CloudBees Backup Plugin 3.38.14.3

1 minute read

RELEASED: Public: 2020-09-09

Security fixes

  • Lack of access control on some read-only endpoints on CloudBees Backup Plugin (CTR-1850)

    The CloudBees Backup Plugin does not perform permission checks in some methods implementing form population or form validation, making the methods accessible to attackers with Overall/Read access. Those methods include the following:

  • Enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

  • Check existence of a directory in the Jenkins host file system.

  • Validate existence of a container in the Azure Storage Account configured at Jenkins.

    Now the CloudBees Backup Plugin requires, at a minimum, the permission to configure the Backup/Restore job.

New features

None.

Resolved issues

None.

Known issues

None.

Upgrade notes

None.