CloudBees Security Advisory 2020-09-09

Stored XSS in CloudBees License Manager plugin

CTR-2235

The CloudBees License Manager plugin now has protection against potential cross-site scripting (XSS) security vulnerabilities.

Missing Access Control in Skip Group

CTR-1929

The Skip Builds / Apply permissions were not properly checked when applying a Skip Group from the CloudBees CI main page.

With this fix, Skip Builds / Apply permissions are required to apply a Skip Group.

Lack of access control on some read-only endpoints on CloudBees Backup Plugin

CTR-1850

The CloudBees Backup Plugin does not perform permission checks in some methods implementing form population or form validation, making the methods accessible to attackers with Overall/Read access. Those methods include the following:

• Enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

• Check existence of a directory in the Jenkins host file system.

• Validate existence of a container in the Azure Storage Account configured at Jenkins.

Now the CloudBees Backup Plugin requires, at a minimum, the permission to configure the Backup/Restore job.

Severity

• CTR-2235: High

• CTR-1929: Medium

• CTR-1850: Medium

Fix

• CloudBees Traditional Platforms should be upgraded 2.249.1.2

• CloudBees Cloud Platforms should be upgraded 2.249.1.2

• CloudBees Jenkins Enterprise should be upgraded the Managed Masters and Operations Center to 2.249.1.2

• CloudBees Jenkins Platform (rolling train, CJP Operations Center and CJP Client Master (2.x.y.z) should be upgraded to version 2.249.1.2

• CloudBees Jenkins Platform (fixed train, CJP Operations Center and CJP Client Master (2.222.x.0.z) should be upgraded to version 2.222.42.0.1-rev2

• CloudBees Jenkins Platform (fixed train, CJP Operations Center and CJP Client Master (2.190.x.0.z) should be upgraded to version 2.190.33.0.2-rev2