
CloudBees Security Advisory 2023-04-05

This advisory announces vulnerabilities in CloudBees CI and CloudBees Jenkins Platform.

CloudBees Pipeline: Template used insecure SnakeYaml constructor

BEE-30448 / GHSA-mjmj-j48q-9wg2 / CVE-2022-1471

Severity (CVSS): High, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Affected plugin: CloudBees Pipeline: Template (https://docs.cloudbees.com/plugins/ci/cloudbees-workflow-template)

Description:

The CloudBees Pipeline: Template plugin parsed YAML with an insecure SnakeYaml constructor, one that resolves global tags to arbitrary classes.

The plugin now uses the SnakeYaml SafeConstructor.
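To make the difference concrete, here is an added example (not code from the plugin or from CloudBees) that loads a template-style YAML document both ways. It assumes SnakeYaml 1.33 or later (where `Constructor` and `SafeConstructor` take a `LoaderOptions`), and the sample documents and the class `TemplateYamlLoader` are constructed for illustration.

```java
import java.util.Map;
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.Constructor;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

/**
 * Loads template attributes from YAML with SnakeYaml. Two loaders are shown:
 * the default Constructor (the weak setting the advisory describes) and the
 * SafeConstructor-based loader that replaced it.
 */
public class TemplateYamlLoader {

    // Constructed sample: the kind of document a template legitimately carries.
    static final String PLAIN_TEMPLATE =
        "name: build-and-test\n" +
        "parameters:\n" +
        "  branch: main\n" +
        "  timeoutMinutes: 30\n";

    // Constructed sample: a document carrying a global (!!) tag. The default
    // Constructor treats such a tag as "instantiate this class"; SafeConstructor
    // refuses any tag outside the standard YAML types.
    static final String TAGGED_TEMPLATE = "name: !!com.example.Whatever {}\n";

    /** Before the fix: global tags are resolved to classes named by the document. */
    static Object loadInsecure(String yaml) {
        return new Yaml(new Constructor(new LoaderOptions())).load(yaml);
    }

    /** After the fix: only Map, List, String, numbers, booleans etc. are built. */
    static Object loadSafe(String yaml) {
        return new Yaml(new SafeConstructor(new LoaderOptions())).load(yaml);
    }

    public static void main(String[] args) {
        Map<?, ?> template = (Map<?, ?>) loadSafe(PLAIN_TEMPLATE);
        System.out.println("parsed template name: " + template.get("name"));

        try {
            loadSafe(TAGGED_TEMPLATE);
            System.out.println("unexpected: tagged document was accepted");
        } catch (YAMLException e) {
            // SafeConstructor raises a ConstructorException for the unknown tag
            System.out.println("rejected by SafeConstructor: " + e.getMessage());
        }
    }
}
```

The same hardening applies to any code path that hands untrusted YAML to SnakeYaml: construct the `Yaml` instance with `SafeConstructor` (or, in SnakeYaml 2.x, rely on its safe-by-default behaviour) rather than the plain `Constructor`.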

CloudBees Backup plugin uses SHA-1 Hashes for the Approvers Map

BEE-29578

Severity (CVSS): Medium, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N (https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N)

Affected plugin: CloudBees Backup (https://docs.cloudbees.com/plugins/ci/infradna-backup)

Description:

The CloudBees Backup plugin used SHA-1 hashes as the keys of the approvers map.

The plugin now uses SHA-256 for the approvers map.

Fix

  • CloudBees Cloud Platforms should be upgraded to 2.387.2.3
  • CloudBees Traditional Platforms should be upgraded to 2.387.2.3
  • CloudBees Jenkins Platform (fixed train, CJP Operations Center and CJP Client Master (2.346.x.0.z)) should be upgraded to 2.346.40.0.14
