RELEASED: 2020-12-03
Based on Jenkins LTS 2.222.42-cb-1
Fixed release
Security advisory
CloudBees Security Advisory 2020-12-03
This advisory announces vulnerabilities in Jenkins, CloudBees Jenkins Distribution, CloudBees Jenkins Platform and CloudBees CI.
Security fixes
- CSRF in Client Master connection URL field (CTR-2797)
  CloudBees fixed a cross-site request forgery (CSRF) issue in the Client Master URL connection field on the operations center Client Master item manage page and added a new permission check.
- The HA status page was not protected, allowing anyone to view the status of a cluster (CTR-2364)
  With this change, only users with Administer permission are able to see the HA status page.
- snakeyaml:1.10 dependency removed (CTR-2511)
  The snakeyaml:1.10 library contains a known security vulnerability. With this change, we are removing the dependency on that library.
- Upgraded Script Security plugin dependency (CTR-2238)
  The Script Security plugin's groovy-sandbox library dependency was included as version 1.20, which contains vulnerabilities. With this fix, the Script Security plugin no longer includes version 1.20 of the groovy-sandbox library.
- Plugin Usage page unprotected (FNDJEN-3225)
  The Plugin Usage page did not check permissions. It now checks that the user has Administer permission.
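Three of the items above share two fix patterns: a permission check before a status page is rendered (the HA status page, CTR-2364, and the Plugin Usage page, FNDJEN-3225), and a permission check plus POST-only handling on an endpoint that changes a setting (the Client Master connection URL field, CTR-2797). The following sketch is an added illustration of both patterns using the standard Jenkins and Stapler APIs; it is not CloudBees' or the Jenkins project's code, and the class, field, URL and method names are assumptions.

```java
// Illustrative Jenkins RootAction (added example, not CloudBees' code).
// It shows the two hardening patterns named in this advisory: an Administer
// check before a status page renders, and @RequirePOST plus an Administer
// check on an endpoint that changes configuration.
import hudson.Extension;
import hudson.model.RootAction;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.HttpResponse;
import org.kohsuke.stapler.HttpResponses;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

@Extension
public class ExampleStatusAction implements RootAction {

    // Hypothetical setting standing in for a connection URL field.
    private volatile String connectionUrl = "";

    @Override public String getIconFileName() {
        // Returning null hides the sidebar link from non-administrators, but
        // hiding is not protection: the URL stays reachable directly, so the
        // data getter below must perform the real check.
        return Jenkins.get().hasPermission(Jenkins.ADMINISTER) ? "monitor.png" : null;
    }
    @Override public String getDisplayName() { return "Example status"; }
    @Override public String getUrlName() { return "example-status"; }

    // BEFORE (unprotected status page): any user who can reach
    // /example-status/ gets the data, because nothing checks permission.
    //   public String getStatus() { return computeStatus(); }

    // AFTER: the view calls this getter; checkPermission() throws
    // AccessDeniedException for anyone without Administer, so the page
    // is not rendered for them.
    public String getStatus() {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return computeStatus();
    }

    // BEFORE (CSRF-prone setter): a plain GET to
    // /example-status/setUrl?url=... triggered from another site the
    // victim has open would change the setting.
    //   public HttpResponse doSetUrl(@QueryParameter String url) { ... }

    // AFTER: @RequirePOST rejects GET, so a link or image tag cannot trigger
    // the change, and Jenkins' crumb (CSRF token) check then rejects a
    // cross-site POST that lacks a valid crumb. The permission check stops
    // authenticated users who lack Administer.
    @RequirePOST
    public HttpResponse doSetUrl(@QueryParameter String url) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        this.connectionUrl = url;
        return HttpResponses.redirectToDot();
    }

    private String computeStatus() {
        // Placeholder body; a real action would gather cluster or plugin data here.
        return "connection URL: " + connectionUrl;
    }
}
```

The point to check in a review of any Jenkins page or endpoint is that the check lives in the code path that produces or changes the data, not only in the code that decides whether to show a link to it.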
- Update commons-io to 2.8 (FNDJEN-3006)
  Commons-io 2.6 has a security vulnerability that is not exploitable from the existing code. Commons-io has been updated to 2.8.0 to remove this vulnerability.