CloudBees CI Security Advisory2025-10-15
This advisory announces vulnerabilities in
,
and
CloudBees CI

List/Move/Copy/Promote remote permission checks do not work for "trusted controller" security enforcement setting
BEE-56890
Severity (CVSS): [pill:Medium|https://www.first.org/cvss/calculator/3-1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L]
Description:
Operations Center Context Plugin 3.27808 and earlier do not apply the Authentication Mapping when listing jobs or executing Move/Copy/Promote job operations in other controllers.
This allows users on untrusted controllers to list jobs or execute Move/Copy/Promote job operations in other controllers.
Operations Center Context Plugin 3.27828 properly applies the Authentication Mapping for these operations.
[!NOTE]
These insecure operations that were allowed in previous versions will be blocked from this version. In case this is a desired behaviour, you need to modify the controller Authentication Mapping to Trusted for the affected controllers.
[/]
Note
Warning
Severity
- BEE-56890: Medium
Fix
- CloudBees Traditional Platforms should be upgraded to 2.528.1.29783
- CloudBees Cloud Platforms should be upgraded to 2.528.1.29783