Описание
Lack of authentication mechanism for webhook in CloudBees Docker Hub/Registry Notification Plugin
CloudBees Docker Hub/Registry Notification Plugin provides several webhook endpoints that can be used to trigger builds when Docker images used by a job have been rebuilt.
In CloudBees Docker Hub/Registry Notification Plugin 2.6.2 and earlier, these endpoints can be accessed without authentication.
This allows unauthenticated attackers to trigger builds of jobs corresponding to the attacker-specified repository.
CloudBees Docker Hub/Registry Notification Plugin 2.6.2.1 requires a token as a part of webhook URLs, which will act as authentication for the webhook endpoint. As a result, all webhook URLs in the plugin will be different after updating the plugin.
Administrators can set the Java system property org.jenkinsci.plugins.registry.notification.webhook.JSONWebHook.DO_NOT_REQUIRE_API_TOKEN to true to disable this fix.
Пакеты
org.jenkins-ci.plugins:dockerhub-notification
<= 2.6.2
2.6.2.1
Связанные уязвимости
A missing permission check in Jenkins CloudBees Docker Hub/Registry Notification Plugin 2.6.2 and earlier allows unauthenticated attackers to trigger builds of jobs corresponding to the attacker-specified repository.