Jenkins plugins Multiple Vulnerabilities (2025-05-14)

Critical - Nessus Plugin ID 236410

Synopsis

An application running on the remote web server host is affected by multiple vulnerabilities.

Description

According to their self-reported version numbers, the versions of the Jenkins plugins running on the remote web server are affected by multiple vulnerabilities:

- Critical: In WSO2 Oauth Plugin 1.0 and earlier, authentication claims are accepted without validation by the WSO2 Oauth security realm. This allows unauthenticated attackers to log in to controllers using this security realm with any username and any password, including usernames that do not exist. Sessions created this way do not have any additional authorities, i.e., memberships in groups; even the "authenticated" group membership is absent. The impact of successfully creating a session this way depends on the authorization strategy and how it is configured. Commonly used authorization strategies behave as follows:
  - The authorization strategy "Logged-in users can do anything" determines that users who logged in this way are not the anonymous user, and grants them Overall/Administer permission.
  - The authorization strategy "Role-based strategy", provided by Role-based Authorization Strategy Plugin, grants attackers the permissions assigned directly to the specified user (or ambiguous permissions applicable to both users and groups). Permissions that would be granted through groups are not granted.
  - The authorization strategies "Matrix-based security" and "Project-based Matrix Authorization Strategy", provided by Matrix Authorization Strategy Plugin, grant the permissions assigned directly to the specified user (or ambiguous permissions applicable to both users and groups, typically predating version 3.0 of the plugin). Permissions that would be granted through groups are not granted.
  As of publication of this advisory, there is no fix. (CVE-2025-47889)

- Critical: In OpenID Connect Provider Plugin, claim templates can use environment variables of jobs and builds for dynamic content. The default claim template for build ID tokens uses the JOB_URL environment variable for the sub (Subject) claim. In OpenID Connect Provider Plugin 96.vee8ed882ec4d and earlier, the generation of build ID tokens uses potentially overridden values of environment variables. When certain other plugins that allow arbitrary environment variables to be overridden are installed (e.g., Environment Injector Plugin), this allows attackers able to configure jobs to craft a build ID token that impersonates a trusted job, potentially gaining unauthorized access to external services. In OpenID Connect Provider Plugin 111.v29fd614b_3617, the generation of build ID tokens ignores environment variables if they have been overridden. (CVE-2025-47884)

- High: Health Advisor by CloudBees Plugin 374.v194b_d4f0c8c8 and earlier does not escape responses from the Jenkins Health Advisor server. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control Jenkins Health Advisor server responses. Health Advisor by CloudBees Plugin 374.376.v3a_41a_a_142efe escapes responses from the Jenkins Health Advisor server. (CVE-2025-47885)

- Medium: Cadence vManager Plugin 4.0.1-286.v9e25a_740b_a_48 and earlier does not perform permission checks in methods implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using an attacker-specified username and password. Additionally, these form validation methods do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability. Cadence vManager Plugin 4.0.1-288.v8804b_ea_a_cb_7f requires POST requests and Item/Configure permission for the affected form validation method. (CVE-2025-47886, CVE-2025-47887)

- Medium: DingTalk Plugin 2.7.3 and earlier unconditionally disables SSL/TLS certificate and hostname validation for connections to the configured DingTalk webhooks. As of publication of this advisory, there is no fix. (CVE-2025-47888)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update Jenkins plugins to the following versions:
- Cadence vManager Plugin to version 4.0.1-288.v8804b_ea_a_cb_7f or later
- DingTalk Plugin: See vendor advisory
- Health Advisor by CloudBees Plugin to version 374.376.v3a_41a_a_142efe or later
- OpenID Connect Provider Plugin to version 111.v29fd614b_3617 or later
- WSO2 Oauth Plugin: See vendor advisory

See vendor advisory for more details.

See Also

https://jenkins.io/security/advisory/2025-05-14

Plugin Details

Severity: Critical

ID: 236410

File Name: jenkins_security_advisory_2025-05-14_plugins.nasl

Version: 1.1

Type: combined

Agent: windows, macosx, unix

Family: CGI abuses

Published: 5/14/2025

Updated: 5/14/2025

Configuration: Enable thorough checks (optional)

Supported Sensors: Nessus Agent, Nessus

Enable CGI Scanning: true

Risk Information

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2025-47889

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:jenkins:jenkins, cpe:/a:cloudbees:jenkins

Required KB Items: installed_sw/Jenkins

Exploit Ease: No known exploits are available

Patch Publication Date: 5/14/2025

Vulnerability Publication Date: 5/14/2025

Reference Information

CVE: CVE-2025-47884, CVE-2025-47885, CVE-2025-47886, CVE-2025-47887, CVE-2025-47888, CVE-2025-47889