Security Advisories

CloudBees CI Security Advisory2025-06-25

This advisory announces vulnerabilities in 

,

and

CloudBees CI

Path traversal vulnerability in Operations Center Context

BEE-56974

Severity (CVSS) :[pill:High|https://www.first.org/cvss/calculator/3-1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H]

Description:

Operations Center Context version 3.27663 and earlier does not sanitize the paths in the tar extraction. This allows attackers with Overall/Administer permission on connected controllers to write to arbitrary file paths on the operations center, ultimately allowing arbitrary remote command execution, for example, through init.groovy.d/ or by deploying a crafted plugin.

Operations Center Context 3.27663 or later sanitizes the path in the tar when extracting it thereby preventing malicious attacks.

CSRF vulnerability in Operations Center Context

BEE-56975

Severity (CVSS):[pill:Medium|https://www.first.org/cvss/calculator/3-1#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N]

Description:

Operations Center Context before 3.27683 does not require POST for the HTTP endpoint to move or copy items, resulting in a cross-site request forgery (CSRF) vulnerability. This vulnerability allows attackers to perform move/copy/promote actions.

Operations Center Context 3.27683 requires POST for the affected HTTP endpoint.

Severity

Fix

  • CloudBees Traditional Platforms should be upgraded to 2.504.3.28224
  • CloudBees Cloud Platforms should be upgraded to 2.504.3.28224

Subscription confirmed

You'll now be notified automatically when new vulnerabilities
are disclosed