Based on Jenkins
This advisory announces vulnerabilities in Jenkins, CloudBees Jenkins Distribution, CloudBees Jenkins Platform and CloudBees Core.
- Attackers with Overall/Read, Agent/Secure, and Job/Read can associate any folder they can Job/Read with any agent they can Agent/Secure via CSRF when using the CloudBees Folders Plus Plugin (FNDJEN-1781)
To fix this issue, the use of the crumb issuer has been enforced in some methods and the web page with the authorized agents has been restricted.
This only affects installations that use the CloudBees Folders Plus Plugin.
- Cloud connection test implementations allow users with Jenkins.READ permission to steal credentials (FNDJEN-1851)
Access is now protected with RequierePOST annotations and new check for permissions.
- CSRF vulnerability and missing permission checks in Health Advisor by CloudBees Plugin
Health Advisor by CloudBees Plugin 3.0 and earlier does not perform permission checks in methods performing form validation. This allows users with Overall/Read access to send an email with fixed content to an attacker-specified recipient.
Additionally, these form validation methods do not require POST requests, resulting in a CSRF vulnerability.
Health Advisor by CloudBees Plugin 3.0.1 requires POST requests and Overall/Administer permission for the affected form validation methods.
This only affects installations that use the Health Advisor by CloudBees Plugin.
- Specifying a matrix of one or more dimensions (NGPIPELINE-378)
The Declarative Pipeline Matrix directive allows users to execute a set of one or more Pipeline stages multiple times-once for every combination defined in the matrix. Matrix combinations are generated from static lists of predefined values. Filters can also be provided to exclude specific combinations.
The CloudBees Analytics Plugin collects metrics for analysis to help CloudBees make decisions about future product direction. The collected data is used to evaluate patterns of usage of our products.
For details about what data is collected, see Data collection for the CloudBees Analytics Plugin.
install-plugins.shscript used to customize the plugins to install in the Docker image not working (FNDJEN-1850)
In certain circumstances, the
install-plugins.shscript used to customize the plugins to install in the Docker image was preventing the instance from running.
install-plugins.shused to customize the Docker image now takes into account all the bundled plugins instead of only those in bootstrap scope, so the dependency management is correct and the instance is able to run always.
Kubernetes plugin was not pre-installed for version 220.127.116.11 (FNDJEN-1825)
Kubernetes and suggested plugins are now preinstalled by default starting with version 18.104.22.168.
- ATH failure in Gradle plugin (FNDJEN-1532)
Updated to version 1.35 of Gradle plugin to fix the failure as well as improve pipeline support.
- Connection to S3 for backup with HTTP only (no SSL) not working (CTR-1030)
This only affects installations that use the CloudBees Backup Plugin.
When overriding an S3 endpoint with a custom endpoint that used the HTTP protocol only, the URL was prefixed by "https://" and ended with an SSL error. With this fix, when an endpoint has only the HTTP protocol set and HTTPS is not present, then the URL begins with "http://".
- Update pipeline-build-step to 2.10 and workflow-cps to 2.78 (NGPIPELINE-878)
When the build step failed because the downstream build failed, it always reported failure, instead of the actual result of the downstream build. With this fix, the build step now reports the actual result of the downstream build when using the propagate option.