Jenkins Plugin Vulnerabilities: Critical Security Risks in OpenID, Health Advisor, and More – May 2025 Advisory

  • Writer: Nox90 Engineering
  • May 18
  • 4 min read

On May 14, 2025, Jenkins published a security advisory highlighting multiple vulnerabilities in various Jenkins plugins. These vulnerabilities, if exploited, could lead to unauthorized access, privilege escalation, and other security risks. The affected plugins include the Cadence vManager, DingTalk, Health Advisor by CloudBees, OpenID Connect Provider, and WSO2 Oauth Plugins.

Vulnerabilities Detailed:

  1. Insufficient Validation in OpenID Connect Provider Plugin (SECURITY-3574 / CVE-2025-47884)
     • Severity: Critical
     • Details: The OpenID Connect Provider Plugin fails to properly validate claims in build ID tokens, allowing attackers who can control job configurations to craft tokens that impersonate trusted jobs. This could grant unauthorized access to external services that trust those tokens.
     • Affected Version: Up to 96.vee8ed882ec4d
     • Fix: Update to version 111.v29fd614b_3617

  2. Stored XSS in Health Advisor by CloudBees Plugin (SECURITY-3559 / CVE-2025-47885)
     • Severity: High
     • Details: The plugin does not escape responses from the Jenkins Health Advisor server, leading to a stored cross-site scripting vulnerability.
     • Affected Version: Up to 374.v194b_d4f0c8c8
     • Fix: Update to version 374.376.v3a_41a_a_142efe

  3. CSRF and Missing Permission Checks in Cadence vManager Plugin (SECURITY-3548 / CVE-2025-47886, CVE-2025-47887)
     • Severity: Medium
     • Details: The plugin lacks proper permission checks and allows cross-site request forgery, which could let attackers make Jenkins connect to attacker-specified URLs.
     • Affected Version: Up to 4.0.1-286.v9e25a_740b_a_48
     • Fix: Update to version 4.0.1-288.v8804b_ea_a_cb_7f

  4. SSL/TLS Validation Disabled in DingTalk Plugin (SECURITY-3353 / CVE-2025-47888)
     • Severity: Medium
     • Details: The plugin disables SSL/TLS certificate validation, making it vulnerable to man-in-the-middle attacks.
     • Affected Version: Up to 2.7.3
     • Fix: No fix available as of the advisory's publication.

  5. Authentication Bypass in WSO2 Oauth Plugin (SECURITY-3481 / CVE-2025-47889)
     • Severity: Critical
     • Details: The plugin accepts authentication claims without validation, allowing unauthenticated login using any username and password.
     • Affected Version: Up to 1.0
     • Fix: No fix available as of the advisory's publication.

Exploitation in the Wild: There have been no specific reports or indicators of compromise (IOCs) suggesting that these vulnerabilities have been actively exploited in the wild. However, the critical nature of some vulnerabilities underscores the need for immediate attention.

Acknowledgments:

  • Daniel Beck, CloudBees, Inc. for SECURITY-3559
  • Jesse Glick, CloudBees, Inc. for SECURITY-3574
  • Kevin Guerroudj, CloudBees, Inc. for SECURITY-3481
  • Pierre Beitz, CloudBees, Inc. for SECURITY-3353
  • Vincent Lardet for SECURITY-3548

Recommendations: Administrators are advised to update affected plugins to the latest secure versions immediately. For plugins without available fixes, consider temporarily disabling the plugin or implementing compensating controls until a patch is available.


This report provides an in-depth analysis of the vulnerabilities disclosed in the Jenkins Security Advisory dated May 14, 2025, along with actionable recommendations for mitigation.

Executive Summary

On May 14, 2025, Jenkins issued a critical security advisory detailing vulnerabilities found in several of its plugins, notably Cadence vManager, DingTalk, Health Advisor by CloudBees, OpenID Connect Provider, and WSO2 Oauth. These vulnerabilities, if exploited, could result in unauthorized access and privilege escalation, posing significant risks to system security and data integrity. The vulnerabilities range from insufficient validation and stored cross-site scripting to authentication bypasses and disabled security checks. Immediate attention and action are required for affected users to mitigate potential exploitation.

Technical Information

The OpenID Connect Provider Plugin has been flagged for a critical vulnerability (CVE-2025-47884) due to its improper validation of claims within build ID tokens. Attackers could potentially craft tokens that impersonate trusted jobs by manipulating job configurations, leading to unauthorized access to external services. The affected versions are up to 96.vee8ed882ec4d, with a fix available in version 111.v29fd614b_3617.

The Health Advisor by CloudBees Plugin suffers from a high-severity stored XSS vulnerability (CVE-2025-47885), where responses from the Jenkins Health Advisor server are not escaped, allowing for malicious script injection. The vulnerability affects versions up to 374.v194b_d4f0c8c8, resolved in version 374.376.v3a_41a_a_142efe.

The Cadence vManager Plugin is affected by medium-severity issues including CSRF and missing permission checks (CVE-2025-47886 and CVE-2025-47887). These vulnerabilities allow attackers with Overall/Read permission to make Jenkins connect to arbitrary URLs without proper validation. The fix is provided in version 4.0.1-288.v8804b_ea_a_cb_7f.

The DingTalk Plugin poses a medium risk due to its unconditional disabling of SSL/TLS certificate validation (CVE-2025-47888), exposing it to man-in-the-middle attacks. No fix is available as of this advisory.

A critical authentication bypass vulnerability (CVE-2025-47889) exists in the WSO2 Oauth Plugin, where authentication claims are accepted without validation. This flaw allows unauthenticated attackers to log in using any credentials, affecting versions up to 1.0, with no immediate fix available.

Exploitation in the Wild

Currently, there have been no confirmed reports of these vulnerabilities being exploited in the wild. Nonetheless, the potential impact of such exploitation necessitates swift action to patch or mitigate these vulnerabilities to prevent unauthorized access and data breaches.

APT Groups using this vulnerability

There are no specific APT groups reported to be exploiting these vulnerabilities at present. However, given the nature of these vulnerabilities, they could be attractive targets for APT groups seeking to infiltrate systems using Jenkins for CI/CD processes.

Affected Product Versions

The affected product versions include:

  • OpenID Connect Provider Plugin up to version 96.vee8ed882ec4d.
  • Health Advisor by CloudBees Plugin up to version 374.v194b_d4f0c8c8.
  • Cadence vManager Plugin up to version 4.0.1-286.v9e25a_740b_a_48.
  • DingTalk Plugin up to version 2.7.3.
  • WSO2 Oauth Plugin up to version 1.0.

Mitigation or Workarounds

Administrators are advised to immediately upgrade affected plugins to the latest secure versions. For plugins for which no fix is available, such as DingTalk and WSO2 Oauth, disabling the plugins or implementing strict network access controls can help mitigate risks. Monitoring and logging should be enhanced to detect any unauthorized attempts to exploit these vulnerabilities.
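The first step in both the Recommendations above and this section is finding out which installed plugins fall inside the affected version ranges. As an added example (not code from the original advisory or from Nox90), the following Python script compares a plugin inventory in the shape returned by Jenkins' plugin manager JSON API with the affected and fixed versions listed in this advisory, and reports the action for each match. It assumes that a plugin's `longName` in that JSON matches the display name used in the advisory (adjust the `ADVISORY` keys if your instance reports different names) and uses a simplified model of Jenkins' version ordering that is sufficient for the version strings in this advisory; the inventory embedded in it is constructed for the demonstration.

```python
"""Compare a Jenkins plugin inventory with the 2025-05-14 advisory versions."""
import json
import re

# Version boundaries copied from the advisory summary above, keyed by the
# plugin's display name in lower case. "fix": None means no fix was available
# when the advisory was published.
ADVISORY = {
    "openid connect provider": {"affected_up_to": "96.vee8ed882ec4d",
                                "fix": "111.v29fd614b_3617",
                                "ids": "SECURITY-3574 / CVE-2025-47884"},
    "health advisor by cloudbees": {"affected_up_to": "374.v194b_d4f0c8c8",
                                    "fix": "374.376.v3a_41a_a_142efe",
                                    "ids": "SECURITY-3559 / CVE-2025-47885"},
    "cadence vmanager": {"affected_up_to": "4.0.1-286.v9e25a_740b_a_48",
                         "fix": "4.0.1-288.v8804b_ea_a_cb_7f",
                         "ids": "SECURITY-3548 / CVE-2025-47886, CVE-2025-47887"},
    "dingtalk": {"affected_up_to": "2.7.3", "fix": None,
                 "ids": "SECURITY-3353 / CVE-2025-47888"},
    "wso2 oauth": {"affected_up_to": "1.0", "fix": None,
                   "ids": "SECURITY-3481 / CVE-2025-47889"},
}

# Constructed sample in the shape of GET /pluginManager/api/json?depth=1
# (only the fields used here). The version values were chosen to exercise
# each outcome and are not taken from a real instance.
SAMPLE_INVENTORY = json.dumps({"plugins": [
    {"longName": "OpenID Connect Provider Plugin", "version": "96.vee8ed882ec4d", "enabled": True},
    {"longName": "Health Advisor by CloudBees Plugin", "version": "374.376.v3a_41a_a_142efe", "enabled": True},
    {"longName": "Cadence vManager Plugin", "version": "4.0.1-280.v0000000000", "enabled": True},
    {"longName": "DingTalk Plugin", "version": "2.7.3", "enabled": True},
    {"longName": "Git plugin", "version": "5.2.0", "enabled": True},
]})


def version_key(version):
    """Turn a plugin version string into a list that sorts like Jenkins releases.

    Assumption: a simplified model of Jenkins' version ordering, adequate for
    the strings in this advisory. Numeric segments compare numerically and rank
    above non-numeric ones (so 374.376.v... is newer than 374.v...), and a
    version that is a prefix of another sorts first (374 < 374.v194b...).
    """
    key = []
    for token in re.split(r"[.\-]", version):
        key.append((1, int(token), "") if token.isdigit() else (0, 0, token))
    return key


def compare_versions(a, b):
    """Return -1, 0 or 1 as a is older than, equal to, or newer than b."""
    ka, kb = version_key(a), version_key(b)
    return (ka > kb) - (ka < kb)


def normalize_name(long_name):
    """Map an inventory longName ("DingTalk Plugin") to an ADVISORY key ("dingtalk")."""
    return re.sub(r"\s+plugin$", "", long_name.strip().lower())


def assess_plugin(long_name, version):
    """Classify one installed plugin; returns None if the advisory does not list it."""
    entry = ADVISORY.get(normalize_name(long_name))
    if entry is None:
        return None
    if compare_versions(version, entry["affected_up_to"]) <= 0:
        status = "VULNERABLE"
        action = (f"upgrade to {entry['fix']}" if entry["fix"]
                  else "no fix at publication: disable the plugin or apply compensating controls")
    elif entry["fix"] is None or compare_versions(version, entry["fix"]) < 0:
        # Newer than the listed affected range but not a known fixed release:
        # the advisory does not cover this version, so it needs a manual check.
        status = "UNLISTED"
        action = "not covered by the advisory's version ranges; verify against the current advisory"
    else:
        status = "PATCHED"
        action = "none"
    return {"plugin": long_name, "version": version, "status": status,
            "action": action, "ids": entry["ids"]}


def assess_inventory(inventory_json):
    """Return findings for every installed plugin the advisory lists."""
    findings = []
    for plugin in json.loads(inventory_json)["plugins"]:
        finding = assess_plugin(plugin["longName"], plugin["version"])
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in assess_inventory(SAMPLE_INVENTORY):
        print(f"{f['status']:<10} {f['plugin']} {f['version']} ({f['ids']}): {f['action']}")
```

On a real controller, fetch the inventory with an authenticated request to `/pluginManager/api/json?depth=1` and pass the response body to `assess_inventory`. A VULNERABLE result with no fix version (DingTalk, WSO2 Oauth at publication time) corresponds to the disable-or-compensating-controls advice above; an UNLISTED result means the installed version is outside every range the advisory names and should be re-checked against the advisory page rather than assumed safe.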

References

For further information, please refer to the following resources:

  • Jenkins Security Advisory: https://www.jenkins.io/security/advisory/2025-05-14/
  • CVE Details:
    • CVE-2025-47884: https://nvd.nist.gov/vuln/detail/CVE-2025-47884
    • CVE-2025-47885: https://nvd.nist.gov/vuln/detail/CVE-2025-47885
    • CVE-2025-47886: https://nvd.nist.gov/vuln/detail/CVE-2025-47886
    • CVE-2025-47887: https://nvd.nist.gov/vuln/detail/CVE-2025-47887
    • CVE-2025-47888: https://nvd.nist.gov/vuln/detail/CVE-2025-47888
    • CVE-2025-47889: https://nvd.nist.gov/vuln/detail/CVE-2025-47889

Nox90 is here for you

Nox90 is committed to supporting our clients through the complexities of application security and the secure software development life cycle (SSDLC). Should you have any questions regarding this advisory or require assistance with security implementations, please contact us at info@nox90.com. Our expert team is ready to help safeguard your systems and ensure robust security practices are in place.