RELEASED: Public: November 13, 2024
Security advisory
To view the Security Advisory, refer to https://www.cloudbees.com/security-advisories/cloudbees-security-advisory-2024-11-13.
Security fixes
- Confidential information disclosure via aggregated node list in High Availability (HA) controllers (BEE-53014)
The High Availability (HA) controllers implemented a partial override for the REST API endpoint that lists all agents, so that the response contained complete and accurate information regardless of which replica served the request. This override mistakenly accepted requests from anonymous users, which on a secured controller would normally receive a 403 response code. It also returned information from which job names could be deduced to users who had Overall/Read permission but lacked Job/Read permission on some of the jobs with builds currently running on agents managed by other replicas. The permission checks now match those of non-HA controllers.
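The defect class described above, as an added worked example: an aggregation endpoint that merges per-replica data must re-apply the same caller checks a single controller would apply to each item. The model below is constructed for this note and is not CloudBees or Jenkins code; the agent names, job names, replica layout and permission assignments are assumptions, and the "fixed" handler is modelled on the behaviour the advisory states (Overall/Read to list nodes, Job/Read to see which build an executor is running), not copied from the product.

```python
"""Model of the HA aggregated node-list permission check.

Constructed example, not CloudBees or Jenkins code: it models the defect class
described in the advisory. Agent names, job names, replica layout and
permission sets are all made up.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    overall_read: bool = False            # Jenkins Overall/Read
    job_read: frozenset = frozenset()     # jobs on which the user has Job/Read

    def can_read_job(self, job: str) -> bool:
        return self.overall_read and job in self.job_read


# On a secured controller the anonymous user has no Overall/Read; this is the
# assumption behind the 403 the advisory expects for anonymous requests.
ANONYMOUS = User("anonymous")

# Each HA replica knows only the agents it manages and the build running on
# each one; the aggregated endpoint merges them so any replica can answer.
REPLICAS = {
    "replica-1": {"agent-a": "payroll-deploy", "agent-b": None},
    "replica-2": {"agent-c": "secret-project-build"},
}


class Forbidden(Exception):
    """Stands in for the HTTP 403 a secured controller returns."""


def list_nodes_vulnerable(user: User, replicas=REPLICAS) -> list:
    """The partial override as described: aggregates every replica's agents
    without re-checking the caller, so anonymous users get a listing and the
    job running on each executor is exposed regardless of Job/Read."""
    return [{"agent": agent, "replica": replica, "running": job}
            for replica, agents in replicas.items()
            for agent, job in agents.items()]


def list_nodes_fixed(user: User, replicas=REPLICAS) -> list:
    """Same aggregation with the checks a non-HA controller applies (modelled,
    not copied): Overall/Read to list nodes at all, Job/Read to learn which
    build an executor is running; otherwise the build name is withheld."""
    if not user.overall_read:
        raise Forbidden("Overall/Read required")
    nodes = []
    for replica, agents in replicas.items():
        for agent, job in agents.items():
            visible = job if job is not None and user.can_read_job(job) else None
            nodes.append({"agent": agent, "replica": replica, "running": visible})
    return nodes


def respond(handler, user: User) -> tuple:
    """Turn a handler's outcome into an (HTTP status, body) pair."""
    try:
        return 200, handler(user)
    except Forbidden:
        return 403, []


def leaked_jobs(user: User, body: list) -> set:
    """Job names present in a response that the user has no Job/Read on; a
    non-empty set is the information disclosure the advisory describes."""
    return {n["running"] for n in body
            if n["running"] is not None and not user.can_read_job(n["running"])}


if __name__ == "__main__":
    reader = User("reader", overall_read=True, job_read=frozenset({"payroll-deploy"}))
    for handler in (list_nodes_vulnerable, list_nodes_fixed):
        for user in (ANONYMOUS, reader):
            status, body = respond(handler, user)
            print(handler.__name__, user.name, status, sorted(leaked_jobs(user, body)))
```

The `leaked_jobs` check is the useful part for a practitioner: run the same comparison against the real `/computer/api/json` response of a restricted account on a patched HA controller and the set should be empty, while an anonymous request should come back as 403 rather than a listing.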