CloudBees Role-Based Access Control Plugin 5.32.2


RELEASED: Public: 2020-11-04

Security fixes

Fix vulnerability on CloudBees Role-Based Access Control (RBAC) Plugin (CTR-430)

When using the CloudBees Role-Based Access Control (RBAC) Plugin, any user with the Item.CONFIGURE (or View.CONFIGURE, Computer.CONFIGURE) permission on an item was able to override the RBAC configuration of that item by uploading a new config.xml file, allowing them to escalate their permissions.

To fix this vulnerability, CloudBees moved the RBAC configurations of each item (if any) from their config.xml file to a new file named nectar-rbac.xml, and saved it in the item’s folder. This migration of the RBAC configurations will happen automatically on startup.

RBAC groups and role filters can no longer be configured on views, and those previously configured are not loaded. This change only affects the views themselves, not the items within them; permissions previously applied to the items are still enforced. You can re-enable configuring RBAC groups and role filters at the view level by setting the system property nectar.plugins.rbac.groups.ViewProxyGroupContainer.enabled=true. However, enabling this is not recommended for security reasons. See the Upgrade notes to better understand this change.

New features

None.

Resolved issues

None.

Known issues

Items, including but not limited to folders, shared clouds, shared agents, and shared configurations, defined within a folder do not have their RBAC configuration correctly migrated with version 2.249.3.1 (CTR-2740, CTR-2742)

A fix for this critical regression is included with version 2.249.3.2.
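The fix moves each item's RBAC settings out of config.xml into a sibling nectar-rbac.xml, and the known issue above is exactly the case where that move did not happen for items nested in folders. The following post-upgrade check is an added example, not CloudBees code: it walks a JENKINS_HOME and reports every item whose config.xml still embeds RBAC elements. It assumes those elements carry the plugin package prefix nectar.plugins.rbac. (taken from the system property named in this note); the element names and the sample tree are constructed.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Assumption (not stated in the release note): item-level RBAC settings sit in
# config.xml as elements whose tag starts with the plugin package prefix that the
# page's own system property name shares. The element names used are constructed.
RBAC_PREFIX = "nectar.plugins.rbac."
RBAC_FILE = "nectar-rbac.xml"

def rbac_tags(config_path):
    """Tag names of RBAC elements still embedded in one config.xml."""
    return [el.tag for el in ET.parse(config_path).iter() if el.tag.startswith(RBAC_PREFIX)]

def audit_rbac_migration(jenkins_home):
    """Walk JENKINS_HOME and flag every item whose config.xml still carries RBAC
    elements; after the fix those belong in nectar-rbac.xml beside config.xml."""
    findings = {}
    for dirpath, _dirs, files in os.walk(jenkins_home):
        if "config.xml" not in files:
            continue
        try:
            tags = rbac_tags(os.path.join(dirpath, "config.xml"))
        except ET.ParseError:
            tags = ["<unparseable config.xml>"]
        if tags:
            rel = os.path.relpath(dirpath, jenkins_home).replace(os.sep, "/")
            findings[rel] = {"rbac_in_config_xml": tags, "has_rbac_file": RBAC_FILE in files}
    return findings

def build_sample_home():
    """Constructed JENKINS_HOME: a migrated top-level job and a job inside a folder
    whose RBAC block was left in config.xml (the shape of the CTR-2740 regression)."""
    home = tempfile.mkdtemp(prefix="jenkins_home_")
    clean = "<project><description>migrated</description></project>"
    stale = ("<project><properties><nectar.plugins.rbac.groups.JobProxyGroupContainer>"
             "<groups/></nectar.plugins.rbac.groups.JobProxyGroupContainer>"
             "</properties></project>")
    for rel, cfg, rbac in [("jobs/top", clean, "<rbac/>"), ("jobs/folder/jobs/inner", stale, None)]:
        item = os.path.join(home, *rel.split("/"))
        os.makedirs(item)
        with open(os.path.join(item, "config.xml"), "w") as f:
            f.write(cfg)
        if rbac is not None:
            with open(os.path.join(item, RBAC_FILE), "w") as f:
                f.write(rbac)
    return home
```

Run audit_rbac_migration against a real JENKINS_HOME after upgrading; any item it reports still holds RBAC settings in config.xml and has not been migrated.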

Upgrade notes

None.