RELEASED: Public: 2020-11-04
Security fixes
- Fix vulnerability on CloudBees Role-Based Access Control (RBAC) Plugin (CTR-430)
-
When using the CloudBees Role-Based Access Control (RBAC) Plugin, any user with the
Item.CONFIGURE
( orView.CONFIGURE
,Computer.CONFIGURE
) permission on an item was able to override the RBAC configuration of that item by uploading a newconfig.xml
file, allowing them to escalate permissions.To fix this vulnerability, CloudBees moved the RBAC configurations of each item (if any) from their
config.xml
file to a new file namednectar-rbac.xml
, and saved it in the item’s folder. This migration of the RBAC configurations will happen automatically on startup.RBAC groups and role filters can no longer be configured on views, and those previously configured are not loaded. This change only affects the views themselves, not the items within them. Previous permissions applied to the items are still enforced. You can enable the ability to configure RBAC groups and role filters at the views level by setting the system property
nectar.plugins.rbac.groups.ViewProxyGroupContainer.enabled=true
. However, enabling this ability is not recommended for security reasons. See the Upgrade notes to better understand this change.