CloudBees Security Advisory 2023-04-05

This advisory announces vulnerabilities in CloudBees CI and CloudBees Jenkins Platform.

CloudBees Pipeline: Template used insecure SnakeYaml constructor

BEE-30448 / GHSA-mjmj-j48q-9wg2 / CVE-2022-1471
Severity (CVSS): High
Affected plugin: CloudBees Pipeline: Template
Description:

In the CloudBees Pipeline: Template plugin, an insecure SnakeYaml constructor was used.

The plugin now uses the SnakeYaml SafeConstructor.
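To illustrate the fix described above, here is an added example (not code from the CloudBees plugin) contrasting SnakeYAML's unrestricted `Constructor` with `SafeConstructor` on the same constructed input; it assumes SnakeYAML 1.33 or later (the `LoaderOptions`-taking constructors) on the classpath, and the tag `com.example.Anything` is a placeholder class name.

```java
// Added example, not CloudBees' code. Shows why SafeConstructor closes the
// class-instantiation hole: it only knows the standard YAML tags.
// Assumes SnakeYAML 1.33+ on the classpath.
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.Constructor;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

import java.util.Map;

public class SafeYamlLoading {

    // Constructed sample: a plain mapping plus a global (!!) tag that asks the
    // loader to instantiate an arbitrary class. "com.example.Anything" is a placeholder.
    static final String TEMPLATE_YAML =
            "name: build-template\n"
          + "steps: [checkout, test]\n"
          + "extra: !!com.example.Anything {}\n";

    // Before: the unrestricted Constructor resolves !!fully.qualified.Name tags by
    // loading that class and building an instance from the YAML node.
    static Object loadUnrestricted(String yaml) {
        Yaml loader = new Yaml(new Constructor(new LoaderOptions()));
        return loader.load(yaml);
    }

    // After: SafeConstructor constructs only str, int, bool, map, seq and the
    // other standard tags; any global tag raises a ConstructorException.
    static Map<String, Object> loadSafe(String yaml) {
        Yaml loader = new Yaml(new SafeConstructor(new LoaderOptions()));
        return loader.load(yaml);
    }

    public static void main(String[] args) {
        try {
            loadSafe(TEMPLATE_YAML);
            System.out.println("unexpected: tagged document was accepted");
        } catch (YAMLException e) {
            // Expected path: the exception message names the rejected tag.
            System.out.println("SafeConstructor rejected the document: " + e.getMessage());
        }
        // Plain template data still loads normally with SafeConstructor.
        Map<String, Object> ok = loadSafe("name: build-template\nsteps: [checkout, test]\n");
        System.out.println(ok);
    }
}
```

When auditing a plugin for this class of bug, search for `new Yaml()` and `new Constructor(` and confirm each loader of untrusted input is built on `SafeConstructor` instead.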

CloudBees Backup plugin

BEE-29578
Severity (CVSS): Medium
Affected plugin: CloudBees Backup
Description:

The CloudBees Backup plugin used SHA-1 hashes for the approvers map.

The plugin now uses SHA-256 for that approvers map.

Fix

  • CloudBees Cloud Platforms should be upgraded to 2.387.2.3

  • CloudBees Traditional Platforms should be upgraded to 2.387.2.3

  • CloudBees Jenkins Platform (fixed train, CJP Operations Center and CJP Client Master (2.346.x.0.z)) should be upgraded to 2.346.40.0.14