
CVE-2025-47884

nvd nist
Published: May 14, 2025
Modified: Jun 12, 2025

CVSS score: 9.1
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:L
Exploitability: 3.1 / Impact: 5.3
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

In Jenkins OpenID Connect Provider Plugin 96.vee8ed882ec4d and earlier, the generation of build ID Tokens uses potentially overridden values of environment variables. In conjunction with certain other plugins, this allows attackers able to configure jobs to craft a build ID Token that impersonates a trusted job, potentially gaining unauthorized access to external services.

Affected (1)

1 product
Openid Connect Provider
Configuration A
1 vulnerable
Vulnerable Software: Openid Connect Provider
Affected Versions: Up to 96.vee8ed882ec4d

References (1)

Source: jenkinsci-cert@googlegroups.com
Vendor Advisory
