CloudBees CI Security Advisory2025-07-29
This advisory announces vulnerabilities in
,
and
CloudBees CI

Sensitive information disclosure in Operations Center Client Plugin
BEE-59168
Severity (CVSS): [pill:Medium|https://www.first.org/cvss/calculator/3-1#CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L]
Description:
The connection details sent between Operations Center Client Plugin 3.27718 and earlier and Operations Center Server Plugin 3.27718 and earlier are sent as part of the URL query parameter when connecting a controller to an Operations Center, exposing these details in HTTP logs, potentially sent to external systems.
Starting with version 3.27735, the connection details sent between Operations Center Client Plugin and Operations Center Server Plugin are transmitted in the body of a POST request when connecting a controller to an Operations Center.
Note: As part of the fix, users must be signed in to the controller before they can connect the controller to an Operations Center.
Missing permission checks in CloudBees Monitoring Plugin
BEE-57564
Severity (CVSS): [pill:Medium|https://www.first.org/cvss/calculator/3-1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N]
Description:
CloudBees Monitoring Plugin version 2.305 and earlier does not check for permissions on the Alerts page and for the CLI commands, list-alert-conditions, check-alert-condition, and list-maintenance-windows. This allows attackers with Overall/Read permission to list alerts, their condition and see if they're active or not.
CloudBees Monitoring Plugin version 2.313 requires Alerts/View permission for the Alerts page and for the CLI commands list-alert-conditions, check-alert-condition and list-maintenance-windows.
Note
Warning
Fix
- CloudBees Traditional Platforms should be upgraded to 2.516.1.28665
- CloudBees Cloud Platforms should be upgraded to 2.516.1.28665
- CloudBees Monitoring Plugin should be updated to version 2.313