CloudBees Security Advisory 2018-04-11
This advisory announces multiple vulnerabilities in Jenkins, CloudBees Jenkins Platform and CloudBees Jenkins Solutions.
CLI leaked existence of views and agents with attacker-specified names to users without Overall/Read permission
The Jenkins CLI sent different error responses for commands with view and agent arguments depending on the existence of the specified views or agents to unauthorized users. This allowed attackers to determine whether views or agents with specified names exist.
The Jenkins CLI now returns the same error messages to unauthorized users independent of the existence of specified view or agent names.
Cross-site scripting vulnerability in confirmation dialogs displaying item names
- CloudBees Jenkins Enterprise should be upgraded the Managed Masters and Operations Center to 126.96.36.199
- CloudBees Jenkins Platform (rolling train, CJP Operations Center and CJP Client Master 2.x.y.z) should be upgraded to version 188.8.131.52
- CloudBees Jenkins Platform (fixed train, CJP Operations Center and CJP Client Master 2.73.x.0.z) should be upgraded to version 184.108.40.206.1
- CloudBees Jenkins Platform (fixed train, CJP Operations Center and CJP Client Master 2.46.x.0.y) should be upgraded to version 220.127.116.11.1
- CloudBees Jenkins Team should be upgraded to version 18.104.22.168
- DEV@cloud is already protected