In June we published a security advisory in which we mentioned fixing 3 CSRF vulnerabilities (CTR-1643, CTR-1644 and CTR-1645). We stated that these vulnerabilities were fixed in 220.127.116.11 and the fixed line 18.104.22.168.2 rev6. In fact, those releases contained those fixes as notified.
However, these vulnerabilities should have also been fixed in the subsequent releases of the 2.222 fixed line, but were not included due to a newly discovered issue with our release process . Specifically, the following releases should have included these fixes, but did not:
Upon discovering this omission, we immediately analysed the impact of this to our customers. We have confirmed that only these 3 issues (CTR-1643, CTR-1644 and CTR-1645) were omitted from those releases
We are producing a new security incremental (22.214.171.124.2 rev2) to address these vulnerabilities and we strongly recommend customers update to this version. We are treating this as a major incident and are already taking actions to fix the identified issue in our release process so that this cannot happen again.
Please accept our sincere apologies for this omission.
CSRF in Miscellaneous Configuration Container Configuration
We fixed a Cross-Site Request Forgery (CSRF) issue in Configuration Container configuration.
CSRF in Client Master Manage > Push Configuration
We fixed a Cross-Site Request Forgery (CSRF) issue in Client Master configuration.
CSRF in Shared Agent Configuration
We fixed a Cross-Site Request Forgery (CSRF) issue in Shared Agent configuration.
CloudBees Jenkins Platform (fixed train, CJP Operations Center and CJP Client Master (2.222.x.0.z) should be upgraded to version 126.96.36.199.2-rev2