CloudBees CI Security Advisory 2025-08-20

This advisory announces vulnerabilities in CloudBees CI.

Improved security in remote artifact copy

BEE-57181
Severity (CVSS): Medium
Description:

Operations Center Context Plugin records which source build was actually selected in a generated temporary metadata file with a special file name, transferred alongside the artifacts for the “Copy archived artifacts from remote/local jobs” build step.

In Operations Center Context Plugin 3.27750 and earlier, users can include a file whose name matches this special format among the artifacts to be copied. The plugin then treats the crafted content of that file as the metadata, so the build log line that states which build the artifacts were copied from can be made to show attacker-chosen values.

Operations Center Context Plugin 3.27782 aborts the remote artifact copy operation if the artifacts being copied contain a file whose name matches the naming convention of the generated metadata file.
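The following is an added illustration of the issue and the fix, not code from CloudBees or the plugin. It models the metadata file as a small properties file and assumes a stand-in naming convention (the regular expression below); the real file name used by the plugin is not published in the advisory. The vulnerable path accepts whatever transferred file first matches the convention, so an archived file with a matching name shadows the real metadata in the log; the hardened path refuses the whole copy when any artifact name matches.

```python
import hashlib
import re
from dataclasses import dataclass

# Assumed naming convention for the generated metadata file (stand-in for the
# example; the advisory does not publish the plugin's real name format).
METADATA_NAME_RE = re.compile(r"^\.copyartifact-source-[0-9a-f]{8}\.properties$")


class ArtifactCopyAborted(Exception):
    """Raised by the hardened copy when the artifact set is refused."""


@dataclass(frozen=True)
class SourceBuild:
    job: str
    number: int


def metadata_file_name(source: SourceBuild) -> str:
    # Generated name with a hex suffix; derived deterministically here so the
    # example is reproducible.
    digest = hashlib.sha256(f"{source.job}#{source.number}".encode()).hexdigest()[:8]
    return f".copyartifact-source-{digest}.properties"


def encode_metadata(source: SourceBuild) -> bytes:
    return f"source.job={source.job}\nsource.build={source.number}\n".encode()


def decode_metadata(data: bytes) -> dict:
    # Minimal key=value properties parser.
    props = {}
    for line in data.decode(errors="replace").splitlines():
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def _transfer(artifacts: dict, source: SourceBuild) -> dict:
    # Files that reach the destination: the archived artifacts first, then the
    # generated metadata file appended by the copy step.
    transferred = dict(artifacts)
    transferred[metadata_file_name(source)] = encode_metadata(source)
    return transferred


def _log_line_from(transferred: dict) -> str:
    # Destination side: locate the metadata by its naming convention and
    # report where the artifacts came from. The first matching file wins.
    for name, data in transferred.items():
        if METADATA_NAME_RE.match(name):
            meta = decode_metadata(data)
            return f"Copied artifacts from {meta.get('source.job')} #{meta.get('source.build')}"
    raise ValueError("metadata file missing from transferred set")


def copy_artifacts_vulnerable(artifacts: dict, source: SourceBuild) -> str:
    """Pre-fix behaviour: an archived file matching the convention is accepted
    and, being transferred before the generated file, shadows the real metadata."""
    return _log_line_from(_transfer(artifacts, source))


def copy_artifacts_hardened(artifacts: dict, source: SourceBuild) -> str:
    """Fixed behaviour: abort the copy if any artifact name matches the
    metadata naming convention, instead of guessing which file is genuine."""
    clashing = sorted(n for n in artifacts if METADATA_NAME_RE.match(n))
    if clashing:
        raise ArtifactCopyAborted(
            f"refusing to copy: artifact names collide with metadata convention: {clashing}")
    return _log_line_from(_transfer(artifacts, source))


# Constructed sample input: a source job whose archived artifacts include a
# forged metadata file next to a real artifact.
SOURCE = SourceBuild(job="contrib-build", number=7)
FORGED = {
    "dist/app.jar": b"PK\x03\x04...",
    ".copyartifact-source-00000000.properties": b"source.job=release-pipeline\nsource.build=42\n",
}
CLEAN = {"dist/app.jar": b"PK\x03\x04..."}

if __name__ == "__main__":
    print("vulnerable :", copy_artifacts_vulnerable(FORGED, SOURCE))
    print("hardened   :", copy_artifacts_hardened(CLEAN, SOURCE))
    try:
        copy_artifacts_hardened(FORGED, SOURCE)
    except ArtifactCopyAborted as exc:
        print("hardened   :", exc)
```

The point of aborting rather than skipping or renaming the clashing file is that the destination cannot tell a forged metadata file from the genuine one by name alone, so any tie-breaking rule would still leave the log attacker-influenced.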

Users with permission to create controllers can take over another controller's filesystem

BEE-58983
Severity (CVSS): High
Description:

In Controller Provisioning Kubernetes Plugin 3.27747 and earlier, it is possible to reuse the domain name of an existing controller for a new controller. Although the new controller cannot connect to the Operations Center, its pod is still created, and the persistent volume claim of the existing controller is mounted into that pod, giving the attacker access to the existing controller's filesystem.

In Controller Provisioning Kubernetes Plugin 3.27782, an attempt to set up a controller with a domain name that is already in use results in an error message, and no pod is created.
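Two checks a practitioner would want after this advisory, written here as an added example rather than taken from CloudBees or the plugin: a provisioning-side guard that refuses a domain name already claimed by another controller (the behaviour the fix introduces), and an audit over `kubectl get pods -o json` output that lists persistent volume claims mounted by more than one pod, which is the condition the vulnerable provisioning leaves behind. The namespace, pod, PVC and domain names are constructed for the example; the case- and trailing-dot-insensitive domain comparison is an assumption about sensible hardening, not something the advisory states.

```python
import json
from collections import defaultdict


class DomainInUse(Exception):
    """Raised when a requested controller domain name is already taken."""


def normalize_domain(domain: str) -> str:
    # Assumption for this example: DNS names are case-insensitive and a
    # trailing dot denotes the same name, so compare in a canonical form.
    return domain.strip().lower().rstrip(".")


def validate_new_controller_domain(requested: str, existing: dict) -> str:
    """Hardened provisioning check: refuse a domain already owned by a controller.

    `existing` maps domain name -> controller name. Returns the canonical domain
    when it is free; raises DomainInUse otherwise, so no pod is created."""
    key = normalize_domain(requested)
    taken = {normalize_domain(d): c for d, c in existing.items()}
    if key in taken:
        raise DomainInUse(f"domain {key!r} is already used by controller {taken[key]!r}")
    return key


def pvc_claimants(pod_list_json: str) -> dict:
    """Map each PVC (namespace/claimName) to the pods that mount it."""
    claimants = defaultdict(list)
    for pod in json.loads(pod_list_json).get("items", []):
        ns = pod["metadata"]["namespace"]
        pod_name = pod["metadata"]["name"]
        for vol in pod.get("spec", {}).get("volumes", []) or []:
            pvc = vol.get("persistentVolumeClaim")
            if pvc:
                claimants[f"{ns}/{pvc['claimName']}"].append(pod_name)
    return dict(claimants)


def shared_pvcs(pod_list_json: str) -> dict:
    """PVCs mounted by more than one pod: a controller volume in this list
    deserves investigation, since each controller should own its own claim."""
    return {k: sorted(v) for k, v in pvc_claimants(pod_list_json).items() if len(v) > 1}


# Constructed sample of `kubectl get pods -n cloudbees-core -o json` output:
# a second pod has been given the claim that belongs to controller team-a.
PODS_JSON = json.dumps({
    "items": [
        {"metadata": {"name": "team-a-0", "namespace": "cloudbees-core"},
         "spec": {"volumes": [
             {"name": "jenkins-home", "persistentVolumeClaim": {"claimName": "jenkins-home-team-a-0"}},
             {"name": "tmp", "emptyDir": {}}]}},
        {"metadata": {"name": "team-a-clone-0", "namespace": "cloudbees-core"},
         "spec": {"volumes": [
             {"name": "jenkins-home", "persistentVolumeClaim": {"claimName": "jenkins-home-team-a-0"}}]}},
        {"metadata": {"name": "team-b-0", "namespace": "cloudbees-core"},
         "spec": {"volumes": [
             {"name": "jenkins-home", "persistentVolumeClaim": {"claimName": "jenkins-home-team-b-0"}}]}},
    ]
})

# Constructed registry of controllers already provisioned: domain -> controller.
EXISTING_DOMAINS = {"team-a.ci.example.com": "team-a", "team-b.ci.example.com": "team-b"}

if __name__ == "__main__":
    print("shared PVCs:", shared_pvcs(PODS_JSON))
    print("free domain:", validate_new_controller_domain("team-c.ci.example.com", EXISTING_DOMAINS))
    try:
        validate_new_controller_domain("Team-A.ci.example.com.", EXISTING_DOMAINS)
    except DomainInUse as exc:
        print("rejected   :", exc)
```

To run the audit against a live cluster, pipe `kubectl get pods -A -o json` into `shared_pvcs`; an empty result means no claim is mounted twice, while an entry naming a controller's home volume is the signature of a pod provisioned with a reused domain name.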

Severity

Fix

  • CloudBees Traditional Platforms should be upgraded to 2.516.2.28983

  • CloudBees Cloud Platforms should be upgraded to 2.516.2.28983