CSRF vulnerability and missing permission checks in Health Advisor by CloudBees Plugin
Health Advisor by CloudBees Plugin 3.0 and earlier does not perform permission checks in methods performing form validation. This allows users with Overall/Read access to send an email with fixed content to an attacker-specified recipient.
Additionally, these form validation methods do not require POST requests, resulting in a CSRF vulnerability.
Health Advisor by CloudBees Plugin 3.0.1 requires POST requests and Overall/Administer permission for the affected form validation methods.
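The advisory above describes the two defects (no permission check, no POST requirement) and the two fixes shipped in 3.0.1. The following Java is an added illustration, not the plugin's own code: a hypothetical Jenkins form-validation method with a side effect, shown first in the unprotected shape and then with the `@POST` annotation and the `Overall/Administer` check. Class, method and field names (`ExampleAdvisorConfiguration`, `doCheckRecipient`, `sendTestMail`) are invented for the example; the Jenkins and Stapler APIs used (`FormValidation`, `GlobalConfiguration`, `Jenkins.get().checkPermission`, `@POST`, `@QueryParameter`) are the standard ones.

```java
// Added example (not the plugin's code): a side-effecting Jenkins form-validation
// method, before and after the hardening described in the advisory.
// Names of the class, methods and helper are hypothetical.
import hudson.Extension;
import hudson.util.FormValidation;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

@Extension
public class ExampleAdvisorConfiguration extends GlobalConfiguration {

    // BEFORE: any authenticated user with Overall/Read can reach this via a plain GET,
    // and because it sends mail, the missing permission check and the missing POST
    // requirement together make it both a privilege issue and a CSRF issue: a page
    // the user merely visits can cause the request to be issued with their session.
    public FormValidation doCheckRecipientUnsafe(@QueryParameter String recipient) {
        sendTestMail(recipient);
        return FormValidation.ok();
    }

    // AFTER: @POST makes Stapler reject GET requests (so a cross-site <img> or link
    // cannot trigger it, and Jenkins' CSRF crumb applies), and the explicit
    // checkPermission call refuses callers without Overall/Administer.
    @POST
    public FormValidation doCheckRecipient(@QueryParameter String recipient) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        if (recipient == null || !recipient.contains("@")) {
            return FormValidation.error("Please enter a valid email address");
        }
        sendTestMail(recipient);
        return FormValidation.ok();
    }

    // Hypothetical helper standing in for whatever actually sends the message.
    private void sendTestMail(String recipient) {
        // mail-sending code would go here
    }
}
```

When a validator is switched to `@POST`, the matching form field in the Jelly view must be told to validate with a POST as well (for example `<f:textbox field="recipient" checkMethod="post"/>`), otherwise the live validation in the configuration screen breaks while the endpoint itself is now protected. A quick way to check an installed plugin for this class of issue is to look for `doCheck*` / `doTest*` / `doValidate*` methods that perform a network or mail action and confirm each carries both a POST annotation and a permission check.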
October 16th, 2019
3.0 is here!!!
This release changed a lot of Java APIs, hence the new major release number. The plugin remains 100% compatible with previous settings if you upgrade, but if you are managing this plugin with Groovy you will have to update your scripts (see the documentation and troubleshooting guide).
Thanks to all contributors
🚀 New features and improvements
Jenkins Configuration as Code
This new version adds compatibility with Jenkins Configuration as Code. Here is a sample to configure it:
```yaml
advisor:
  acceptToS: true
  email: "email@example.com"
  ccs:
    - "firstname.lastname@example.org"
    - "email@example.com"
  excludedComponents:
    - "ItemsContent"
    - "GCLogs"
    - "Agents"
    - "AgentsConfigFile"
    - "ConfigFileComponent"
    - "RootCAs"
    - "SlaveLogs"
    - "OtherConfigFilesComponent"
    - "HeapUsageHistogram"
  nagDisabled: false
```
- JENKINS-59767 - Replace the comma separated list for CC by a list of emails (#55)
- JENKINS-59697 - Add an Apply button (#53)
- JENKINS-59707 - Improve UX and user feedback
The user experience was reviewed to provide better feedback during setup and day-to-day use of the plugin.
The administrative monitors and the configuration screen were improved for better ergonomics and a better look and feel.
If you are installing this plugin for the first time and do not yet have the Support Core plugin installed, you must restart your master after the installation.
Support Core is a dependency of Jenkins Health Advisor by CloudBees and, for now, it does not support being loaded dynamically (JENKINS-59775 / JENKINS-59696). If you do not restart your master, your server logs may fill up.
October 4th, 2019
This release improves the user experience (logs, configuration UI, ...) and raises the Jenkins core requirement to 2.138.4.
It is also rebranding the plugin to adopt its new name "Jenkins Health Advisor by CloudBees" and use its new logo.
- JENKINS-59454 - Increase Advisor bundle generation delay to 30mins (#31) @Evildethow
- JENKINS-59613 - Rename "CloudBees Jenkins Advisor" to "Jenkins Health Advisor by CloudBees" (#32) @aheritier
- JENKINS-59614 - New logo for Jenkins Health Advisor by CloudBees (#34) @aheritier
- JENKINS-59618 - Upgrade plugin parent POM 3.46 -> 3.50 + set the new plugin metadata (#34) @aheritier
- JENKINS-59629 - Not validating the TOS is confusing (#35) @Evildethow
- JENKINS-59644 - Bump the Jenkins core requirement to 2.138.4 ( + cleanup ) (#36) @aheritier
- JENKINS-56647 - Upgrade support-core dependency to 2.62 (#38) @aheritier
- JENKINS-59648 - UX improvements (#37) @aheritier
August 22nd, 2019
- Advisor is back for OSS users
- All changes done in releases 2.0 to 2.9 are documented in these release notes
December 15th, 2017
- Change upload recurrence period from minutes to hours
- Remove Grand Central account requirement
- Update parent to 2.34, switch to wiremock-standalone and update dependencies
November 17th, 2017
- Now supports 2.19.3+!
- Connectivity indicator display on configuration page
- Logging improvements
- Additional test coverage