CloudBees CI Security Advisory2025-06-25
This advisory announces vulnerabilities in
,
and
CloudBees CI

Path traversal vulnerability in Operations Center Context
BEE-56974
Severity (CVSS) :[pill:High|https://www.first.org/cvss/calculator/3-1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H]
Description:
Operations Center Context version 3.27663 and earlier does not sanitize the paths in the tar extraction. This allows attackers with Overall/Administer permission on connected controllers to write to arbitrary file paths on the operations center, ultimately allowing arbitrary remote command execution, for example, through init.groovy.d/ or by deploying a crafted plugin.
Operations Center Context 3.27663 or later sanitizes the path in the tar when extracting it thereby preventing malicious attacks.
CSRF vulnerability in Operations Center Context
BEE-56975
Severity (CVSS):[pill:Medium|https://www.first.org/cvss/calculator/3-1#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N]
Description:
Operations Center Context before 3.27683 does not require POST for the HTTP endpoint to move or copy items, resulting in a cross-site request forgery (CSRF) vulnerability. This vulnerability allows attackers to perform move/copy/promote actions.
Operations Center Context 3.27683 requires POST for the affected HTTP endpoint.
Note
Warning
Fix
- CloudBees Traditional Platforms should be upgraded to 2.504.3.28224
- CloudBees Cloud Platforms should be upgraded to 2.504.3.28224