CloudBees CI Security Advisory 2025-02-05

This advisory announces vulnerabilities in CloudBees CI

Missing permission check in HA Controllers

BEE-54964

Severity (CVSS): Medium, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N (https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Description:

HA Controllers with CloudBees CI 2.479.3.2 and earlier do not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to view system status details usually shown on the CloudBees CI High Availability Status page in the 'Cluster state' section.

HA Controllers with CloudBees CI 2.492.1.3 require Overall/SystemRead permission to access the affected HTTP endpoint.

Missing permission checks in CloudBees Unified Data Plugin

BEE-55048

Severity (CVSS): Medium, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N (https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Description:

CloudBees Unified Data Plugin 766 and earlier does not perform permission checks in multiple HTTP endpoints.

This allows attackers with Overall/Read permission to access the content of the “Event Status for CloudBees Software Delivery Automation Analytics” page, as well as the content of the side panel of “Event Details” pages.

CloudBees Unified Data Plugin 768 requires Overall/Administer permission to access these HTTP endpoints.
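Both issues share one root cause: a Stapler web method (a `doXxx` method on a Jenkins action) that returns data without first calling `checkPermission`, so anyone holding Overall/Read can reach it. The class below is an added illustration, not code from CloudBees or the Jenkins project. It is a hypothetical Jenkins `RootAction` showing the unguarded pattern beside two guarded endpoints: one gated on Overall/SystemRead, as the HA Controllers fix describes, and one gated on Overall/Administer, as the Unified Data Plugin fix describes. The package, class name, URL name, endpoint names and JSON payloads are assumptions made for the example; `Jenkins.get().checkPermission`, `Jenkins.SYSTEM_READ` and `Jenkins.ADMINISTER` are real Jenkins core API.

```java
package io.example.hardening; // hypothetical package, not a CloudBees artifact

import hudson.Extension;
import hudson.model.RootAction;
import jenkins.model.Jenkins;
import net.sf.json.JSONObject;
import org.kohsuke.stapler.HttpResponse;
import org.kohsuke.stapler.HttpResponses;

/**
 * Hypothetical root action serving JSON under /example-status/.
 * Constructed example: endpoint names and payloads are invented;
 * only the permission constants and checkPermission are real Jenkins API.
 */
@Extension
public class ExampleStatusAction implements RootAction {

    // Returning null hides the action from the sidebar, but that does NOT
    // restrict who can request its URLs. Only a permission check does.
    @Override public String getIconFileName() { return null; }
    @Override public String getDisplayName() { return null; }
    @Override public String getUrlName() { return "example-status"; }

    /**
     * VULNERABLE PATTERN (the bug class in BEE-54964 and BEE-55048):
     * GET /example-status/clusterStateUnchecked answers any user who can
     * reach the controller at all, i.e. anyone with Overall/Read.
     * Kept here only to show what is missing in the hardened form below.
     */
    public HttpResponse doClusterStateUnchecked() {
        return HttpResponses.okJSON(clusterState());
    }

    /**
     * HARDENED: explicitly requires Overall/SystemRead, as the fixed HA
     * Controllers do. checkPermission throws an access-denied exception,
     * which Jenkins renders as HTTP 403, when the caller lacks the permission.
     */
    public HttpResponse doClusterState() {
        Jenkins.get().checkPermission(Jenkins.SYSTEM_READ);
        return HttpResponses.okJSON(clusterState());
    }

    /**
     * HARDENED: data intended only for administrators is gated on
     * Overall/Administer, as the fixed Unified Data Plugin endpoints are.
     */
    public HttpResponse doEventDetails() {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        JSONObject details = new JSONObject();
        details.put("event", "constructed-sample-event"); // constructed sample value
        details.put("status", "ok");
        return HttpResponses.okJSON(details);
    }

    // Constructed sample payload standing in for real cluster state.
    private static JSONObject clusterState() {
        JSONObject state = new JSONObject();
        state.put("members", 2);
        state.put("primary", "controller-a");
        return state;
    }
}
```

The check must sit inside each web method: Stapler dispatches every `doXxx` method by URL, so a check performed in another method or in a Jelly view is not applied to a direct HTTP request. `Jenkins.SYSTEM_READ` is the permission introduced in Jenkins 2.222 for read-only access to system configuration and status, which is why it is the natural gate for a status endpoint that should be visible to more than administrators but less than every logged-in user. A regression test for this class of issue creates a user with only Overall/Read (for example with `JenkinsRule` and `MockAuthorizationStrategy`) and asserts that requesting the guarded URLs returns 403.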

Fix

  • CloudBees Traditional Platforms should be upgraded to 2.492.1.3
  • CloudBees Cloud Platforms should be upgraded to 2.492.1.3
  • CloudBees Unified Data Plugin should be updated to version 768
