Introducing the CloudBees MCP Server, available now in Early Access →

CloudBees CI Security Advisory 2025-06-25

This advisory announces vulnerabilities in CloudBees CI

Path traversal vulnerability in Operations Center Context

BEE-56974
Severity (CVSS) : High
Description:

Operations Center Context version 3.27663 and earlier does not sanitize the paths in the tar extraction. This allows attackers with Overall/Administer permission on connected controllers to write to arbitrary file paths on the operations center, ultimately allowing arbitrary remote command execution, for example, through init.groovy.d/ or by deploying a crafted plugin.

Operations Center Context 3.27663 or later sanitizes the path in the tar when extracting it thereby preventing malicious attacks.

CSRF vulnerability in Operations Center Context

BEE-56975
Severity (CVSS): Medium
Description:

Operations Center Context before 3.27683 does not require POST for the HTTP endpoint to move or copy items, resulting in a cross-site request forgery (CSRF) vulnerability. This vulnerability allows attackers to perform move/copy/promote actions.

Operations Center Context 3.27683 requires POST for the affected HTTP endpoint.

Severity

Fix

  • CloudBees Traditional Platforms should be upgraded to 2.504.3.28224

  • CloudBees Cloud Platforms should be upgraded to 2.504.3.28224

More Security Advisories

Continuously redefine what’s possible through software

© 2025 CloudBees, Inc., CloudBees® and the Infinity logo® are registered trademarks of CloudBees, Inc. in the United States and may be registered in other countries. Other products or brand names may be trademarks or registered trademarks of CloudBees, Inc. or their respective holders.
Terms of Service