January 27, 2025
Severity
Medium
Analysis Summary
CVE-2025-24403 (CVSS 4.3)
A missing permission check in Jenkins Azure Service Fabric Plugin 1.6 and earlier allows attackers with Overall/Read permission to enumerate the credential IDs of Azure credentials stored in Jenkins.
CVE-2025-24402 (CVSS 4.3)
A cross-site request forgery (CSRF) vulnerability in Jenkins Azure Service Fabric Plugin 1.6 and earlier allows attackers to connect to a Service Fabric URL using attacker-specified credential IDs obtained through another method.
CVE-2025-24401 (CVSS 6.8)
Jenkins Folder-based Authorization Strategy Plugin 217.vd5b_18537403e and earlier does not verify that the permissions it is configured to grant are actually enabled, potentially allowing users who were formerly granted permissions that have since been disabled (typically optional permissions, such as Overall/Manage) to access functionality they are no longer entitled to.
CVE-2025-24400 (CVSS 4.3)
Jenkins Eiffel Broadcaster Plugin 2.8.0 through 2.10.2 (both inclusive) uses the credential ID as the cache key during signing operations, allowing attackers able to create a credential with the same ID as a legitimate one in a different credentials store to sign an event published to RabbitMQ with the legitimate credentials.
CVE-2025-24399 (CVSS 8.8)
Jenkins OpenId Connect Authentication Plugin 4.452.v2849b_d3945fa_ and earlier, except 4.438.440.v3f5f201de5dc, treats usernames as case-insensitive, allowing attackers on Jenkins instances configured with a case-sensitive OpenID Connect provider to log in as any user by providing a username that differs only in letter case, potentially gaining administrator access to Jenkins.
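As an added illustration that is not from the advisory or the plugin's own code, the script below models the case-folding mismatch behind CVE-2025-24399 and audits a user list for IDs that collide under case folding; the user IDs are a constructed sample, not real data.

```python
"""Audit Jenkins user IDs for case-fold collisions (CVE-2025-24399 context).

The vulnerable OpenId Connect Authentication Plugin matched usernames
case-insensitively even when the provider was case-sensitive, so a provider
account "Admin" could be mapped onto the Jenkins user "admin". This script
flags user IDs that become indistinguishable under case folding and shows
how a lookup should behave depending on provider case-sensitivity.
"""
from collections import defaultdict

# Constructed sample (assumption): user IDs as they might be read from
# JENKINS_HOME/users/ or the people API. Not real data.
JENKINS_USER_IDS = ["admin", "Admin", "alice", "bob", "BOB", "carol"]


def casefold_collisions(user_ids):
    """Return {folded_key: [ids...]} for every group of IDs that fold together.

    Each group lists accounts the vulnerable lookup could confuse.
    """
    groups = defaultdict(list)
    for uid in user_ids:
        groups[uid.casefold()].append(uid)
    return {key: ids for key, ids in groups.items() if len(ids) > 1}


def vulnerable_resolve(claimed, user_ids):
    """Pre-fix behaviour: folds case no matter how the provider is configured."""
    for uid in user_ids:
        if uid.casefold() == claimed.casefold():
            return uid
    return None


def resolve_user(claimed, user_ids, provider_case_sensitive):
    """Map a username asserted by the OIDC provider to a Jenkins user ID.

    With a case-sensitive provider only an exact match is acceptable.
    With a case-insensitive provider a folded match is fine, but a
    collision between stored IDs is treated as an error rather than
    silently picking one. Returns the matched ID or None.
    """
    if provider_case_sensitive:
        return claimed if claimed in user_ids else None
    matches = [uid for uid in user_ids if uid.casefold() == claimed.casefold()]
    return matches[0] if len(matches) == 1 else None
```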
CVE-2025-24398 (CVSS 8.8)
Jenkins Bitbucket Server Integration Plugin 2.1.0 through 4.1.3 (both inclusive) allows attackers to craft URLs that would bypass the CSRF protection of any target URL in Jenkins.
CVE-2025-24397 (CVSS 4.3)
An incorrect permission check in Jenkins GitLab Plugin 1.9.6 and earlier allows attackers with global Item/Configure permission (while lacking Item/Configure permission on any particular job) to enumerate credential IDs of GitLab API token and Secret text credentials stored in Jenkins.
Impact
- Gain Access
- Security Bypass
- Information Disclosure
Indicators of Compromise
CVE
CVE-2025-24403
CVE-2025-24402
CVE-2025-24401
CVE-2025-24400
CVE-2025-24399
CVE-2025-24398
CVE-2025-24397
Affected Vendors
- Jenkins
Affected Products
- Jenkins Azure Service Fabric Plugin 1.6
- Jenkins Folder-based Authorization Strategy Plugin 217.vd5b_18537403e
- Jenkins Eiffel Broadcaster Plugin 2.8.0 through 2.10.2
- Jenkins OpenId Connect Authentication Plugin 4.452.v2849b_d3945fa_
- Jenkins Bitbucket Server Integration Plugin 2.1.0 through 4.1.3
- Jenkins GitLab Plugin 1.9.6
Remediation
Upgrade each affected Jenkins plugin to the latest version, as listed in the Jenkins Security Advisory.