CloudBees Security Advisory 2020-06-22
This advisory announces vulnerabilities in CloudBees Jenkins Platform and CloudBees Core.
Lack of Access Control in "CloudBees PSE Mesos Metrics Plugin" => SSRF + Credentials Leak
CPLT2-6238
Potential credentials exposure due to a missing privilege check. Additionally, a CSRF vulnerability due to a missing HTTP method check.
Fix: Added a privilege check to the affected class methods. Added a requirement that they accept only the HTTP POST method.
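The following is an added illustration, in the Java form a Jenkins plugin endpoint takes, of the two controls the fix describes; it is not the plugin's own code. The class, method and field names are hypothetical, and it assumes the Jenkins credentials and plain-credentials plugins are on the classpath.

```java
import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import hudson.Extension;
import hudson.model.Descriptor;
import hudson.security.ACL;
import hudson.util.FormValidation;
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.util.Collections;
import jenkins.model.Jenkins;
import org.jenkinsci.plugins.plaincredentials.StringCredentials;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

// Hypothetical descriptor for a metrics-endpoint configuration page with a
// "Test connection" button (names are assumptions, not the plugin's own).
@Extension
public class MetricsEndpointDescriptor extends Descriptor<MetricsEndpoint> {

    // BEFORE: no permission check and reachable via GET, so a crafted link makes
    // the controller send the stored secret to a caller-chosen URL (SSRF) and
    // report whether it connected, which is the exposure the advisory describes.
    public FormValidation doTestConnectionBefore(@QueryParameter String url,
                                                 @QueryParameter String credentialsId) {
        return probe(url, credentialsId);
    }

    // AFTER: the two controls from the fix. @RequirePOST makes Stapler reject
    // any method other than POST, so Jenkins' crumb (CSRF token) check applies;
    // checkPermission throws AccessDeniedException for callers without ADMINISTER.
    @RequirePOST
    public FormValidation doTestConnection(@QueryParameter String url,
                                           @QueryParameter String credentialsId) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return probe(url, credentialsId);
    }

    // Shared body: resolve the credential, then contact the configured endpoint.
    private FormValidation probe(String url, String credentialsId) {
        StringCredentials cred = CredentialsMatchers.firstOrNull(
            CredentialsProvider.lookupCredentials(StringCredentials.class, Jenkins.get(),
                ACL.SYSTEM, Collections.emptyList()),
            CredentialsMatchers.withId(credentialsId));
        if (cred == null) return FormValidation.error("Unknown credentials id");
        try {
            HttpURLConnection conn = (HttpURLConnection) new URL(url).openConnection();
            conn.setRequestProperty("Authorization", "Bearer " + cred.getSecret().getPlainText());
            int status = conn.getResponseCode();
            return status == 200 ? FormValidation.ok("Connected") : FormValidation.error("HTTP " + status);
        } catch (IOException e) {
            return FormValidation.error("Connection failed: " + e.getMessage());
        }
    }
}
```

A quick check for the same class of defect in other plugins is to grep for `public FormValidation do` methods that carry neither `@RequirePOST` nor a `checkPermission` call.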
CSRF in Miscellaneous Configuration Container Configuration
CTR-1643
We fixed a Cross-Site Request Forgery (CSRF) issue in Configuration Container configuration.
CSRF in Client Master Manage > Push Configuration
CTR-1644
We fixed a Cross-Site Request Forgery (CSRF) issue in Client Master configuration.
CSRF in Shared Agent Configuration
CTR-1645
We fixed a Cross-Site Request Forgery (CSRF) issue in Shared Agent configuration.