RELEASED: Public: 2024-11-RELEASE-DATE
Security advisory
To view the Security Advisory, refer to https://www.cloudbees.com/security-advisories/cloudbees-security-advisory-2024-11-13.
Security fixes
- Confidential information disclosure via aggregated node list in High Availability (HA) controllers (BEE-53014)
The High Availability (HA) controllers implemented a partial override of the REST API endpoint that lists all agents, so that the response includes complete and accurate information regardless of which replica served the request. This override mistakenly permitted requests from anonymous users, which on a secured controller would normally receive a 403 response code. It also disclosed, to users with Overall/Read access but without Job/Read permission on some jobs, the names of those jobs when they had builds currently running on agents managed by other replicas. The permission checks now match those of non-HA controllers.
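The following is an added illustration, not CloudBees code: a constructed model of an aggregated agent-list endpoint across HA replicas that applies the same two checks a non-HA controller would, rejecting requests without Overall/Read with a 403 and naming a running job only when the requester holds Job/Read on it. All class, function and job names are hypothetical.

```python
"""Constructed model of a permission-checked agent list merged across HA replicas.
Not CloudBees code; all names and sample data are hypothetical."""
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the caller lacks Overall/Read; mapped to HTTP 403 below."""


@dataclass
class User:
    name: str                              # "anonymous" for unauthenticated requests
    overall_read: bool = False             # Overall/Read permission
    job_read: frozenset = frozenset()      # job names on which the user has Job/Read


@dataclass
class Agent:
    name: str
    running_jobs: list                     # names of jobs with builds running here


# Constructed sample: each replica only knows the agents it manages.
REPLICAS = {
    "replica-1": [Agent("linux-1", ["public-build"])],
    "replica-2": [Agent("linux-2", ["secret-deploy"])],
}


def list_agents(user: User, replicas=REPLICAS) -> list:
    """Merge every replica's view, enforcing the same checks as a single controller."""
    # Check 1: Overall/Read is required before any agent data is returned.
    if not user.overall_read:
        raise Forbidden(f"{user.name} lacks Overall/Read")
    rows = []
    for replica, agents in replicas.items():
        for agent in agents:
            # Check 2: Job/Read is enforced per job, regardless of which replica
            # manages the agent; jobs the user may not read are counted, not named.
            visible = [j for j in agent.running_jobs if j in user.job_read]
            rows.append({"agent": agent.name, "replica": replica,
                         "running": visible,
                         "undisclosed": len(agent.running_jobs) - len(visible)})
    return sorted(rows, key=lambda r: r["agent"])


def handle_request(user: User, replicas=REPLICAS) -> tuple:
    """REST handler shape: returns (HTTP status, response body)."""
    try:
        return 200, list_agents(user, replicas)
    except Forbidden:
        return 403, []
```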