RELEASED: Public: November 13, 2024
Security advisory
To view the Security Advisory, refer to https://www.cloudbees.com/security-advisories/cloudbees-security-advisory-2024-11-13.
Security fixes
- Authentication bypass via "Single sign-on via CloudBees Software Delivery Automation" security realm (BEE-53106)
When using the "Single sign-on via CloudBees Software Delivery Automation" security realm, password-based authentication methods did not verify the provided password. This allowed anyone with network access to CloudBees CI to log in as any CloudBees CI user.
Users who authenticated this way did not have their group membership populated from the underlying SSO configuration in CloudBees Software Delivery Automation. The permissions available to such a user were limited to those granted directly to the user in the CloudBees CI authorization strategy configuration, plus permissions granted to groups configured in CloudBees CI of which the user was a member.
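The defect class described above, as an added illustration that is not CloudBees code and does not reflect how the real security realm is implemented: a password-based login path that looks the user up but never compares the supplied password, shown beside a corrected version that verifies a salted PBKDF2 hash in constant time. The user store, user names and passwords are constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional

PBKDF2_ITERATIONS = 100_000  # assumption for the example; tune for production


@dataclass(frozen=True)
class StoredUser:
    name: str
    salt: bytes
    pw_hash: bytes


def _derive(password: str, salt: bytes) -> bytes:
    """Derive a password hash with PBKDF2-HMAC-SHA256 (standard library)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_user(name: str, password: str) -> StoredUser:
    salt = os.urandom(16)
    return StoredUser(name, salt, _derive(password, salt))


# Constructed user store for the example; a real realm would consult a backend.
USERS: Dict[str, StoredUser] = {u.name: u for u in (make_user("alice", "correct horse battery staple"),)}

# Dummy salt so the "unknown user" path costs the same as a real verification.
_DUMMY_SALT = bytes(16)


def broken_authenticate(username: str, password: str) -> Optional[str]:
    """Vulnerable pattern: resolves the account, then treats lookup success as
    authentication. The password argument is never inspected, so any value
    (including an empty string) logs the caller in as that user."""
    user = USERS.get(username)
    if user is None:
        return None
    return user.name  # BUG: password not verified


def fixed_authenticate(username: str, password: str) -> Optional[str]:
    """Corrected pattern: always derive a hash from the supplied password and
    compare it to the stored hash with a constant-time comparison."""
    user = USERS.get(username)
    if user is None:
        _derive(password, _DUMMY_SALT)  # equalise timing for unknown usernames
        return None
    candidate = _derive(password, user.salt)
    if not hmac.compare_digest(candidate, user.pw_hash):
        return None
    return user.name


if __name__ == "__main__":
    print("broken, wrong password:", broken_authenticate("alice", "not the password"))
    print("fixed,  wrong password:", fixed_authenticate("alice", "not the password"))
    print("fixed,  right password:", fixed_authenticate("alice", "correct horse battery staple"))
```

A unit test that exercises a realm's password path with a deliberately wrong password, as in the `__main__` block, is the kind of check that catches this class of bug before release: if the wrong-password call returns an authenticated principal, the realm is not verifying credentials.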