Missing permission check in CloudBees HashiCorp Vault Plugin
BEE-52995
Severity (CVSS): Medium
Description:
CloudBees HashiCorp Vault Plugin defines a HashiCorp Vault Authentications/Configure permission that controls whether users can configure folder-level HashiCorp Vault authentications used for retrieving secrets from HashiCorp Vault.
This permission is implied by the Overall/Administer permission.
In CloudBees HashiCorp Vault Plugin 1.520 and earlier, folder-level HashiCorp Vault authentications were configured using a folder property on the folder in question. As a result, attackers with Job/Configure permission are able to modify folder-level HashiCorp Vault authentications by sending a crafted HTTP POST request to the `/config.xml` API endpoint of a folder.
Additionally, HashiCorp Vault authentications configured via the `/config.xml` API endpoint could also be read by attackers with Job/Configure permission, which would allow them to decrypt AppRole secret IDs.
CloudBees HashiCorp Vault Plugin 1.521 changes how folder-level HashiCorp Vault authentications are configured so that they can no longer be read or written via the `/config.xml` API endpoint for folders.
CloudBees CI in FIPS mode bundles a vulnerable version of the bctls-fips library
BEE-53155
Severity (CVSS): Medium
Description:
CloudBees CI 2.479.2.3 and earlier bundles, in FIPS mode, versions of the bctls-fips library that are vulnerable to CVE-2024-30171.
This vulnerability could allow attackers to exploit a timing attack during RSA key exchanges, known as "the Marvin Attack". This may result in the exposure of the RSA private key.
NOTE: This only affects CloudBees CI in FIPS mode.
CloudBees CI 2.479.3.1 updates the bundled bctls-fips library to version 1.0.19, which is unaffected by this issue.
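Both advisories above are resolved by upgrading to a stated version (HashiCorp Vault Plugin 1.521 for BEE-52995, CloudBees CI 2.479.3.1 for BEE-53155), so the practical check is whether an instance is still below those versions. The following is an added example, not CloudBees' own code or tooling: it compares a plugin inventory against the fixed versions named on this page. It assumes an inventory shaped like the output of Jenkins' `/pluginManager/api/json?depth=1` endpoint plus the core version; the plugin short name `cloudbees-hashicorp-vault` and the sample inventory are constructed placeholders, and the FIPS-mode qualifier for BEE-53155 is taken from the advisory's note.

```python
import json
import re

# Fixed versions as stated in the two advisories above. A component installed
# strictly below its fixed version is reported. The bctls-fips finding
# (BEE-53155) applies only when CloudBees CI runs in FIPS mode.
# Layout: advisory id -> (component name, first fixed version, FIPS-mode only)
ADVISORIES = {
    # plugin short name below is an assumed placeholder, not taken from the advisory
    "BEE-52995": ("cloudbees-hashicorp-vault", "1.521", False),
    "BEE-53155": ("cloudbees-ci-core", "2.479.3.1", True),
}


def parse_version(version):
    """'2.479.2.3' -> (2, 479, 2, 3). Parsing stops at the first component that
    does not start with digits, so build suffixes are ignored, not mis-ordered."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def is_fixed(installed, fixed):
    """True when the installed version is at or above the first fixed version.
    Tuple comparison ranks a shorter prefix lower, so '2.479' counts as older
    than '2.479.3.1' and is reported as affected (the conservative choice)."""
    return parse_version(installed) >= parse_version(fixed)


def installed_components(inventory):
    """Flatten a plugin-manager style inventory into {component: version}.
    Disabled plugins (active == False) are skipped."""
    components = {}
    if inventory.get("coreVersion"):
        components["cloudbees-ci-core"] = inventory["coreVersion"]
    for plugin in inventory.get("plugins", []):
        if plugin.get("active", True):
            components[plugin["shortName"]] = plugin["version"]
    return components


def audit(inventory, fips_mode):
    """Return [(advisory id, component, installed, first fixed)] for every
    advisory whose component is present below its fixed version."""
    components = installed_components(inventory)
    findings = []
    for advisory_id, (component, fixed, fips_only) in sorted(ADVISORIES.items()):
        if fips_only and not fips_mode:
            continue  # BEE-53155 is not applicable outside FIPS mode
        installed = components.get(component)
        if installed is not None and not is_fixed(installed, fixed):
            findings.append((advisory_id, component, installed, fixed))
    return findings


# Constructed sample inventory (not output from a real instance) in the shape of
# /pluginManager/api/json?depth=1, with the core version added alongside it.
SAMPLE_INVENTORY = json.loads(json.dumps({
    "coreVersion": "2.479.2.3",
    "plugins": [
        {"shortName": "cloudbees-hashicorp-vault", "version": "1.520", "active": True},
        {"shortName": "some-other-plugin", "version": "3.1.0", "active": True},
    ],
}))


if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY, fips_mode=True):
        print("%s: %s %s installed, fixed in %s" % finding)
```

Run against the constructed inventory with `fips_mode=True`, the script reports both advisories; with `fips_mode=False` only BEE-52995 is reported, matching the advisory's note that the bctls-fips issue affects CloudBees CI in FIPS mode only.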