CloudBees CI Security Advisory 2025-02-05

This advisory announces two vulnerabilities in CloudBees CI, both of the same class: HTTP endpoints that returned data without first checking that the caller holds an appropriate permission.

Missing permission check in HA Controllers

BEE-54964
Severity (CVSS): Medium
Description:

HA Controllers with CloudBees CI 2.479.3.2 and earlier do not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to view the system status details that are usually shown in the 'Cluster state' section of the CloudBees CI High Availability Status page.

HA Controllers with CloudBees CI 2.492.1.3 require Overall/SystemRead permission to access the affected HTTP endpoint.

Missing permission checks in CloudBees Unified Data Plugin

BEE-55048
Severity (CVSS): Medium
Description:

CloudBees Unified Data Plugin 766 and earlier does not perform permission checks in multiple HTTP endpoints.

This allows attackers with Overall/Read permission to access the content of the “Event Status for CloudBees Software Delivery Automation Analytics” page, as well as the content of the side panel of “Event Details” pages.

CloudBees Unified Data Plugin 768 requires Overall/Administer permission to access these HTTP endpoints.
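Both issues above share one root cause: a Stapler web method (a public `doXxx` method on a Jenkins action) that serves data without calling `checkPermission()` first, so anyone who can log in (Overall/Read) can fetch it directly over HTTP even if the corresponding UI page is hidden from them. The following is an added example, not CloudBees or Jenkins project code and not the code that was fixed in either advisory entry; it shows the vulnerable pattern next to the two hardened forms the fixes describe (Overall/SystemRead for status-style data as in BEE-54964, Overall/Administer for analytics data as in BEE-55048). The class name, URL name, method names and the cluster-state fields are assumptions chosen for illustration.

```java
// Added example (hypothetical plugin code, not CloudBees' fixed code).
// Illustrates a Jenkins RootAction whose web methods are reachable at
// <jenkins-root>/example-cluster-state/<method> by any Overall/Read user.
package example;

import hudson.Extension;
import hudson.model.RootAction;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.HttpResponse;
import org.kohsuke.stapler.HttpResponses;

import java.util.LinkedHashMap;
import java.util.Map;

@Extension
public class ClusterStateAction implements RootAction {

    @Override public String getUrlName() { return "example-cluster-state"; }
    // Returning null for the icon hides the link from the side panel, but that
    // hides only the link: the web methods below stay reachable over HTTP.
    @Override public String getIconFileName() { return null; }
    @Override public String getDisplayName() { return null; }

    // Constructed stand-in for the data an HA 'Cluster state' section shows.
    private Map<String, Object> collectClusterState() {
        Map<String, Object> state = new LinkedHashMap<>();
        state.put("members", 2);
        state.put("primary", "controller-1.internal");
        return state;
    }

    // Constructed stand-in for analytics event data (admin-only material).
    private Map<String, Object> collectEventStatus() {
        Map<String, Object> status = new LinkedHashMap<>();
        status.put("eventsQueued", 17);
        status.put("lastError", "connection refused");
        return status;
    }

    // VULNERABLE (the pattern behind both advisory entries): no permission
    // check at all. Stapler only requires that the caller reached Jenkins,
    // i.e. Overall/Read, before dispatching GET /example-cluster-state/state.
    public HttpResponse doState() {
        return HttpResponses.okJSON(collectClusterState());
    }

    // FIXED, status-style data (cf. BEE-54964): require Overall/SystemRead.
    // checkPermission() throws when the permission is missing, which Jenkins
    // turns into an HTTP 403 before any data is assembled.
    public HttpResponse doStateChecked() {
        Jenkins.get().checkPermission(Jenkins.SYSTEM_READ);
        return HttpResponses.okJSON(collectClusterState());
    }

    // FIXED, administrative data (cf. BEE-55048): require Overall/Administer.
    public HttpResponse doEventStatusChecked() {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return HttpResponses.okJSON(collectEventStatus());
    }
}
```

The check belongs in the web method itself, not only in the Jelly view that renders the page: gating the view controls what the UI shows, while the `doXxx` method is what an attacker calls directly. After upgrading, a practical verification is to request the affected endpoints as a user who holds only Overall/Read and confirm the response is 403 rather than the status or event data.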

Fix

  • CloudBees Traditional Platforms should be upgraded to 2.492.1.3

  • CloudBees Cloud Platforms should be upgraded to 2.492.1.3

  • CloudBees Unified Data Plugin should be updated to version 768