CloudBees Security Advisory 2020-09-09
This advisory announces vulnerabilities in CloudBees Jenkins Distribution, CloudBees Jenkins Platform and CloudBees CI.
Stored XSS in CloudBees License Manager plugin
CTR-2235
The CloudBees License Manager plugin now has protection against potential cross-site scripting (XSS) security vulnerabilities.
Missing Access Control in Skip Group
CTR-1929
The Skip Builds / Apply permissions were not properly checked when applying a Skip Group from the CloudBees CI main page.
With this fix, Skip Builds / Apply permissions are required to apply a Skip Group.
Lack of access control on some read-only endpoints on CloudBees Backup Plugin
CTR-1850
The CloudBees Backup Plugin does not perform permission checks in some methods implementing form population or form validation, making the methods accessible to attackers with Overall/Read access. Those methods include the following:
Enumerate the IDs of credentials stored in Jenkins. Those IDs can be used as part of an attack to capture the credentials through another vulnerability.
Check existence of a directory in the Jenkins host file system.
Validate existence of a container in the Azure Storage Account configured at Jenkins.
Now the CloudBees Backup Plugin requires, at a minimum, the permission to configure the Backup/Restore job.
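The defect class behind CTR-1850 (and, for a plain web method rather than a form helper, CTR-1929) is a Stapler-bound doFill/doCheck method that does work before asking whether the caller may configure the item. The following is an added illustration written for this advisory, not CloudBees' plugin code: the class, method and field names (BackupStepExample, doFillCredentialsIdItems, doCheckDirectory, directory) are hypothetical, and the "unsafe" methods are kept only to show the missing check beside the corrected form. It uses the standard Jenkins core and credentials-plugin APIs.

```java
import hudson.Extension;
import hudson.model.AbstractProject;
import hudson.model.Item;
import hudson.security.ACL;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Builder;
import hudson.util.FormValidation;
import hudson.util.ListBoxModel;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import com.cloudbees.plugins.credentials.common.StandardCredentials;
import com.cloudbees.plugins.credentials.common.StandardListBoxModel;
import java.io.File;

/** Hypothetical build step whose descriptor exposes form helpers (example, not the Backup plugin). */
public class BackupStepExample extends Builder {

    @Extension
    public static final class DescriptorImpl extends BuildStepDescriptor<Builder> {

        @Override
        public boolean isApplicable(Class<? extends AbstractProject> jobType) {
            return true;
        }

        @Override
        public String getDisplayName() {
            return "Backup step (example)";
        }

        // BEFORE: reachable as .../fillCredentialsIdItemsUnsafe by anyone with Overall/Read.
        // It lists every credential ID the SYSTEM authentication can see, which is the
        // enumeration described in the advisory.
        public ListBoxModel doFillCredentialsIdItemsUnsafe(@AncestorInPath Item item) {
            return new StandardListBoxModel()
                    .includeAs(ACL.SYSTEM, item, StandardCredentials.class);
        }

        // AFTER: the caller must be able to configure the job this form belongs to.
        // Returning an empty model (rather than throwing) keeps the UI usable for
        // read-only users while revealing nothing.
        public ListBoxModel doFillCredentialsIdItems(@AncestorInPath Item item) {
            if (item == null || !item.hasPermission(Item.CONFIGURE)) {
                return new StandardListBoxModel();
            }
            return new StandardListBoxModel()
                    .includeEmptyValue()
                    .includeAs(ACL.SYSTEM, item, StandardCredentials.class);
        }

        // BEFORE: answers "does this path exist on the controller?" for any reader,
        // i.e. a file-system existence oracle.
        public FormValidation doCheckDirectoryUnsafe(@QueryParameter String value) {
            return new File(value).isDirectory()
                    ? FormValidation.ok()
                    : FormValidation.error("Not a directory: " + value);
        }

        // AFTER: without Item/Configure the method returns a neutral OK and touches
        // nothing, so the response carries no information about the host.
        public FormValidation doCheckDirectory(@AncestorInPath Item item,
                                               @QueryParameter String value) {
            if (item == null || !item.hasPermission(Item.CONFIGURE)) {
                return FormValidation.ok();
            }
            if (value == null || value.trim().isEmpty()) {
                return FormValidation.error("A directory is required");
            }
            return new File(value).isDirectory()
                    ? FormValidation.ok()
                    : FormValidation.error("Not a directory on the controller: " + value);
        }
    }
}
```

The check has to run before any side effect or lookup; placing it after the work (or only in the Jelly view) leaves the URL endpoint itself open. A quick way to audit a plugin for this class of issue is to list every public do* method on its Descriptor classes and confirm each one either calls hasPermission/checkPermission on the ancestor item (or on Jenkins for global configuration) or provably discloses nothing.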
Severity
Fix
CloudBees Traditional Platforms should be upgraded to 2.249.1.2
CloudBees Cloud Platforms should be upgraded to 2.249.1.2
CloudBees Jenkins Enterprise: the Managed Masters and Operations Center should be upgraded to 2.249.1.2
CloudBees Jenkins Platform (rolling train, CJP Operations Center and CJP Client Master 2.x.y.z) should be upgraded to version 2.249.1.2
CloudBees Jenkins Platform (fixed train, CJP Operations Center and CJP Client Master 2.222.x.0.z) should be upgraded to version 2.222.42.0.1-rev2
CloudBees Jenkins Platform (fixed train, CJP Operations Center and CJP Client Master 2.190.x.0.z) should be upgraded to version 2.190.33.0.2-rev2