CloudBees VMWare Autoscaling Plugin 4.3.9

RELEASED: Public: 2020-04-27

Security advisory

TBD

Security fixes

  • Missing permission check led to SSRF in VMware Autoscaling Plugin (CTR-1293)

    When using the Test Connection feature on the VMware Pools page, a missing permission check allowed a user without CONFIGURE permissions to call the validation endpoint, leading to a server-side request forgery (SSRF) vulnerability.

    With this fix, a permission check has been added, so users without CONFIGURE permission now get an authorization error when attempting to call the validation endpoint.
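
    The pattern behind this class of fix, as an added illustration that is not the plugin's own source: a Jenkins form-validation method that makes an outbound request, shown without and with a permission check. The class, method and parameter names are hypothetical, and `Jenkins.ADMINISTER` is a stand-in because the release note does not say which CONFIGURE permission object the plugin checks.

```java
import hudson.security.Permission;
import hudson.util.FormValidation;
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLConnection;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;

// Hypothetical descriptor-style class; not taken from the plugin.
public class PoolValidationExample {

    // Assumption: stand-in for the plugin's CONFIGURE permission.
    private static final Permission REQUIRED = Jenkins.ADMINISTER;

    // Before: nothing gates the call, so any user who can reach the endpoint
    // makes the controller open a connection to a URL of their choosing.
    public FormValidation doTestConnectionUnchecked(@QueryParameter String url) {
        return probe(url);
    }

    // After: the permission check runs before any outbound request is made.
    public FormValidation doTestConnection(@QueryParameter String url) {
        // Throws an access-denied exception when the current user lacks the
        // permission; Jenkins turns that into an authorization error response.
        Jenkins.get().checkPermission(REQUIRED);
        return probe(url);
    }

    // Outbound request made from the controller on behalf of the caller.
    private FormValidation probe(String url) {
        try {
            URLConnection raw = new URL(url).openConnection();
            if (!(raw instanceof HttpURLConnection)) {
                return FormValidation.error("Only http(s) URLs are supported");
            }
            HttpURLConnection conn = (HttpURLConnection) raw;
            conn.setConnectTimeout(5000);
            conn.setReadTimeout(5000);
            int status = conn.getResponseCode();
            conn.disconnect();
            return FormValidation.ok("Connected (HTTP " + status + ")");
        } catch (IOException e) {
            // Do not echo internal error detail back to the caller.
            return FormValidation.error("Connection failed");
        }
    }
}
```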

New features

None.

Resolved issues

None.

Known issues

None.

Upgrade notes

None.