RELEASED: Public: 2020-09-09
Lack of access control on some read-only endpoints on CloudBees Backup Plugin (CTR-1850)
The CloudBees Backup Plugin does not perform permission checks in some methods implementing form population or form validation, making those methods accessible to attackers with Overall/Read permission. Those methods allow such a user to do the following:
Enumerate the IDs of credentials stored in Jenkins. These IDs can be used as part of an attack to capture the credentials through another vulnerability.
Check whether a given directory exists on the Jenkins host file system.
Check whether a given container exists in the Azure Storage Account configured in Jenkins.
The CloudBees Backup Plugin now requires, at a minimum, the permission to configure the Backup/Restore job before these methods return any information.
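As an added illustration of the fix described above (example code, not the plugin's own; the descriptor class and method names are hypothetical), this is how a Jenkins form-population method and a form-validation method can gate on the job's Configure permission so that a user with only Overall/Read learns nothing from them:

```java
import com.cloudbees.plugins.credentials.common.StandardCredentials;
import com.cloudbees.plugins.credentials.common.StandardListBoxModel;
import hudson.model.Item;
import hudson.security.ACL;
import hudson.util.FormValidation;
import hudson.util.ListBoxModel;
import java.io.File;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;

// Hypothetical descriptor used for illustration; not a class from the plugin.
public class BackupStepDescriptor {

    // Form population for a credentials select box. An unchecked version that
    // just built the full model would let anyone with Overall/Read enumerate
    // credential IDs by requesting the endpoint directly.
    public ListBoxModel doFillCredentialsIdItems(@AncestorInPath Item item,
                                                 @QueryParameter String credentialsId) {
        StandardListBoxModel model = new StandardListBoxModel();
        // Only a user who may configure this job gets the list; everyone else
        // sees at most the value already stored in the job configuration.
        if (item == null || !item.hasPermission(Item.CONFIGURE)) {
            return model.includeCurrentValue(credentialsId);
        }
        return model.includeEmptyValue()
                    .includeAs(ACL.SYSTEM, item, StandardCredentials.class)
                    .includeCurrentValue(credentialsId);
    }

    // Form validation for the backup directory. An unchecked version would
    // answer for any caller, turning the validation endpoint into an oracle
    // for directory existence on the Jenkins host.
    public FormValidation doCheckDirectory(@AncestorInPath Item item,
                                           @QueryParameter String value) {
        if (item == null) {
            return FormValidation.ok(); // no job context: reveal nothing
        }
        // Throws AccessDeniedException (HTTP 403) when the caller lacks Configure.
        item.checkPermission(Item.CONFIGURE);
        if (value == null || value.trim().isEmpty()) {
            return FormValidation.error("Directory is required");
        }
        return new File(value).isDirectory()
                ? FormValidation.ok()
                : FormValidation.warning("Directory does not exist on the Jenkins host");
    }
}
```

The same pattern applies to the Azure container check: verify `Item.CONFIGURE` on the job before contacting the storage account, so the result is only visible to users who could already change the job configuration.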