CloudBees CI Security Advisory 2023-11-15

This advisory announces vulnerabilities in CloudBees CI.

Descriptions 

Upgrade Hazelcast from 5.3.2 to 5.3.5 to fix a vulnerability that affects the transitive dependency org.json:json 

BEE-41471 / CVE-2023-5072 / GHSA-rm7j-f5g5-27vv
Severity (CVSS): High
Affected plugin: cloudbees-replication
Description:

The previous version of org.json:json vendored by Hazelcast was affected by CVE-2023-5072. The new version of Hazelcast upgrades this dependency to address the vulnerability.

Severity

Fix

  • CloudBees Traditional Platforms should be upgraded to 2.426.1.2

  • CloudBees Cloud Platforms should be upgraded to 2.426.1.2