Missing CSRF and Permission Check Leading to SSRF
CTR-2797
CloudBees fixed a cross-site request forgery (CSRF) issue in the Client Master URL connection field on the Operations Center Client Master item manage page and added a new permission check.
Groups on items and nodes are ignored after the RBAC migration until the next restart
CTR-2757
Groups are not available on items after the RBAC migration until the next restart. Customers will experience either a lack of permissions or an increase in permissions, depending on their permission configuration strategy (either adding more permissions in folders or filtering roles).
High Availability Status page unprotected
CTR-2364
The HA status page was not protected, allowing anyone to view the status of a cluster.
With this change, only users with the Administer permission are able to see the HA status page.
Permissions are not correctly applied if RBAC on Views is disabled
CTR-2748
Since the November rolling release (2.249.3.1), it is not possible to define groups on views, so the expected permission set should come from the view's parent item. However, a bug caused the permission set to be the root one (i.e. whatever is defined at root level).
This fix makes the view use the permission set of the view's owner: if the view is inside a folder, the folder's groups and roles are applied; if the view is at the root level, the global groups and roles are applied.
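The owner-based resolution described above, as an added illustration (constructed model, not CloudBees code): the pre-fix resolver always reads the root permission set, while the fixed resolver starts from the view's owner and walks up to the root. Item, View, the group layout and the permission names are assumptions for this example.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Item:
    """A folder or the root; groups map a group name to granted permissions."""
    name: str
    groups: dict[str, set[str]] = field(default_factory=dict)
    parent: Optional[Item] = None


@dataclass
class View:
    """Views cannot carry groups; they take the permission set of their owner."""
    name: str
    owner: Item


def permission_set(item: Optional[Item], user_groups: set[str]) -> set[str]:
    """Union of permissions granted by matching groups on item and its ancestors."""
    perms: set[str] = set()
    while item is not None:
        for group, granted in item.groups.items():
            if group in user_groups:
                perms |= granted
        item = item.parent
    return perms


def view_permissions_buggy(view: View, root: Item, user_groups: set[str]) -> set[str]:
    # Pre-fix behaviour: the view's permission set was always the root one.
    return permission_set(root, user_groups)


def view_permissions_fixed(view: View, user_groups: set[str]) -> set[str]:
    # Fixed behaviour: resolve from the view's owner (folder or root).
    return permission_set(view.owner, user_groups)


# Constructed sample: root grants Job/Read to "everyone"; folder "team-a"
# additionally grants Job/Build to the "devs-a" group.
ROOT = Item("root", {"everyone": {"Job/Read"}})
TEAM_A = Item("team-a", {"devs-a": {"Job/Build"}}, parent=ROOT)
TEAM_VIEW = View("pipelines", owner=TEAM_A)
ROOT_VIEW = View("all", owner=ROOT)


def demo(user_groups: set[str] = frozenset({"everyone", "devs-a"})) -> dict[str, set[str]]:
    groups = set(user_groups)
    return {
        "buggy": view_permissions_buggy(TEAM_VIEW, ROOT, groups),
        "fixed": view_permissions_fixed(TEAM_VIEW, groups),
        "root_view": view_permissions_fixed(ROOT_VIEW, groups),
    }
```

For the folder view the buggy resolver drops the folder-level Job/Build grant, which is the "lack of permissions" symptom; a folder that instead filters roles would show the opposite symptom.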
RBAC on nested connected masters, shared agent, shared cloud and shared configuration are not migrated
CTR-2742, CTR-2740
A previous version update caused an issue with the RBAC configuration of Operations Center items in nested folders. This version corrects the issue by performing an additional migration of the RBAC configuration for all OC items in the Jenkins instance, not just the items defined at the top level.
Upgraded Script Security plugin dependency
CTR-2238
The Script Security groovy-sandbox library dependency was included as version 1.20 which contains vulnerabilities.
With this fix, the Script Security plugin does not include the groovy-sandbox library dependency as version 1.20.
CVE-2017-18640 Located in bluesteel-cjoc.hpi Dependency SnakeYAML 1.10
CTR-2511
The snakeyaml:1.10 library contains a known security vulnerability.
With this change we are removing the dependency on that library.
Upgrade notes:
IMPORTANT - By removing the Snakeyaml dependency we are also removing old migration code, which means updates from versions of this plugin older than 1.1.0 (3 years old) will require a multistep upgrade.
The multistep upgrade involves two steps:
1. Update to a version previous to this one.
2. Update to this version.
If users skip a step in the multistep process, they could incur data loss.