CloudBees Security Advisory 2020-06-22
This advisory announces vulnerabilities in CloudBees Jenkins Platform and CloudBees Core.
Lack of Access Control in "CloudBees PSE Mesos Metrics Plugin" => SSRF + Credentials Leak
Potential credentials exposure due to lack of privilege checking. Additionally a CSRF vulnerability due to lack of HTTP method check.
Fix: Add privilege check to class methods. Add requirement to only accept POST HTTP method.
CSRF in Miscellaneous Configuration Container Configuration
We fixed a Cross-Site Request Forgery (CSRF) issue in Configuration Container configuration.
CSRF in Client Master Manage > Push Configuration
We fixed a Cross-Site Request Forgery (CSRF) issue in Client Master configuration.
CSRF in Shared Agent Configuration
We fixed a Cross-Site Request Forgery (CSRF) issue in Shared Agent configuration.