CloudBees Security Advisory 2020-09-09
This advisory announces vulnerabilities in CloudBees Jenkins Distribution, CloudBees Jenkins Platform and CloudBees CI.
Stored XSS in CloudBees License Manager plugin
The CloudBees License Manager plugin was affected by a stored cross-site scripting (XSS) vulnerability. The fixed version adds protection against this attack.
Missing Access Control in Skip Group
The Skip Builds / Apply permission was not checked when a Skip Group was applied from the CloudBees CI main page, so a user without that permission could apply one.
With this fix, the Skip Builds / Apply permission is required to apply a Skip Group.
Lack of access control on some read-only endpoints on CloudBees Backup Plugin
The CloudBees Backup Plugin did not perform permission checks in some methods that implement form population or form validation, so any user with Overall/Read permission could call them. The affected methods allow such a user to:
Enumerate the IDs of credentials stored in Jenkins. Credential IDs are not secrets by themselves, but they are a prerequisite for capturing the credentials through another vulnerability.
Check whether a directory exists on the file system of the Jenkins host.
Validate whether a container exists in the Azure Storage Account configured in Jenkins.
The fixed plugin requires, at a minimum, the permission to configure the Backup/Restore job before any of these methods does its work.
CloudBees Traditional Platforms should be upgraded to 22.214.171.124
CloudBees Cloud Platforms should be upgraded to 126.96.36.199
CloudBees Jenkins Enterprise: Managed Masters and Operations Center should be upgraded to 188.8.131.52
CloudBees Jenkins Platform (rolling train; CJP Operations Center and CJP Client Master 2.x.y.z) should be upgraded to version 184.108.40.206
CloudBees Jenkins Platform (fixed train; CJP Operations Center and CJP Client Master 2.222.x.0.z) should be upgraded to version 220.127.116.11.1-rev2
CloudBees Jenkins Platform (fixed train; CJP Operations Center and CJP Client Master 2.190.x.0.z) should be upgraded to version 18.104.22.168.2-rev2