (CSRF) issue in Shared Agent configuration.
Severity
Fix
CloudBees Traditional Platforms should be upgraded to 2.235.1.2
CloudBees Cloud Platforms should be upgraded to 2.235.1.2
CloudBees Jenkins Enterprise users should upgrade the Managed Masters and Operations Center to 2.235.1.2
CloudBees Jenkins Platform (rolling train; CJP Operations Center and CJP Client Master 2.x.y.z) should be upgraded to version 2.235.1.2
CloudBees Jenkins Platform (fixed train; CJP Operations Center and CJP Client Master 2.190.x.0.z) should be upgraded to version 2.190.31.0.2 rev6