Severity
Medium
Analysis Summary
CVE-2025-47885 CVSS:8.8
Jenkins Health Advisor by CloudBees Plugin does not escape responses from the Jenkins Health Advisor server, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control Jenkins Health Advisor server responses.
CVE-2025-47886 CVSS:4.3
A cross-site request forgery (CSRF) vulnerability in Jenkins Cadence vManager Plugin allows attackers to connect to an attacker-specified URL using attacker-specified username and password.
CVE-2025-47887 CVSS:4.3
Missing permission checks in Jenkins Cadence vManager Plugin allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified username and password.
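Both Cadence vManager issues (CVE-2025-47886 and CVE-2025-47887) describe the same weak spot in a Jenkins plugin: a "test connection" form endpoint that can be reached by GET and runs without a permission check, so the controller can be made to connect to a caller-chosen URL with caller-chosen credentials. The following is an added illustration of that endpoint shape beside its hardened form; it is not the plugin's own code, and the class name, method names and URL-handling body are hypothetical. The Jenkins API calls used (`@RequirePOST`, `Jenkins.get().checkPermission`, `FormValidation`, `@QueryParameter`) are real.

```java
// Added illustration (not the Cadence vManager plugin's own code) of the
// endpoint pattern behind CVE-2025-47886 / CVE-2025-47887.
// ExampleConnectionCheck and the connect() body are hypothetical.
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class ExampleConnectionCheck {

    // Weak shape: reachable by GET, so a cross-site request can trigger it (CSRF),
    // and with no permission check, so any Overall/Read user can make the
    // controller connect to a URL of their choosing with supplied credentials.
    public FormValidation doTestConnectionUnsafe(@QueryParameter String url,
                                                 @QueryParameter String username,
                                                 @QueryParameter String password) throws Exception {
        return connect(url, username, password);
    }

    // Hardened shape: @RequirePOST rejects GET requests, which also brings the
    // request under Jenkins' CSRF crumb check, and checkPermission stops callers
    // that lack Overall/Administer before any outbound connection is made.
    @RequirePOST
    public FormValidation doTestConnection(@QueryParameter String url,
                                           @QueryParameter String username,
                                           @QueryParameter String password) throws Exception {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return connect(url, username, password);
    }

    // Hypothetical connection check: one HTTP request with basic auth.
    private static FormValidation connect(String url, String username, String password) throws Exception {
        HttpURLConnection c = (HttpURLConnection) new URL(url).openConnection();
        String token = Base64.getEncoder().encodeToString(
                (username + ":" + password).getBytes(StandardCharsets.UTF_8));
        c.setRequestProperty("Authorization", "Basic " + token);
        c.setConnectTimeout(5000);
        c.setReadTimeout(5000);
        int status = c.getResponseCode();
        return status == 200
                ? FormValidation.ok("Connected")
                : FormValidation.error("Server returned HTTP " + status);
    }
}
```

When reviewing a plugin for this class of bug, look for every `do*` form-validation method that takes a URL or credentials and confirm it carries both controls; a method with only one of them still exposes one of the two CVE patterns above.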
CVE-2025-47889 CVSS:9.8
In Jenkins WSO2 Oauth Plugin, authentication claims are accepted without validation by the "WSO2 Oauth" security realm, allowing unauthenticated attackers to log in to controllers using this security realm using any username and any password, including usernames that do not exist.
Impact
- Cross-Site Scripting
- Gain Access
Indicators of Compromise
CVE
CVE-2025-47886
CVE-2025-47885
CVE-2025-47887
CVE-2025-47889
Affected Vendors
- Jenkins
Affected Products
- Jenkins Wso2 Oauth - 1.0
- Jenkins Cadence Vmanager
- Jenkins Health Advisor By Cloudbees
Remediation
Upgrade each affected plugin to the latest version published with the Jenkins Security Advisory.