Security Advisories

CloudBees Security Advisory2023-05-03

This advisory announces vulnerabilities in 

,

and

CloudBees CI

,

and

CloudBees Jenkins Platform

Low-Privilege Users to Run Restores at Will

BEE-29577

Severity (CVSS): [pill:Medium|https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N]

Affected plugins: [pill:infradna-backup|https://docs.cloudbees.com/plugins/ci/infradna-backup]

Description:

A user with Job/Configure privilege could restore backups when the lack of permissions should prevent it.

Backup Jobs Can Be Broken by Low-Privilege User With Job/Configure

BEE-29576

Severity (CVSS): [pill:Medium|https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N]

Affected plugins: [pill:infradna-backup|https://docs.cloudbees.com/plugins/ci/infradna-backup]

Description:

A user with Job/Configure privilege could break backup jobs created by other users

Severity

Fix

  • CloudBees Traditional Platforms should be upgraded to 2.387.3.3
  • CloudBees Cloud Platforms should be upgraded to 2.387.3.3.
  • CloudBees Jenkins Platform (fixed train, CJP Operations Center and CJP Client Master (2.346.x.0.z)) should be upgraded to 2.346.40.0.16

Subscription confirmed

You'll now be notified automatically when new vulnerabilities
are disclosed