CloudBees CI Security Advisory 2025-07-29

This advisory announces vulnerabilities in CloudBees CI.

Sensitive information disclosure in Operations Center Client Plugin

BEE-59168
Severity (CVSS): Medium
Description:

The connection details exchanged between Operations Center Client Plugin 3.27718 and earlier and Operations Center Server Plugin 3.27718 and earlier are sent as URL query parameters when connecting a controller to an Operations Center. This exposes these details in HTTP logs, which may in turn be forwarded to external systems.

Starting with version 3.27735, the connection details sent between Operations Center Client Plugin and Operations Center Server Plugin are transmitted in the body of a POST request when connecting a controller to an Operations Center.

Note: As part of the fix, users must be signed in to the controller before they can connect the controller to an Operations Center.
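As an added example that is not CloudBees code: a scan over constructed HTTP access-log lines for the exposure class described above (connection details carried in the URL query string), plus a redaction helper for log sanitising. The context path, parameter names, token value and log lines are assumptions; the advisory does not name the real parameters.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qs, parse_qsl, urlencode

# Constructed combined-format access log lines. The /cjoc context path, the
# parameter names and the token value are made up for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [29/Jul/2025:10:01:02 +0000] "GET /cjoc/connect?url=https%3A%2F%2Fctrl.example%2F&token=s3cr3tToken HTTP/1.1" 200 512
10.0.0.5 - - [29/Jul/2025:10:01:07 +0000] "POST /cjoc/connect HTTP/1.1" 200 512
10.0.0.9 - - [29/Jul/2025:10:02:11 +0000] "GET /cjoc/job/build/?delay=0sec HTTP/1.1" 302 0
"""

# Hypothetical query parameter names that would carry connection secrets;
# adjust to whatever your own logs show.
SENSITIVE_KEYS = {"token", "password", "secret"}

_REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def find_query_secrets(log_text, sensitive_keys=SENSITIVE_KEYS):
    """Return (line_no, method, path, key) for each request whose query string
    names a sensitive parameter. Only the key is reported, never the value, so
    the scan output does not re-expose the secret. A POST whose details travel
    in the body (the fixed behaviour) has no query string and is not flagged."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = _REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        for key in parse_qs(parts.query, keep_blank_values=True):
            if key.lower() in sensitive_keys:
                hits.append((line_no, m.group("method"), parts.path, key))
    return hits


def redact_query(target, sensitive_keys=SENSITIVE_KEYS):
    """Rewrite a request target so sensitive query values read REDACTED,
    e.g. in a log-shipping step while unpatched plugin versions remain."""
    parts = urlsplit(target)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    cleaned = [(k, "REDACTED" if k.lower() in sensitive_keys else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(cleaned)))


if __name__ == "__main__":
    for line_no, method, path, key in find_query_secrets(SAMPLE_LOG):
        print(f"line {line_no}: {method} {path} carries sensitive query key '{key}'")
```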

Missing permission checks in CloudBees Monitoring Plugin

BEE-57564
Severity (CVSS): Medium
Description:

CloudBees Monitoring Plugin version 2.305 and earlier does not check for permissions on the Alerts page or for the CLI commands list-alert-conditions, check-alert-condition, and list-maintenance-windows. This allows attackers with Overall/Read permission to list alerts and their conditions, and to see whether they are active.

CloudBees Monitoring Plugin version 2.313 requires Alerts/View permission for the Alerts page and for the CLI commands list-alert-conditions, check-alert-condition and list-maintenance-windows.

Fix

  • CloudBees Traditional Platforms should be upgraded to 2.516.1.28665

  • CloudBees Cloud Platforms should be upgraded to 2.516.1.28665

  • CloudBees Monitoring Plugin should be updated to version 2.313