This advisory announces vulnerabilities in CloudBees Jenkins Platform and CloudBees Core.

BEE-177

Fix RBAC role definitions were pushed to connected clients even when RBAC was not being used.

BEE-2048

Protects the plugin against unauthorized deactivation of data collections for IO performance and TCP agent monitoring subsystem.

BEE-2047

Problem: CloudBees Assurance Plugin 2.276.0.2 and earlier does not require POST requests for the form submission endpoint reconfiguring the update center, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to configure the default update center removing the one already applied.

Fix Description: CloudBees Assurance Plugin 2.276.0.3 requires POST requests for the reconfigure HTTP endpoint.

BEE-3042

BasicDefaultsProvider contributed invalid roles to the default configuration. Generic, disabled, and dangerous permissions are now filtered out when creating the default rbac roles configuration.

• BEE-177: Medium

• BEE-2048: Medium

• BEE-2047: Medium

• BEE-3042: Medium

• CloudBees Traditional Platforms should be upgraded 2.289.1.2

• CloudBees Cloud Platforms should be upgraded 2.289.1.2

• CloudBees Jenkins Platform (rolling train, CJP Operations Center and CJP Client Master (2.x.y.z) should be upgraded to version 2.289.1.2

• CloudBees Jenkins Platform (fixed train, CJP Operations Center and CJP Client Master (2.x.y.z) should be upgraded to version 2.249.31.0.5