Security Advisories

CloudBees CI Security Advisory2025-11-12

This advisory announces vulnerabilities in 

,

and

CloudBees CI

Missing permission checks on APIs /job/<name>/move/doValidate and /job/<name>/move/replicate

BEE-62889

Severity (CVSS): [pill:Medium|https://www.first.org/cvss/calculator/3-1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N]

Description:

CloudBees CI 2.528.1.29795 / Operations Center Context Plugin 3.27951 and earlier do not perform permission checks when accessing the APIs /job/<name>/move/doValidate and /job/<name>/move/replicate.

While the validate and replicate operations are blocked by subsequent permission checks, this allows attackers with Item/Read permission to obtain information about the current system (core/plugin versions, disk free space, quiet down state) in the Operation Centers and Controllers.

CloudBees CI 2.528.2.34846 / Operations Center Context Plugin 3.27954 and later perform permission checks for the affected APIs.

Severity

Fix

  • CloudBees Traditional Platforms should be upgraded to 2.528.2.34846
  • CloudBees Cloud Platforms should be upgraded to 2.528.2.34846

Subscription confirmed

You'll now be notified automatically when new vulnerabilities
are disclosed