Jenkins reports vulnerabilities in multiple plugins, at least two critical
Take action: Check whether you are running any of the affected Jenkins plugins, especially OpenID Connect Provider, WSO2 Oauth and Health Advisor by CloudBees. If you do, update them as soon as possible where a fix exists. If you are using WSO2 Oauth, disable the plugin; if you must keep it running while you migrate to an alternative, put the Jenkins instance behind network-level isolation. Then patch the remaining affected plugins, and disable any plugin for which no patch is available.
Learn More
The Jenkins project issued a security advisory on May 14, 2025, detailing multiple vulnerabilities across five popular plugins. These flaws could allow attackers to bypass authentication, execute malicious code, or gain unauthorized access to sensitive systems and services.
Affected Plugins and Vulnerabilities
- CVE-2025-47884 (CVSS score 9.1) - OpenID Connect Provider Plugin - Insufficient validation of claims allowing manipulation of build ID tokens. It allows attackers with job configuration capabilities to craft build ID tokens that impersonate trusted jobs. This occurs because the plugin uses potentially overridden values of environment variables when generating build ID tokens. When certain other plugins like Environment Injector are installed, attackers could gain unauthorized access to external services by manipulating these tokens.
  - Affected versions: Up to and including 96.vee8ed882ec4d
  - Fixed in version: 111.v29fd614b_3617
- CVE-2025-47889 (CVSS score 9.8) - WSO2 Oauth Plugin - Authentication bypass vulnerability allowing login with any credentials. The WSO2 Oauth Plugin contains an authentication bypass vulnerability where the plugin accepts authentication claims without validation. This allows unauthenticated attackers to log in using any username and password. While these sessions lack group privileges by default, the specific impact depends on the authorization strategy in place. For example, with the "Logged-in users can do anything" strategy, attackers would gain full administrative access to the Jenkins instance.
  - Affected versions: Up to and including 1.0
  - No fix available
- CVE-2025-47885 (CVSS score 8.8) - Health Advisor by CloudBees Plugin - Stored cross-site scripting (XSS) vulnerability
  - Affected versions: Up to and including 374.v194b_d4f0c8c8
  - Fixed in version: 374.376.v3a_41a_a_142efe
- CVE-2025-47886, CVE-2025-47887 (CVSS score 4.3) - Cadence vManager Plugin - Cross-site request forgery (CSRF) vulnerability and missing permission checks
  - Affected versions: Up to and including 4.0.1-286.v9e25a_740b_a_48
  - Fixed in version: 4.0.1-288.v8804b_ea_a_cb_7f
- CVE-2025-47888 (CVSS score 5.9) - DingTalk Plugin - SSL/TLS certificate validation unconditionally disabled
  - Affected versions: Up to and including 2.7.3
  - No fix available
Jenkins administrators should immediately update affected plugins where fixes are available, especially those with critical flaws. For plugins without fixes (DingTalk and WSO2 Oauth), consider disabling or removing them and implementing additional security controls such as network-level isolation or restricted access.
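The "Take action" step and the affected-version list above amount to a procedure: pull the plugin inventory from each Jenkins controller and compare installed versions against the ranges in the advisory. The following script, an added example that is not part of the advisory or any Jenkins project code, does that comparison on the JSON that Jenkins serves at `<jenkins-url>/pluginManager/api/json?depth=1&tree=plugins[shortName,longName,version,enabled]` (a real endpoint; fetch it with an API token, for example `curl -u user:token`). It matches plugins by the display names used in the advisory rather than by artifact IDs, and its version ordering is a simplification (compare only the leading numeric components; the `v<hash>` incremental-build suffix is ignored). The inventory embedded below is constructed sample data so the script runs offline.

```python
"""Check a Jenkins plugin inventory against the May 14, 2025 plugin advisory.

Added example, not Jenkins project code. Input format is the JSON returned by
GET <jenkins-url>/pluginManager/api/json?depth=1&tree=plugins[shortName,longName,version,enabled]
"""
import json
import re

# Ranges taken from the advisory text: display name -> (last affected version, fixed version or None).
ADVISORY = {
    "OpenID Connect Provider": ("96.vee8ed882ec4d", "111.v29fd614b_3617"),
    "WSO2 Oauth": ("1.0", None),
    "Health Advisor by CloudBees": ("374.v194b_d4f0c8c8", "374.376.v3a_41a_a_142efe"),
    "Cadence vManager": ("4.0.1-286.v9e25a_740b_a_48", "4.0.1-288.v8804b_ea_a_cb_7f"),
    "DingTalk": ("2.7.3", None),
}

# Constructed sample inventory (not real data); shortName values are placeholders.
SAMPLE_INVENTORY = json.dumps({"plugins": [
    {"shortName": "oidc-provider-example", "longName": "OpenID Connect Provider",
     "version": "96.vee8ed882ec4d", "enabled": True},
    {"shortName": "wso2-oauth-example", "longName": "WSO2 Oauth",
     "version": "1.0", "enabled": True},
    {"shortName": "advisor-example", "longName": "Health Advisor by CloudBees",
     "version": "374.376.v3a_41a_a_142efe", "enabled": True},
    {"shortName": "vmanager-example", "longName": "Cadence vManager",
     "version": "4.0.1-286.v9e25a_740b_a_48", "enabled": False},
    {"shortName": "unrelated-example", "longName": "Some Unrelated Plugin",
     "version": "5.7.0", "enabled": True},
]})


def version_key(version):
    """Leading numeric components of a Jenkins plugin version.

    '4.0.1-286.v9e25a_740b_a_48' -> (4, 0, 1, 286); '374.v194b_d4f0c8c8' -> (374,).
    Tokens from the first non-numeric one onward (the 'v<hash>' build suffix)
    are dropped. This is a simplification of Jenkins' own version comparison
    (assumption), sufficient for the ranges in this advisory.
    """
    parts = []
    for token in re.split(r"[.-]", version):
        if token.isdigit():
            parts.append(int(token))
        else:
            break
    return tuple(parts)


def is_affected(installed, last_affected):
    """True when the installed version is at or below the last affected version."""
    return version_key(installed) <= version_key(last_affected)


def assess(inventory_json):
    """Return a list of (plugin longName, installed version, recommended action)."""
    findings = []
    for plugin in json.loads(inventory_json)["plugins"]:
        name = plugin.get("longName", "")
        version = plugin.get("version", "")
        for advisory_name, (last_affected, fixed) in ADVISORY.items():
            # Match on the display name used in the advisory, case-insensitively.
            if advisory_name.lower() not in name.lower():
                continue
            if not is_affected(version, last_affected):
                action = "ok: outside affected range"
            elif fixed:
                action = f"update to {fixed}"
            else:
                action = "no fix available: disable or remove, restrict network access"
            # A disabled plugin is not exposed, but should not be re-enabled unpatched.
            if not plugin.get("enabled", True) and not action.startswith("ok"):
                action += " (currently disabled; do not re-enable)"
            findings.append((name, version, action))
    return findings


if __name__ == "__main__":
    for name, version, action in assess(SAMPLE_INVENTORY):
        print(f"{name} {version}: {action}")
```

Run it against real output by replacing `SAMPLE_INVENTORY` with the saved JSON from each controller; anything reported as "no fix available" is a candidate for the disable-and-isolate path described above, and anything reported as "update to" maps directly to the fixed version in the advisory.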