Security Advisories

CloudBees Security Advisory 2023-02-09

This advisory announces vulnerabilities in CloudBees CI and CloudBees Jenkins Platform.

Git releases with critical vulnerabilities on CloudBees CI Docker images

SECURITY-3039 / CVE-2022-23521 and CVE-2022-41903

Severity (CVSS): Critical (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, see https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Description:

CloudBees provides Docker images for the CloudBees CI platform. These Docker images include the git command line tool for interacting with Git repositories.

Git releases published before 2023-01-17 are affected by the vulnerabilities CVE-2022-23521 and CVE-2022-41903. In the context of CloudBees CI, the former vulnerability could be exploited through crafted repository contents, allowing an attacker with commit access to a Git repository cloned on a controller or agent to achieve remote code execution.

Building software is the primary use case for CloudBees CI. To accomplish that, CloudBees CI invokes build scripts containing user-specified code, usually retrieved from an SCM like Git. As a result, this vulnerability only has a real impact in very narrow circumstances: when attackers can control repository contents, but are unable to change build steps, Jenkinsfiles, test code that gets executed by CloudBees CI, or similar.

A new version of these images, shipping the patched Git 2.31.1-3 package, has been released.

Fix:

  • CloudBees Traditional Platforms should be upgraded to 2.375.3.4
  • CloudBees Cloud Platforms should be upgraded to 2.375.3.4
  • CloudBees Jenkins Platform (fixed train, CJP Operations Center and CJP Client Master (2.346.x.0.z)) should be upgraded to 2.346.40.0.8

NOTE: Customers also need to update the image version in their build pod definitions, since agent pods keep using whatever image tag the pod template references.
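Because the fix only takes effect once build pod definitions reference an updated image, a practical check is to scan pod templates and compare each image tag against the fixed versions named in this advisory. The script below is an added example, not CloudBees code: it maps the 2.346.x train to 2.346.40.0.8 and the 2.375.x train to 2.375.3.4, reports tags below those as vulnerable, and reports tags it cannot classify (such as `latest`, digests, or trains this advisory does not list) as unknown rather than guessing. The registry and image names in the sample pod definition are constructed placeholders.

```python
"""Audit Kubernetes pod definitions for CloudBees CI / CJP image tags that are
below the fixed releases in this advisory. Added example, not CloudBees code."""
import re
from typing import Dict, List, Optional, Tuple

# Fixed versions stated in the advisory, keyed by release train (major, minor).
FIXED_BY_TRAIN: Dict[Tuple[int, int], Tuple[int, ...]] = {
    (2, 346): (2, 346, 40, 0, 8),  # CJP fixed train (Operations Center / Client Master)
    (2, 375): (2, 375, 3, 4),      # CloudBees CI traditional and cloud platforms
}

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)+)")
# Matches "image: <ref>" lines in a pod spec; quotes around the ref are optional.
_IMAGE_RE = re.compile(r"^\s*-?\s*image:\s*[\"']?([^\"'\s]+)", re.MULTILINE)


def parse_version(tag: str) -> Optional[Tuple[int, ...]]:
    """Turn a tag such as '2.375.3.4' into (2, 375, 3, 4); None if not a dotted version."""
    m = _VERSION_RE.match(tag)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split("."))


def is_fixed(tag: str) -> Optional[bool]:
    """True if the tag is at or above the fix for its train, False if below it,
    None if the tag is unparseable or its train is not covered by this advisory."""
    v = parse_version(tag)
    if v is None or len(v) < 2:
        return None
    fixed = FIXED_BY_TRAIN.get(v[:2])
    if fixed is None:
        return None  # e.g. a different train: check it against its own advisory
    return v >= fixed  # tuple comparison: (2,375,3) < (2,375,3,4) is treated as below


def split_tag(image_ref: str) -> Optional[str]:
    """Return the tag of an image reference, or None for digests/untagged refs."""
    if "@" in image_ref:
        return None  # pinned by digest; the tag cannot tell us the version
    last = image_ref.rpartition("/")[2]  # avoid mistaking a registry port for a tag
    _, sep, tag = last.partition(":")
    return tag if sep else None


def audit_pod_definition(yaml_text: str) -> List[Tuple[str, str]]:
    """Return (image_ref, status) pairs; status is 'fixed', 'VULNERABLE' or 'unknown'."""
    results: List[Tuple[str, str]] = []
    for ref in _IMAGE_RE.findall(yaml_text):
        tag = split_tag(ref)
        verdict = is_fixed(tag) if tag is not None else None
        status = "unknown" if verdict is None else ("fixed" if verdict else "VULNERABLE")
        results.append((ref, status))
    return results


# Constructed sample pod template; registry and image names are placeholders.
SAMPLE_POD = """\
apiVersion: v1
kind: Pod
spec:
  containers:
  - name: jnlp
    image: registry.example.invalid:5000/cloudbees-ci-agent:2.375.2.1
  - name: maven
    image: "registry.example.invalid:5000/cloudbees-ci-agent:2.375.3.4"
  - name: cjp
    image: registry.example.invalid/cjp-client-master:2.346.39.0.4
  - name: tools
    image: registry.example.invalid/tools:latest
"""

if __name__ == "__main__":
    for image, status in audit_pod_definition(SAMPLE_POD):
        print(f"{status:<10} {image}")
```

Tags are compared as integer tuples, so `2.375.3.4` correctly sorts above `2.375.2.1` even though a plain string comparison would not; anything the script cannot classify is left for a manual check rather than reported as safe.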
