RELEASED: 2020-01-29
Based on Jenkins
LTS2.164.33-cb-1
Fixed release
Security advisory
CloudBees Security Advisory 2020-01-29
This advisory announces vulnerabilities in Jenkins, CloudBees Jenkins Distribution, CloudBees Jenkins Platform and CloudBees Core.
Security fixes
- Attackers with Overall/Read, Agent/Secure, and Job/Read can associate any folder they can Job/Read with any agent they can Agent/Secure via CSRF when using the CloudBees Folders Plus Plugin (FNDJEN-1781)
To fix this issue, the use of the crumb issuer has been enforced in some methods and the web page with the authorized agents has been restricted.
This only affects installations that use the CloudBees Folders Plus Plugin.
- Cloud connection test implementations allow users with Jenkins.READ permission to steal credentials (FNDJEN-1851)
Access is now protected with RequirePOST annotations and a new permission check.
- CSRF vulnerability and missing permission checks in Health Advisor by CloudBees Plugin
SECURITY-1708 / CVE-2020-2093 (CSRF), CVE-2020-2094 (missing permission check)
Health Advisor by CloudBees Plugin 3.0 and earlier does not perform permission checks in methods performing form validation. This allows users with Overall/Read access to send an email with fixed content to an attacker-specified recipient.
Additionally, these form validation methods do not require POST requests, resulting in a CSRF vulnerability.
Health Advisor by CloudBees Plugin 3.0.1 requires POST requests and Overall/Administer permission for the affected form validation methods.
This only affects installations that use the Health Advisor by CloudBees Plugin.
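The fix pattern described above (POST plus an Overall/Administer check on a form validation method), shown as an added example that is not the plugin's source code. The class, method and parameter names are hypothetical, the mail call is a logging stand-in, and the snippet assumes Jenkins core on the classpath.

```java
// Added illustration, not code from Health Advisor by CloudBees Plugin.
// ExampleAdvisorConfig, doTestSendEmail* and sendFixedTestMail are hypothetical names.
import hudson.Extension;
import hudson.util.FormValidation;
import java.util.logging.Logger;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

@Extension
public class ExampleAdvisorConfig extends GlobalConfiguration {

    private static final Logger LOGGER =
            Logger.getLogger(ExampleAdvisorConfig.class.getName());

    // Before: the shape of the flaw. The method answers GET requests and
    // performs no permission check, so any user with Overall/Read, or a
    // cross-site request made in that user's session, triggers the side effect.
    public FormValidation doTestSendEmailUnchecked(@QueryParameter String email) {
        sendFixedTestMail(email);
        return FormValidation.ok("Test mail sent");
    }

    // After: @RequirePOST rejects non-POST requests, which puts the call
    // behind Jenkins' CSRF crumb check, and checkPermission throws
    // AccessDeniedException unless the caller holds Overall/Administer.
    @RequirePOST
    public FormValidation doTestSendEmail(@QueryParameter String email) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        if (email == null || email.trim().isEmpty()) {
            return FormValidation.error("A recipient address is required");
        }
        sendFixedTestMail(email.trim());
        return FormValidation.ok("Test mail sent");
    }

    // Stand-in for the side effect: records the request instead of sending mail.
    private void sendFixedTestMail(String recipient) {
        LOGGER.info("Fixed-content test mail requested for " + recipient);
    }
}
```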
New features
- Specifying a matrix of one or more dimensions (NGPIPELINE-378)
The Declarative Pipeline Matrix directive allows users to execute a set of one or more Pipeline stages multiple times, once for every combination defined in the matrix. Matrix combinations are generated from static lists of predefined values. Filters can also be provided to exclude specific combinations.
Resolved issues
- ATH failure in Gradle plugin (FNDJEN-1532)
Updated to version 1.35 of Gradle plugin to fix the failure as well as improve pipeline support.
- Connection to S3 for backup with HTTP only (no SSL) not working (CTR-1030)
This only affects installations that use the CloudBees Backup Plugin.
When overriding an S3 endpoint with a custom endpoint that used the HTTP protocol only, the URL was prefixed by "https://" and the connection ended with an SSL error. With this fix, when an endpoint has only the HTTP protocol set and HTTPS is not present, the URL begins with "http://".
- Update pipeline-build-step to 2.10 and workflow-cps to 2.78 (NGPIPELINE-878)
This only affects installations that use the Pipeline: Build Step and Pipeline: Groovy plugins.
When the build step failed because the downstream build failed, it always reported failure, instead of the actual result of the downstream build. With this fix, the build step now reports the actual result of the downstream build when using the propagate option.