CloudBees CI Security Advisory2025-11-12
This advisory announces vulnerabilities in
,
and
CloudBees CI

Missing permission checks on APIs /job/<name>/move/doValidate and /job/<name>/move/replicate
BEE-62889
Severity (CVSS): [pill:Medium|https://www.first.org/cvss/calculator/3-1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N]
Description:
CloudBees CI 2.528.1.29795 / Operations Center Context Plugin 3.27951 and earlier do not perform permission checks when accessing the APIs /job/<name>/move/doValidate and /job/<name>/move/replicate.
While the validate and replicate operations are blocked by subsequent permission checks, this allows attackers with Item/Read permission to obtain information about the current system (core/plugin versions, disk free space, quiet down state) in the Operation Centers and Controllers.
CloudBees CI 2.528.2.34846 / Operations Center Context Plugin 3.27954 and later perform permission checks for the affected APIs.
Note
Warning
Severity
- BEE-62899: Medium
Fix
- CloudBees Traditional Platforms should be upgraded to 2.528.2.34846
- CloudBees Cloud Platforms should be upgraded to 2.528.2.34846