Stored XSS in CloudBees License Manager plugin
The CloudBees License Manager plugin has been fixed to protect against a stored cross-site scripting (XSS) vulnerability.
Missing Access Control in Skip Group
Applying a Skip Group from the CloudBees CI main page did not check the Skip Builds/Apply permission, so a user who lacked that permission could still apply a Skip Group.
With this fix, the Skip Builds/Apply permission is required to apply a Skip Group.
Lack of access control on some read-only endpoints on CloudBees Backup Plugin
The CloudBees Backup Plugin did not perform permission checks in some of the form-population (doFill...Items) and form-validation (doCheck...) methods behind its configuration UI. Jenkins exposes such methods as HTTP endpoints, so anyone with Overall/Read access could call them directly to:
- Enumerate the IDs of credentials stored in Jenkins. A known credential ID is a building block for capturing the credential itself through another vulnerability.
- Check whether a given directory exists on the Jenkins controller's file system.
- Check whether a given container exists in the Azure Storage Account configured in Jenkins.
With this fix, these methods require, at a minimum, the permission to configure the Backup/Restore job; a user who only has Overall/Read can no longer invoke them.
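The pattern behind this class of issue, and the fix the advisory describes, is shown in the added example below. It is illustrative code written for this page, not the CloudBees Backup Plugin's source: the build step `BackupStep`, its fields `credentialsId` and `directory`, and the method names are hypothetical. It assumes a Jenkins plugin build with the Credentials plugin on the classpath and the older Credentials API that takes an Acegi `Authentication` (`ACL.SYSTEM`); newer releases use `ACL.SYSTEM2` instead. Each method is shown in its unprotected form (callable by any Overall/Read user because Stapler routes `doFill*Items` and `doCheck*` to URLs under `descriptorByName/`) and in a form that requires Job/Configure on the job, or Overall/Administer when no job is in the request path. The Azure container check in the advisory follows the same shape as the directory check and is not repeated.

```java
// Added example, not CloudBees' code. Class, field and method names are hypothetical.
import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.common.StandardCredentials;
import com.cloudbees.plugins.credentials.common.StandardListBoxModel;
import com.cloudbees.plugins.credentials.domains.DomainRequirement;
import hudson.Extension;
import hudson.model.AbstractProject;
import hudson.model.Item;
import hudson.security.ACL;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Builder;
import hudson.util.FormValidation;
import hudson.util.ListBoxModel;
import java.io.File;
import java.util.Collections;
import java.util.List;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.QueryParameter;

// Hypothetical build step with a credentials dropdown and a target-directory field.
public class BackupStep extends Builder {
    private final String credentialsId;
    private final String directory;

    @DataBoundConstructor
    public BackupStep(String credentialsId, String directory) {
        this.credentialsId = credentialsId;
        this.directory = directory;
    }

    public String getCredentialsId() { return credentialsId; }
    public String getDirectory() { return directory; }

    @Extension
    public static class DescriptorImpl extends BuildStepDescriptor<Builder> {
        private static final List<DomainRequirement> NO_REQUIREMENTS = Collections.emptyList();

        @Override public boolean isApplicable(Class<? extends AbstractProject> jobType) { return true; }
        @Override public String getDisplayName() { return "Backup step (example)"; }

        // Permission the advisory names: configure the job, or administer Jenkins outside a job.
        private static boolean mayConfigure(Item item) {
            return item == null
                    ? Jenkins.get().hasPermission(Jenkins.ADMINISTER)
                    : item.hasPermission(Item.CONFIGURE);
        }

        // BEFORE (the flaw): no permission check. Any Overall/Read user can GET
        // .../descriptorByName/BackupStep/fillCredentialsIdItemsUnprotected and read every credential ID.
        public ListBoxModel doFillCredentialsIdItemsUnprotected(@QueryParameter String credentialsId) {
            return new StandardListBoxModel()
                    .includeEmptyValue()
                    .includeMatchingAs(ACL.SYSTEM, Jenkins.get(), StandardCredentials.class,
                            NO_REQUIREMENTS, CredentialsMatchers.always());
        }

        // AFTER: without Job/Configure the caller only gets back the value already saved on the job,
        // so the form still renders but nothing new is enumerated.
        public ListBoxModel doFillCredentialsIdItems(@AncestorInPath Item item,
                                                     @QueryParameter String credentialsId) {
            StandardListBoxModel result = new StandardListBoxModel();
            if (!mayConfigure(item)) {
                return result.includeCurrentValue(credentialsId);
            }
            result.includeEmptyValue();
            if (item == null) {
                result.includeMatchingAs(ACL.SYSTEM, Jenkins.get(), StandardCredentials.class,
                        NO_REQUIREMENTS, CredentialsMatchers.always());
            } else {
                result.includeMatchingAs(ACL.SYSTEM, item, StandardCredentials.class,
                        NO_REQUIREMENTS, CredentialsMatchers.always());
            }
            return result.includeCurrentValue(credentialsId);
        }

        // BEFORE (the flaw): lets any Overall/Read user probe paths on the controller's file system
        // via .../descriptorByName/BackupStep/checkDirectoryUnprotected?value=/etc.
        public FormValidation doCheckDirectoryUnprotected(@QueryParameter String value) {
            return new File(value).isDirectory() ? FormValidation.ok() : FormValidation.error("Not a directory");
        }

        // AFTER: checkPermission throws AccessDeniedException (HTTP 403) before the file system is touched.
        public FormValidation doCheckDirectory(@AncestorInPath Item item, @QueryParameter String value) {
            if (item == null) {
                Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            } else {
                item.checkPermission(Item.CONFIGURE);
            }
            if (value == null || value.trim().isEmpty()) {
                return FormValidation.error("Directory is required");
            }
            return new File(value).isDirectory() ? FormValidation.ok() : FormValidation.error("Not a directory");
        }
    }
}
```

The two hardened methods fail differently on purpose: a dropdown filler should degrade to the stored value so the configuration page still loads for users who can see but not edit the job, while a validation endpoint that reads controller state has no legitimate use for such a user and can simply reject the call. When reviewing a plugin for this issue, list every `doFill*` and `doCheck*` method on each `Descriptor` and confirm that each one either checks a permission or returns nothing an unprivileged caller could not already see.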