CloudBees Platform Common Plugin 1.407

RELEASED: Public: November 13, 2024

Security advisory

Security fixes

Authentication bypass via "Single sign-on via CloudBees Software Delivery Automation" security realm (BEE-53106)

When using the "Single sign-on via CloudBees Software Delivery Automation" security realm, password-based authentication methods did not verify the provided password. This allowed anyone with network access to CloudBees CI to log in as any CloudBees CI user.

Users who authenticated this way did not have their group membership populated from the underlying SSO configuration in CloudBees Software Delivery Automation. Their permissions included only those granted directly to them in the CloudBees CI authorization strategy configuration, including permissions granted to groups configured in CloudBees CI of which the user was a member.

New features

None.

Feature enhancements

None.

Resolved issues

None.

Known issues

None.

Upgrade notes

None.