Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not perform a permission check in the sidepanel of a page intentionally accessible to users lacking Overall/Read permission, allowing attackers without Overall/Read permission to list agent names through its sidepanel executors widget.

Jenkins versions prior to 2.582 and prior to LTS 2.516.3 are affected by a lack of permission check for the authenticated user profile dropdown menu. A remote and unauthenticated attacker can obtain limited information about the Jenkins configuration agent and builds.

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the b9b668f0-96ec-4568-b618-2edea45d6933 advisory.

    Jenkins Security Advisory:
    HTTP/2 denial of service vulnerability in bundled Jetty     Missing permission check allows obtaining agent names      Missing permission check in authenticated users' profile menu     Log message injection vulnerability

Tenable has extracted the preceding description block directly from the FreeBSD security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its its self-reported version number, the version of Jenkins running on the remote web server is Jenkins LTS prior to 2.516.3 or Jenkins weekly prior to 2.528. It is, therefore, affected by multiple vulnerabilities:

  - In Eclipse Jetty, versions <=9.4.57, <=10.0.25, <=11.0.25, <=12.0.21, <=12.1.0.alpha2, an HTTP/2 client     may trigger the server to send RST_STREAM frames, for example by sending frames that are malformed or that     should not be sent in a particular stream state, therefore forcing the server to consume resources such as     CPU and memory. For example, a client can open a stream and then send WINDOW_UPDATE frames with window     size increment of 0, which is illegal. Per specification https://www.rfc-editor.org/rfc/rfc9113.html#name-     window_update , the server should send a RST_STREAM frame. The client can now open another stream and send     another bad WINDOW_UPDATE, therefore causing the server to consume more resources than necessary, as this     case does not exceed the max number of concurrent streams, yet the client is able to create an enormous     amount of streams in a short period of time. The attack can be performed with other conditions (for     example, a DATA frame for a closed stream) that cause the server to send a RST_STREAM frame. Links: *     https://github.com/jetty/jetty.project/security/advisories/GHSA-mmxm-8w33-wc4h (CVE-2025-5115)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
115008	Jenkins Sidepanel Unauthorized Agent/Queue Exposure	Web App Scanning	Component Vulnerability	medium
265360	FreeBSD : jenkins -- multiple vulnerabilities (b9b668f0-96ec-4568-b618-2edea45d6933)	Nessus	FreeBSD Local Security Checks	high
265325	Jenkins LTS < 2.516.3 / Jenkins weekly < 2.528 Multiple Vulnerabilities	Nessus	CGI abuses	high

Detections

Analytics

CVE-2025-59474

medium

Tenable Plugins

medium

high

high