CloudBees Security Advisory2020-09-09
This advisory announces vulnerabilities in
,
and
CloudBees Jenkins Distribution
,
and
CloudBees Jenkins Platform
,
and
CloudBees CI

Stored XSS in CloudBees License Manager plugin
CTR-2235
The CloudBees License Manager plugin now has protection against potential cross-site scripting (XSS) security vulnerabilities.
Missing Access Control in Skip Group
CTR-1929
The Skip Builds / Apply permissions were not properly checked when applying a Skip Group from the CloudBees CI main page.
With this fix, Skip Builds / Apply permissions are required to apply a Skip Group.
Lack of access control on some read-only endpoints on CloudBees Backup Plugin
CTR-1850
The CloudBees Backup Plugin does not perform permission checks in some methods implementing form population or form validation, making the methods accessible to attackers with Overall/Read access. Those methods include the following:
- Enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.
- Check existence of a directory in the Jenkins host file system.
- Validate existence of a container in the Azure Storage Account configured at Jenkins.
Now the CloudBees Backup Plugin requires, at a minimum, the permission to configure the Backup/Restore job.
Note
Warning
Fix
- CloudBees Traditional Platforms should be upgraded 2.249.1.2
- CloudBees Cloud Platforms should be upgraded 2.249.1.2
- CloudBees Jenkins Enterprise should be upgraded the Managed Masters and Operations Center to 2.249.1.2
- CloudBees Jenkins Platform (rolling train, CJP Operations Center and CJP Client Master (2.x.y.z) should be upgraded to version 2.249.1.2
- CloudBees Jenkins Platform (fixed train, CJP Operations Center and CJP Client Master (2.222.x.0.z) should be upgraded to version 2.222.42.0.1-rev2
- CloudBees Jenkins Platform (fixed train, CJP Operations Center and CJP Client Master (2.190.x.0.z) should be upgraded to version 2.190.33.0.2-rev2