CloudBees Jenkins Platform 2.222.42.0.3


RELEASED: 2020-12-03

Based on Jenkins LTS 2.222.42-cb-1

Fixed release

Security advisory

Security fixes

CSRF in Client Master connection URL field (CTR-2797)

CloudBees fixed a cross-site request forgery (CSRF) issue in the Client Master connection URL field on the operations center Client Master item manage page, and added a permission check to that endpoint.

HA status page unprotected (CTR-2364)

The HA status page did not check permissions, so anyone who could reach the controller could view the status of the cluster. With this change, only users with Administer permission can see the HA status page.

snakeyaml:1.10 dependency removed (CTR-2511)

The snakeyaml:1.10 library contains a known security vulnerability. With this change we are removing the dependency on that library.

Upgraded Script Security plugin dependency (CTR-2238)

The Script Security plugin bundled version 1.20 of the groovy-sandbox library, which contains known vulnerabilities.

With this fix, the Script Security plugin no longer bundles groovy-sandbox 1.20.

Plugin Usage page unprotected (FNDJEN-3225)

The Plugin Usage page did not check permissions, so any user could list which plugins are in use.

The Plugin Usage page now requires Administer permission.
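Three of the fixes above (CTR-2797, CTR-2364, FNDJEN-3225) are instances of the same two Jenkins hardening patterns: every endpoint that reveals state checks an explicit permission, and every endpoint that changes state is restricted to POST so the CSRF crumb is enforced. The following is an added, hypothetical Jenkins action written for this page to illustrate those patterns; it is not CloudBees code and does not reproduce the operations center or HA implementation. The class name, URL name and the `connectionUrl` field are invented for the example.

```java
import hudson.Extension;
import hudson.model.RootAction;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.StaplerResponse;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;

/**
 * Hypothetical status page (added example, not CloudBees code) showing the two
 * patterns behind the advisory fixes: an Administer check on every entry point
 * that reveals state, and @RequirePOST plus a permission check on every entry
 * point that changes state.
 */
@Extension
public class HaStatusExampleAction implements RootAction {

    // Hypothetical field standing in for a stored Client Master connection URL.
    private volatile String connectionUrl = "";

    @Override
    public String getUrlName() { return "ha-status-example"; }

    @Override
    public String getDisplayName() { return "HA status (example)"; }

    /** Hiding the sidebar link is cosmetic; the real protection is in the handlers below. */
    @Override
    public String getIconFileName() {
        return Jenkins.get().hasPermission(Jenkins.ADMINISTER) ? "monitor.png" : null;
    }

    /** Read-only view of cluster state: GET is acceptable, but it must still require Administer. */
    public void doIndex(StaplerRequest req, StaplerResponse rsp) throws IOException {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER); // throws AccessDeniedException -> 403
        rsp.setContentType("text/plain;charset=UTF-8");
        rsp.getWriter().println("connection URL: " + connectionUrl);
    }

    /** Live form validation is also an endpoint; without the check it leaks whether a URL is set. */
    public FormValidation doCheckConnectionUrl(@QueryParameter String value) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return validateUrl(value);
    }

    /**
     * State change. @RequirePOST rejects GET, so a link or image tag on an attacker's
     * page cannot trigger it, and the POST must carry the Jenkins CSRF crumb. The
     * permission is checked again because the crumb only proves the request came
     * from the victim's own session, not that the victim is allowed to do this.
     */
    @RequirePOST
    public void doUpdateConnectionUrl(StaplerRequest req, StaplerResponse rsp,
                                      @QueryParameter String value) throws IOException {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        FormValidation v = validateUrl(value);
        if (v.kind != FormValidation.Kind.OK) {
            rsp.sendError(400, v.getMessage());
            return;
        }
        connectionUrl = value.trim();
        rsp.sendRedirect2(".");
    }

    /** Accept only absolute http(s) URLs with a host; reject anything else before storing it. */
    static FormValidation validateUrl(String value) {
        if (value == null || value.trim().isEmpty()) {
            return FormValidation.error("Connection URL is required");
        }
        try {
            URI uri = new URI(value.trim());
            String scheme = uri.getScheme();
            if (uri.getHost() == null || scheme == null
                    || !(scheme.equalsIgnoreCase("http") || scheme.equalsIgnoreCase("https"))) {
                return FormValidation.error("Connection URL must be an absolute http(s) URL");
            }
        } catch (URISyntaxException e) {
            return FormValidation.error("Malformed URL: " + e.getMessage());
        }
        return FormValidation.ok();
    }
}
```

To verify that a page is actually protected rather than merely hidden, request it directly as a non-administrator (for example with `curl -u user:token https://jenkins.example/ha-status-example/`) and expect a 403; a 200 means only the link was hidden. Likewise, a GET to the update endpoint should return 405 regardless of who sends it, which is the observable effect of `@RequirePOST`.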

Update commons-io to 2.8 (FNDJEN-3006)

Commons-io 2.6 has a known security vulnerability, although it is not exploitable through the existing code paths.

Commons-io has been updated to 2.8.0 to remove the vulnerable version from the distribution.