CloudBees CI Security Advisory2025-01-08
This advisory announces vulnerabilities in
,
and
CloudBees CI

Missing permission check in CloudBees HashiCorp Vault Plugin
BEE-52995
Severity (CVSS): [pill:Medium|https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N]
Description:
CloudBees HashiCorp Vault Plugin defines a HashiCorp Vault Authentications/Configure permission that controls whether users can configure folder-level HashiCorp Vault authentications used for retrieving secrets from HashiCorp Vault.
This permission is implied by Overall/Administer permission.
In CloudBees HashiCorp Vault Plugin 1.520 and earlier, folder-level HashiCorp Vault authentications were configured using a folder property on the folder in question. As a result, attackers with Job/Configure permission are able to modify folder-level HashiCorp Vault authentications by sending a crafted HTTP POST request to the /config.xml API endpoint of a folder.
Additionally, HashiCorp Vault authentications configured via the /config.xml API endpoint could also be read by attackers with Job/Configure permission, which could be used by attackers to decrypt AppRole secret IDs.
CloudBees HashiCorp Vault Plugin 1.521 changes how folder-level HashiCorp Vault authentications are configured so that they can no longer be read or written via the `/config.xml` API endpoint for folders.
CloudBees CI in FIPS mode bundles vulnerable version of the bctls-fips library
BEE-53155
Severity (CVSS): [pill:Medium|https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N]
Description:
CloudBees CI 2.479.2.3 and earlier, bundles in FIPS mode versions of the bctls-fips library vulnerable to CVE‐2024‐30171.
This vulnerability could allow attackers to exploit a timing attack during RSA key exchanges, known as "The Marvin Attack.". This may result in the exposure of the RSA private key.
NOTE: This only affects CloudBees CI in FIPS mode.
CloudBees CI 2.479.3.1 updates the bundled bctls-fips library to version 1.0.19, which is unaffected by this issue.
Note
Warning
Fix
- CloudBees Traditional Platforms should be upgraded to 2.479.3.1
- CloudBees Cloud Platforms should be upgraded to 2.479.3.1