CloudBees is pleased to announce the newest CloudBees CD/RO long-term support (LTS) release. You can find specific information about this release in the following sections:
Starting with this release, Elasticsearch (DOIS) is disabled by default in CloudBees CD/RO Helm charts. This change aligns with the transition to OpenSearch and prevents unnecessary Elasticsearch deployments by default. If you have already migrated to OpenSearch/Analytics for your Kubernetes environment, no action is required. If you have not yet migrated to OpenSearch/Analytics, refer to the Upgrade notes. Failing to perform these steps before upgrading to v2025.06.0 may result in permanent data loss.
Security fixes
The following security fixes and improvements have been made as part of this release:
- Fixed unauthenticated path traversal vulnerability
-
Fixed path traversal vulnerability that could allow an attacker to read arbitrary files from the server.
- kubectl updated
-
To address security vulnerabilities, the kubectl version included in agent images was updated to v1.33.0.
- Ingress-NGINX critical security mitigation
- jsPDF version updated
-
To address multiple vulnerabilities, the jsPDF library used by CloudBees CD/RO has been updated to v3.0.1.
- Apache Commons VFS2 updated
-
To address security vulnerabilities, Apache Commons VFS2 was updated to v2.10.0.
- Spring Security updated
-
To address security vulnerabilities, the Spring Security module was updated to v6.4.5.
- CloudBees Analytics updated with OpenSearch v2.19.1
-
To address security issues, OpenSearch was updated in CloudBees Analytics from v2.19.0 to v2.19.1.
- Helm version updated
-
To address security vulnerabilities, the Helm version included in agent images was updated to v3.18.0.
- Fixed unsanitized request URL input
-
A path traversal vulnerability was identified, in which unsanitized input from the request URL could be used directly as a file path. This could allow attackers to craft malicious requests that access unauthorized files or directories outside the intended location.
- Argo Rollouts updated
-
To address security vulnerabilities, the kubectl-argo-rollouts version included in agent images was updated to v1.8.2.
- ion-java library updated
-
To address security vulnerabilities, the ion-java library was updated to v1.10.5.
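The bug class named in the two path traversal items above (request URL input used directly as a file path), shown with the containment check that blocks it. This is an added example, not CloudBees code, and the release notes do not describe the actual fix; `resolve_under`, `PathRejected`, `check_samples` and every sample URL are constructed for illustration.

```python
import os
import tempfile
from urllib.parse import unquote, urlsplit

class PathRejected(Exception):
    """The request path does not resolve inside the served directory."""

def resolve_under(base_dir, request_url):
    """Map the URL's path component to a file under base_dir, or raise."""
    decoded = unquote(urlsplit(request_url).path)
    # A second decode that still changes the value means double encoding: reject.
    if unquote(decoded) != decoded or "\x00" in decoded:
        raise PathRejected("double-encoded or NUL-containing path")
    # Normalise backslashes; strip leading "/" so join cannot replace the base.
    relative = decoded.replace("\\", "/").lstrip("/")
    base = os.path.realpath(base_dir)
    # realpath collapses ".." segments and follows symlinks before the check.
    candidate = os.path.realpath(os.path.join(base, relative))
    # Whole-component comparison: "served_backup" is not inside "served".
    if os.path.commonpath([base, candidate]) != base:
        raise PathRejected("path escapes the served directory")
    return candidate

# Constructed request URLs (not taken from the release notes).
SAMPLES = [
    "/logs/commander.log",
    "/logs/./commander.log?tail=100",
    "/logs/../../etc/passwd",
    "/logs/%2e%2e/%2e%2e/etc/passwd",
    "/logs/%252e%252e/%252e%252e/etc/passwd",
    "/logs/..%5c..%5cetc%5cpasswd",
    "/../served_backup/key.pem",
]

def check_samples():
    """Return {url: True if allowed, False if rejected} for SAMPLES."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        served = os.path.join(root, "served")
        os.makedirs(os.path.join(served, "logs"))
        for url in SAMPLES:
            try:
                resolve_under(served, url)
                results[url] = True
            except PathRejected:
                results[url] = False
    return results
```

Only the first two sample URLs resolve inside the served directory; the rest are rejected before any file is opened.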
New features
The following new features are introduced as part of this release:
- Displaying environment tier and snapshot details
-
The information pop-up displayed next to the Component version in the Environment Inventory page has been expanded to include two additional fields: EnvironmentTier and Snapshot.
Feature enhancements
The following feature enhancements have been made as part of this release:
- Sort applications in environment inventory
-
The Application column in the Environment Inventory table can now be sorted in ascending or descending order. By default, the applications in the column are displayed in ascending order.
- Improved filter functionality in environment inventory
-
The Default Filter in the Environment Inventory page is now enhanced with multi-line filter options such as More Filters, Less Filters and Clear Filters.
More Filters: Expands the filter section to display all filter criteria such as Projects, Applications, All Components, All Microservices, All Environments, All Types, All Deployment Statuses and All Resources filters in two rows.
Less Filters: Displays only key filter criteria such as Projects, Applications, All Components, All Microservices, and All Environments in a single row.
Clear Filters: When any filter is applied, the Clear Filters option becomes enabled, allowing you to remove the applied criteria and display the unfiltered inventory list. When no filters are applied, the option remains disabled.
- Improved search functionality for service account selection in EC-Webhook
-
A case-insensitive search option has been added to the service accounts page, with Cancel and Next buttons now always visible in the footer. The Next button becomes enabled only when a service account is selected, streamlining the selection process.
- Support for importing and exporting server properties in dslSync
-
DslSync now supports server properties during both import and export operations, thereby enabling seamless backup and restoration of server-level configurations without manual intervention.
- Data retention policy for workflows
-
The Data Retention Policy is now enhanced to include workflows for purging and archiving data.
- Maintenance mode banner for non-administrative users
-
The Maintenance Mode feature under Server Settings now allows administrators to display a banner message during system maintenance downtime. This feature can be enabled for unscheduled maintenance activities such as upgrades, backups, patching, or system reconfiguration, helping prevent user interruptions, data inconsistencies, and concurrent deployments. During maintenance, non-administrative users are restricted from accessing the system and will see a banner message at the top of the login page. If the banner text extends beyond one line, users can click Read more to view the full message and Read less to collapse it back.
- Completed jobs marked for deletion
-
The Procedure Runs page now doesn’t show completed jobs that are marked for deletion through the Data Retention Policy. This provides a cleaner and more focused view of tasks that are still active and ongoing.
- Enhanced dslsync CLI for YAML generation
-
The dslsync CLI is enhanced to support the generation of the following objects in YAML format:
- archiveConnector
- artifact
- ciConfiguration
- complianceConfiguration
- dataRetentionPolicy
- directoryProvider
- emailConfig
- gateway
- group
- openIDConnectConfiguration
- persona
- personaCategory
- personaPage
- zone
- reportObjectType
- repository
- resource
- resourcePool
- samlIdentityProvider
- samlServiceProvider
- serviceAccount
- tag
- user
- workspace
Resolved issues
The following issues have been resolved as part of this release:
- Fixed an issue that caused emails with inline attachments to fail
-
Fixed an issue that caused emails with inline attachments to fail when sending.
- UI state synchronization issue in deploy application graph
-
Fixed a user interface state synchronization issue in the Deploy Application graph, ensuring the state now correctly reverts when a condition update fails.
- Default value not set for first input parameter
-
Fixed an issue for the catalog item parameter types entry, dropdown, and radio with defaultValueDSL, where the default values for the input parameters were not set.
- Toggle behavior in procedure runs
-
Fixed an issue where the “Expand all” toggle switch hid all steps that did not have the parent steps in the procedure runs. After the fix, only collapsible steps are collapsed, and all other steps remain visible.
- Flickering issue in project picker search field
-
Fixed a user interface flickering issue in the project picker search input within the wizard, while creating a release, pipeline, or other objects.
- Support for Oracle wallet–based TLS/TCPS encrypted connections
-
CloudBees CD/RO is now enhanced to support Oracle Wallet for configuring secure TLS/TCPS encrypted connections to an Oracle 19C database.
- Payload upload failure
-
Uploads above 200 KB were failing because Jetty’s default maxFormContentSize was overriding the application’s intended 500 MB upload limit. The configuration has now been corrected, and uploads up to 500 MB are supported as expected.
- Duplicate dropdown options in manual task approvals
-
Fixed an issue where selecting an option with a duplicate value from the Manual Task drop-down menu caused the selected option to appear as an additional duplicated entry. Although this did not impact the task behavior, it is recommended to avoid defining duplicate values for drop-down–type parameters.
- Seed inventory utility resource pool failure
-
Fixed an issue where the resourceName parameter in the Seed Inventory API did not support cases where a resource pool name was provided. Supplying a pool name caused the API to error, even when the resources within the pool were correctly mapped under the utility resource for the specified environment.
- Legacy Flow Name Template Normalization
-
Fixed flow name template migration to recognize and normalize legacy flow name templates.
- Commander UI log access after pod restart
-
Fixed an issue where accessing the Commander log after a pod restart logged the user out, and the log file was sometimes not found.
Known issues
The following issues are included as known issues in this release:
- NullPointerException when API requests are received before CloudBees CD/RO server startup
-
During server startup, you might observe a NullPointerException (NPE) log similar to the following:
Cannot invoke "org.eclipse.jetty.server.Request.getHeaders()" because the return value of "org.eclipse.jetty.ee10.servlet.ServletApiRequest.getRequest()" is null
This log entry is generated during Jetty's internal initialization sequence and does not affect application functionality, stability, or runtime behavior. The condition occurs only during startup and can be safely ignored. No user action is required.
This fix is under evaluation.
- Missing Input Parameters in Publish Artifact to Nexus
-
When you provide input parameters in the PublishArtifacttoNexus procedure, only the required parameters display, even when all parameters are provided correctly. However, after the changes are saved, the input parameters no longer appear as expected in the pipeline.
- SyncArtifactVersions procedure completes with success when it should fail
-
The SyncArtifactVersions procedure completes with success, rather than showing a warning, when manifest is missing and overwrite = false.
- Automation Platform UI requires artifacts to use English characters in their file names
-
When you use the Automation Platform UI to upload and publish artifact files with non-English characters in their file names, the operation fails with the following error:
Upload file: Exit code 1: ERROR: Publish failure: Unexpected retrieval exception for repository error.
- Must restart server to apply LDAP changes
-
Modifications of LDAP user data (such as email addresses) on an Active Directory server after registration in CloudBees CD/RO do not appear properly in user details (in the Automation Platform UI, the Deploy UI, or ectool) until the CloudBees CD/RO server is restarted.
- Not all Elasticsearch operations can be performed in a red state
-
(Microsoft Windows platforms only) If the Elasticsearch cluster used by CloudBees Analytics is in the red state (meaning that it only partly functions and some data is unavailable), then upgrade, reconfigure, and uninstall operations will not work. Since the Elasticsearch service cannot be stopped when a cluster is in a red state, you must stop the Elasticsearch service process from the task manager before running the installer for these actions.
- Microsoft Edge® doesn’t support SAML 2.0
-
The Microsoft Edge® browser does not work with SAML 2.0 and is missing a self-signed certificate during redirection from the identity provider to the service provider. Microsoft Edge® is not recommended for sign-in via SAML 2.0.
- LANG environment variable must be set to en.US.UTF-8
-
The LANG environment variable must be set to en.US.UTF-8; otherwise, the upgrade fails. Refer to KBEC-00452 - Error installing CloudBees CD/RO 10.0.x when the LANG environment variable is different than en.US.UTF-8 (https://docs.cloudbees.com/d/kb-360046953992) for details.
- Schedules missing configuration do not display runtime error prompts
-
Error prompts for runtimes started by a schedule are not visible if the schedule was created with a missing configuration.
- Changing name in Release Dashboard changes stage status color
-
The stage inclusion status in the Release Dashboard changes color after a stage is renamed.
- Steps that cannot access their child steps are not retried
-
If an application process step cannot expand to its child steps (because of an invalid run condition or an invalid formal parameter), then the step is not retried even if it uses retry on error error handling. The job eventually completes with an error.
- Retry count missing from pipeline runtime page
-
The retry count for group tasks or rules using automated retry on error is missing from the Pipeline runtime page.
- Email notifications are not supported for complex environment mapping
-
Multiple mapped environments with the same name from different projects are not supported in email notifications.
- Path-to-production view missing from imported project
-
A project import might not include the path-to-production view.
- All subreleases must be present to link to a release
-
All subreleases of a release must appear before the release in the DSL for the release-to-subrelease links to be created.
- CloudBees Analytics report editor doesn’t include search by assignee
-
The ability to search by assignee in a Deployment Report is not available in the CloudBees Analytics report editor.
- Additional Release Command Center configurations for Jira
-
If Release Command Center was set up for Jira for user stories and defects, and the JIRA project name was mapped to the release project name using the field mapping projectName:releaseProjectName, then before upgrading to 10.0, the field mapping must be updated to mention the actual release project name using the following field mapping format: "release-project-name-in-CloudBees CD/RO":releaseProjectName.
- Approval by email on manual tasks
-
Approval by email on manual tasks should not expect parameters.
- ectool export and ectool import should only be used between same server versions
-
If you use ectool export to export your system configuration from a previous release, and then use ectool import to import the same configuration to a CloudBees CD/RO 10.0 server, some out-of-the-box content introduced in the releases since the version from which the full export was done, such as new or updated plugins, new catalog items, and persona-based menu items, may be missing in the CloudBees CD/RO server UI. It is recommended to use ectool export and ectool import only between servers at the same version.
- SSO requires additional PHP configuration
-
SSO does not work unless PHP configuration is changed due to a security-related request. As a workaround, change session.cookie_samesite to "Strict" in /opt/electriccloud/electriccommander/apache/conf/php.ini and restart the web server.
- No UI to run or review pre-v10.1 triggers
-
CloudBees CD/RO v10.1 introduced new triggers and an updated UI for them. Pre-v10.1 triggers will continue to work but there is no UI to review or run them.
- Legacy definitions and references cause unexpected behavior for full data exports
-
Before using the export command to perform a full data export from the CloudBees CD/RO database, delete any legacy definitions and references to service objects from applications and releases.
- Reverting changes is not possible for all objects
-
You can only revert changes for high-level design objects such as applications procedures, procedure steps, workflow definitions, and state definitions.
Restarting the CloudBees CD/RO server while new records are created for all tracked objects might take at least as long as an export or import of all projects (10 to 40 minutes for a large project).
- Recursively traversing nested group hierarchies may cause performance issues
-
Enabling Recursively Traverse Group Hierarchy might impact system performance when the LDAP group hierarchy is traversed. The amount of impact varies with the configurations of the CloudBees CD/RO and LDAP servers, the depth of group hierarchy in the LDAP server, and the network latency between the servers. Ensure that your directory provider can handle the additional load for supporting nested group hierarchy traversal.
- Disabling and re-enabling change tracking may cause performance issues
-
System performance might decrease if you disable change tracking at the server level and then re-enable it. Change tracking is enabled by default. For details about using change tracking, refer to change tracking.