Rewterz

Multiple Jenkins Plugins Vulnerabilities

Severity

Medium

Analysis Summary

CVE-2025-24403 CVSS:4.3

A missing permission check in Jenkins Azure Service Fabric Plugin 1.6 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of Azure credentials stored in Jenkins.

CVE-2025-24402 CVSS:4.3

A cross-site request forgery (CSRF) vulnerability in Jenkins Azure Service Fabric Plugin 1.6 and earlier allows attackers to connect to a Service Fabric URL using attacker-specified credentials IDs obtained through another method.

CVE-2025-24401 CVSS:6.8

Jenkins Folder-based Authorization Strategy Plugin 217.vd5b_18537403e and earlier does not verify that permissions configured to be granted are enabled, potentially allowing users formerly granted (typically optional) permissions, such as Overall/Manage, to access functionality they are no longer entitled to.

CVE-2025-24400 CVSS:4.3

Jenkins Eiffel Broadcaster Plugin 2.8.0 through 2.10.2 (both inclusive) uses the credential ID as the cache key during signing operations, allowing attackers able to create a credential with the same ID as a legitimate one in a different credentials store to sign an event published to RabbitMQ with the legitimate credentials.
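The cache-keying flaw behind CVE-2025-24400, shown as an added Python illustration (not the Eiffel Broadcaster Plugin's own code): a cache keyed on the credential ID alone lets a same-ID credential in a different store reuse the legitimate signing secret, while a store-qualified key keeps them apart. The store names, credential IDs, secrets and event payload below are constructed.

```python
import hashlib
import hmac

# Constructed credential stores: the system store holds the real signing secret;
# a folder-scoped store holds a credential that happens to reuse the same ID.
STORES = {
    "system": {"rabbitmq-signer": b"legitimate-secret"},
    "folder/team-x": {"rabbitmq-signer": b"other-secret"},
}


def sign(secret: bytes, event: bytes) -> str:
    """HMAC-SHA256 signature over the event body (stand-in for the real signing step)."""
    return hmac.new(secret, event, hashlib.sha256).hexdigest()


class VulnerableSigner:
    """Caches loaded secrets by credential ID only: the flawed pattern."""

    def __init__(self):
        self.cache = {}

    def sign_event(self, store: str, cred_id: str, event: bytes) -> str:
        if cred_id not in self.cache:  # second store with the same ID hits this entry
            self.cache[cred_id] = STORES[store][cred_id]
        return sign(self.cache[cred_id], event)


class FixedSigner:
    """Caches by (store, credential ID) so same-named credentials stay separate."""

    def __init__(self):
        self.cache = {}

    def sign_event(self, store: str, cred_id: str, event: bytes) -> str:
        key = (store, cred_id)
        if key not in self.cache:
            self.cache[key] = STORES[store][cred_id]
        return sign(self.cache[key], event)


def folder_signature_reuses_system_secret(signer_cls) -> bool:
    """True if a job in the folder ends up signing with the system store's secret."""
    signer = signer_cls()
    event = b'{"meta":{"type":"constructed-event"}}'  # constructed payload
    system_sig = signer.sign_event("system", "rabbitmq-signer", event)
    folder_sig = signer.sign_event("folder/team-x", "rabbitmq-signer", event)
    return system_sig == folder_sig


if __name__ == "__main__":
    print("vulnerable:", folder_signature_reuses_system_secret(VulnerableSigner))
    print("fixed:     ", folder_signature_reuses_system_secret(FixedSigner))
```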

CVE-2025-24399 CVSS:8.8

Jenkins OpenId Connect Authentication Plugin 4.452.v2849b_d3945fa_ and earlier, except 4.438.440.v3f5f201de5dc, treats usernames as case-insensitive, allowing attackers on Jenkins instances configured with a case-sensitive OpenID Connect provider to log in as any user by providing a username that differs only in letter case, potentially gaining administrator access to Jenkins.

CVE-2025-24398 CVSS:8.8

Jenkins Bitbucket Server Integration Plugin 2.1.0 through 4.1.3 (both inclusive) allows attackers to craft URLs that would bypass the CSRF protection of any target URL in Jenkins.

CVE-2025-24397 CVSS:4.3

An incorrect permission check in Jenkins GitLab Plugin 1.9.6 and earlier allows attackers with global Item/Configure permission (while lacking Item/Configure permission on any particular job) to enumerate credential IDs of GitLab API token and Secret text credentials stored in Jenkins.

Impact

  • Gain Access
  • Security Bypass
  • Information Disclosure

Indicators of Compromise

CVE

  • CVE-2025-24403
  • CVE-2025-24402
  • CVE-2025-24401
  • CVE-2025-24400
  • CVE-2025-24399
  • CVE-2025-24398
  • CVE-2025-24397

Affected Vendors

Jenkins

Affected Products

  • Jenkins Azure Service Fabric Plugin 1.6
  • Jenkins Folder-based Authorization Strategy Plugin 217.vd5b_18537403e
  • Jenkins Eiffel Broadcaster Plugin 2.8.0 through 2.10.2
  • Jenkins OpenId Connect Authentication Plugin 4.452.v2849b_d3945fa_
  • Jenkins Bitbucket Server Integration Plugin 2.1.0 through 4.1.3
  • Jenkins GitLab Plugin 1.9.6

Remediation

Upgrade each affected Jenkins plugin to the latest version, as listed in the Jenkins Security Advisory.
