Security Advisory Impact
CloudBees Security Advisory 2021-05-05
This advisory announces vulnerabilities in CloudBees Jenkins Distribution, CloudBees Jenkins Platform and CloudBees CI
Missing permission checks in ItemReplicationLive / ItemReplicationRecord
Previously, users could access the Move/Copy/Promote logs without the proper permissions.
This issue has been resolved. Now, only users with the privileges to trigger Move/Copy/Promote operations can access the logs.
XXE vulnerability in Operations Center Context Plugin
Missing Permission Check When Creating a Folder With CyberArk Stores Configuration in CyberArk Credentials Plugin
Fixed a missing permission check in CloudBees CyberArk Credentials Provider Plugin.
Missing Permission Checks in Nectar-License Plugin
Fixed a missing permission check in the nectar-license plugin.
Missing Permission Check in Cloudbees-Update-Center Plugin
A missing permission check allowed a user with only read permission on a custom update center to reload it.
The permission check has been restored: configuration privilege on the custom update center is now required to reload it.
CSRF Vulnerability in Operations-Center-Context Plugin
Fixed a CSRF vulnerability in the Operations Center Context plugin.
Missing Permission Checks Operations-Center-License Plugin
Fixed a missing permission check in the operations-center-license plugin.
All permissions given to the authenticated user role when the RBAC configuration cannot be loaded at startup in nectar-rbac Plugin
Problem: When the nectar-rbac plugin fails to read its configuration at startup, it uses the default authorization, granting administrative permissions to all authenticated users.
Fix: Jenkins startup now fails if the nectar-rbac plugin cannot read its configuration file. A user with access to the JENKINS_HOME file system must fix the nectar-rbac.xml configuration file and restart CloudBees CI.
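The two behaviours described above, fail-open (an unreadable authorization file silently becomes a permissive default) and fail-closed (startup aborts until a filesystem-level operator repairs the file), side by side. This is an added illustration, not CloudBees or nectar-rbac code; the XML schema, the RbacConfig class and the PERMISSIVE_DEFAULT value are constructed here to stand in for the real plugin's format and defaults.

```python
"""Fail-closed loading of an RBAC configuration file.

Added example (not CloudBees or Jenkins code). It models the class of defect
described in the advisory: an authorization config that cannot be read must
not silently fall back to a permissive default.
"""
import os
import tempfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field


@dataclass
class RbacConfig:
    # role name -> set of permissions granted to that role
    roles: dict = field(default_factory=dict)

    def permissions_for(self, role: str) -> set:
        return set(self.roles.get(role, ()))


# Constructed permissive default, comparable to "all authenticated users are admins".
PERMISSIVE_DEFAULT = RbacConfig(roles={"authenticated": {"ADMINISTER"}})


class ConfigError(RuntimeError):
    """Raised when the RBAC file is missing or unparsable; startup must abort."""


def parse_rbac_xml(text: str) -> RbacConfig:
    # Constructed schema: <rbac><role name="x"><permission>P</permission>...</role></rbac>
    root = ET.fromstring(text)
    if root.tag != "rbac":
        raise ConfigError(f"unexpected root element {root.tag!r}")
    cfg = RbacConfig()
    for role in root.findall("role"):
        name = role.get("name")
        if not name:
            raise ConfigError("role without a name attribute")
        cfg.roles[name] = {p.text.strip() for p in role.findall("permission") if p.text}
    return cfg


def load_rbac_fail_open(path: str) -> RbacConfig:
    """The vulnerable pattern: any read or parse error yields the permissive default."""
    try:
        with open(path, encoding="utf-8") as fh:
            return parse_rbac_xml(fh.read())
    except (OSError, ET.ParseError, ConfigError):
        return PERMISSIVE_DEFAULT


def load_rbac_fail_closed(path: str) -> RbacConfig:
    """The fixed pattern: a config that cannot be read aborts startup with a clear error."""
    try:
        with open(path, encoding="utf-8") as fh:
            return parse_rbac_xml(fh.read())
    except OSError as exc:
        raise ConfigError(f"cannot read {path}: {exc}") from exc
    except ET.ParseError as exc:
        raise ConfigError(f"cannot parse {path}: {exc}") from exc


def demo() -> dict:
    """Run both loaders against a valid file and a corrupt one; report what 'authenticated' gets."""
    good = '<rbac><role name="authenticated"><permission>READ</permission></role></rbac>'
    corrupt = '<rbac><role name="authenticated"><permission>READ</permission>'  # truncated on disk
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for label, content in (("good", good), ("corrupt", corrupt)):
            path = os.path.join(d, f"{label}.xml")
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(content)
            results[f"open/{label}"] = sorted(load_rbac_fail_open(path).permissions_for("authenticated"))
            try:
                results[f"closed/{label}"] = sorted(load_rbac_fail_closed(path).permissions_for("authenticated"))
            except ConfigError:
                results[f"closed/{label}"] = "startup aborted"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:15} {value}")
```

The interesting row is the corrupt file: the fail-open loader hands "authenticated" the ADMINISTER permission, exactly the escalation the advisory describes, while the fail-closed loader refuses to start and names the file that needs repair.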
SSRF vulnerability in PlatformConfiguration.doCheckUrl in cloudbees-platform-common Plugin
Problem: Form validation for the CloudBees Software Delivery Automation location (URL) field was subject to a CSRF vulnerability and a missing permission check.
Fix: This validation endpoint now requires the POST method and administrator permission.
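The before/after of a form-validation endpoint of this shape, as an added example rather than CloudBees or Jenkins code: a tiny in-process request model where the unsafe handler answers any method from any user, and the fixed handler applies the same two gates the advisory names, POST only and administrator permission. Request, HttpError, ADMINS, dispatch and the example hostname are all constructed here.

```python
"""Method and permission gating for a form-validation endpoint.

Added example, not CloudBees or Jenkins code. It models the doCheckUrl fix
described above with a minimal request model; Request, do_check_url_unsafe,
ADMINS and the sample URL are constructed for this illustration.
"""
from dataclasses import dataclass, field
from functools import wraps
from urllib.parse import urlparse


@dataclass
class Request:
    method: str
    user: str                  # authenticated principal, "anonymous" if none
    params: dict = field(default_factory=dict)


class HttpError(Exception):
    def __init__(self, status: int):
        super().__init__(status)
        self.status = status


# Constructed authorization data standing in for the holders of ADMINISTER.
ADMINS = {"alice"}


def check_permission(user: str) -> None:
    """Equivalent of a checkPermission(ADMINISTER) call: 403 unless the user is an admin."""
    if user not in ADMINS:
        raise HttpError(403)


def require_post(handler):
    """Equivalent of a require-POST interceptor: reject other methods with 405 before the handler runs."""
    @wraps(handler)
    def wrapper(req: Request):
        if req.method != "POST":
            raise HttpError(405)
        return handler(req)
    return wrapper


def validate_url(value: str) -> tuple:
    """The validation itself, shared by both variants: only absolute http(s) URLs are accepted."""
    parsed = urlparse(value)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        return ("error", "expected an absolute http(s) URL")
    return ("ok", "")


def do_check_url_unsafe(req: Request) -> tuple:
    """Before: reachable by GET and by any user, so the server-side check runs for
    cross-site requests and for unprivileged accounts alike."""
    return validate_url(req.params.get("value", ""))


@require_post
def do_check_url(req: Request) -> tuple:
    """After: POST only (no simple cross-site GET trigger) and administrator permission required."""
    check_permission(req.user)
    return validate_url(req.params.get("value", ""))


def dispatch(handler, req: Request) -> tuple:
    """Run a handler and convert HttpError into an ('http', status) result."""
    try:
        return handler(req)
    except HttpError as exc:
        return ("http", exc.status)


def demo() -> dict:
    """Exercise both handlers with the same three constructed requests."""
    url = "https://sda.example.internal/"   # constructed sample value
    cases = {
        "get-anonymous": Request("GET", "anonymous", {"value": url}),
        "post-user": Request("POST", "bob", {"value": url}),
        "post-admin": Request("POST", "alice", {"value": url}),
    }
    return {
        f"{variant}/{name}": dispatch(handler, req)
        for variant, handler in (("unsafe", do_check_url_unsafe), ("fixed", do_check_url))
        for name, req in cases.items()
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:22} {value}")
```

In a Jenkins plugin the same two gates are the @RequirePOST annotation on the doCheck method and a Jenkins.get().checkPermission(Jenkins.ADMINISTER) call as its first statement; the order matters, since the method check must reject a GET before any permission logic or URL handling runs.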
CloudBees Traditional Platforms should be upgraded to version 2.277.4.2
CloudBees Cloud Platforms should be upgraded to version 2.277.4.2
CloudBees Jenkins Enterprise should upgrade the Managed Masters and Operations Center to version 2.277.4.2
CloudBees Jenkins Platform (rolling train: CJP Operations Center and CJP Client Master, 2.x.y.z) should be upgraded to version 2.277.4.2
CloudBees Jenkins Platform (fixed train: CJP Operations Center and CJP Client Master, 2.249.x.0.z) should be upgraded to version 126.96.36.199.3
CloudBees Jenkins Distribution should be upgraded to version 2.277.4.2