CloudBees CI Security Advisory 2025-06-25

This advisory announces vulnerabilities in CloudBees CI.

Path traversal vulnerability in Operations Center Context

BEE-56974
Severity (CVSS):
High
Description:

Operations Center Context version 3.27663 and earlier does not sanitize file paths during tar extraction. This allows attackers with Overall/Administer permission on connected controllers to write to arbitrary file paths on the operations center, ultimately allowing arbitrary remote command execution, for example, through init.groovy.d/ or by deploying a crafted plugin.

Operations Center Context 3.27663 or later sanitizes the paths in the tar when extracting it, thereby preventing such attacks.
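The defensive pattern the fix describes, shown as an added example that is not CloudBees' own code: every tar member's name (and, for links, its link target) is resolved against the destination directory and rejected if it would land outside it. The archive contents, the destination directory and the helper names (is_safe_member, extract_safely, build_sample_tar, demo) are all constructed for this illustration and are not taken from the Operations Center Context plugin.

```python
import io
import tarfile
from pathlib import Path


def is_safe_member(member: tarfile.TarInfo, dest: Path) -> bool:
    """Return True only if extracting `member` cannot write outside `dest`."""
    dest = dest.resolve()
    # Absolute names replace `dest` entirely under pathlib; '..' segments are
    # collapsed by resolve(). Either way the result must stay under `dest`.
    target = (dest / member.name).resolve()
    if target != dest and dest not in target.parents:
        return False
    if member.issym():
        # Symlink targets are relative to the member's own directory.
        link_target = (target.parent / member.linkname).resolve()
        if link_target != dest and dest not in link_target.parents:
            return False
    elif member.islnk():
        # Hard-link targets are relative to the archive root.
        link_target = (dest / member.linkname).resolve()
        if link_target != dest and dest not in link_target.parents:
            return False
    return True


def extract_safely(tar_bytes: bytes, dest: Path) -> tuple[list[str], list[str]]:
    """Extract an in-memory tar into `dest`, skipping unsafe members.

    Returns (extracted_names, rejected_names) so callers can log what was dropped.
    """
    dest.mkdir(parents=True, exist_ok=True)
    extracted: list[str] = []
    rejected: list[str] = []
    # On interpreters that ship tarfile.data_filter (3.12+, plus backports) we
    # also enable it as a second line of defence; our own check runs first.
    extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for member in tar:
            if is_safe_member(member, dest):
                tar.extract(member, path=dest, **extra)
                extracted.append(member.name)
            else:
                rejected.append(member.name)
    return extracted, rejected


def build_sample_tar() -> bytes:
    """Constructed test archive: one legitimate entry plus three escaping ones."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        files = [
            ("plugins/good.txt", b"ok"),               # stays inside dest
            ("../../outside/escaped.txt", b"nope"),    # parent-directory traversal
            ("/etc/passwd", b"nope"),                  # absolute path
        ]
        for name, data in files:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        link = tarfile.TarInfo("escape_link")          # symlink pointing outside dest
        link.type = tarfile.SYMTYPE
        link.linkname = "../../outside"
        tar.addfile(link)
    return buf.getvalue()


def demo() -> tuple[list[str], list[str]]:
    """Unpack the constructed archive into a fresh temp dir and report the outcome."""
    import tempfile
    dest = Path(tempfile.mkdtemp()) / "unpacked"
    return extract_safely(build_sample_tar(), dest)


if __name__ == "__main__":
    extracted, rejected = demo()
    print("extracted:", extracted)
    print("rejected: ", rejected)
```

The check deliberately runs before any write happens, so a rejected member never touches the filesystem; logging the rejected names gives defenders a signal that a connected controller sent a crafted archive. The same resolve-and-compare idea applies to Java's java.nio.file.Path (normalize() then startsWith()), which is where a Jenkins plugin would implement it.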

CSRF vulnerability in Operations Center Context

BEE-56975
Severity (CVSS):
Medium
Description:

Operations Center Context before 3.27683 does not require POST for the HTTP endpoint to move or copy items, resulting in a cross-site request forgery (CSRF) vulnerability. This vulnerability allows attackers to perform move/copy/promote actions.

Operations Center Context 3.27683 requires POST for the affected HTTP endpoint.

Fix

  • CloudBees Traditional Platforms should be upgraded to 2.504.3.28224

  • CloudBees Cloud Platforms should be upgraded to 2.504.3.28224