Blue Ocean Plugin 1.23.2 and earlier does not perform permission checks in several HTTP endpoints implementing connection tests. This allows attackers with Overall/Read permission to connect to an attacker-specified URL.
External References:
https://www.openwall.com/lists/oss-security/2020/09/16/3
https://www.jenkins.io/security/advisory/2020-09-16/#SECURITY-1961
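The class of defect described above, shown as an added example that is not Blue Ocean's or Jenkins' own code: a hypothetical Jenkins plugin exposes a "test connection" endpoint through Stapler; the unchecked variant is reachable by any user with Overall/Read and makes the server connect wherever the caller says, while the hardened variant requires POST and an explicit permission check before any outbound request (class, method and permission names are assumptions for illustration).

```java
package example; // hypothetical plugin package, not Blue Ocean

import hudson.Extension;
import hudson.model.RootAction;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;

@Extension
public class ExampleConnectionTest implements RootAction {
    public String getIconFileName() { return null; }   // no UI entry; endpoint only
    public String getDisplayName()  { return null; }
    public String getUrlName()      { return "example-connection-test"; }

    // BEFORE (the pattern SECURITY-1961 describes): any user who can reach
    // the web UI, i.e. anyone with Overall/Read, can trigger a server-side
    // request to an arbitrary URL. Stapler also serves this on GET.
    public FormValidation doTestConnectionUnchecked(@QueryParameter String url)
            throws IOException {
        return probe(url);
    }

    // AFTER: the outbound request happens only for administrators, and only
    // via POST so it cannot be triggered by a crafted link or CSRF.
    @RequirePOST
    public FormValidation doTestConnection(@QueryParameter String url)
            throws IOException {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER); // throws AccessDeniedException otherwise
        return probe(url);
    }

    // Shared connection test; the permission gate belongs in the endpoint, not here.
    private static FormValidation probe(String url) throws IOException {
        HttpURLConnection c = (HttpURLConnection) new URL(url).openConnection();
        c.setRequestMethod("HEAD");
        c.setConnectTimeout(3000);
        c.setReadTimeout(3000);
        int status = c.getResponseCode();
        return status < 400
                ? FormValidation.ok("Reachable (HTTP " + status + ")")
                : FormValidation.error("Endpoint answered HTTP " + status);
    }
}
```

When reviewing a plugin for this defect, look for every `do*` method that opens a network connection and confirm it carries both a `checkPermission` call and `@RequirePOST`.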
The jenkins-2-plugins package ships the Blue Ocean Plugin in version 1.10.2 (in OpenShift 4.5 and 3.11).
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.6 Via RHSA-2020:4297 https://access.redhat.com/errata/RHSA-2020:4297
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-2255
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 3.11 Via RHSA-2020:5102 https://access.redhat.com/errata/RHSA-2020:5102
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days