CyberSecurity updates
2025-01-30 14:48:39 Pacific

Multiple Vulnerabilities Discovered in Jenkins Plugins - 7d
Read more: socca.tech

Multiple vulnerabilities have been identified across several Jenkins plugins. They fall into three classes: Cross-Site Request Forgery (CSRF) in HTTP endpoints that do not require POST requests, missing permission checks that let low-privileged users reach functionality or data they should not see, and credentials stored or displayed in plain text. The affected plugins are the Azure Service Fabric Plugin, Bitbucket Server Integration Plugin, OpenID Connect Authentication Plugin, GitLab Plugin, Eiffel Broadcaster Plugin, and Zoom Plugin. Each issue has been assigned its own CVE identifier. Depending on the plugin, these weaknesses allow an attacker to log in as another user, to make Jenkins perform actions on behalf of an authenticated administrator, or to read credentials that Jenkins is supposed to keep secret.

Specific vulnerabilities include CVE-2025-24398, a high-severity issue in the Bitbucket Server Integration Plugin: an HTTP endpoint does not require POST requests, so an attacker can use CSRF to make Jenkins connect to an attacker-specified URL and capture credentials stored in Jenkins; and CVE-2025-24399, a high-severity issue in the OpenID Connect Authentication Plugin, which treats usernames as case-insensitive, so that on an instance whose identity provider distinguishes letter case an attacker can log in as another user by supplying a username that differs only in case. There are also medium-severity issues: CVE-2025-24397 in the GitLab Plugin, where a missing permission check in an HTTP endpoint lets users with Overall/Read permission enumerate the IDs of credentials stored in Jenkins; plain-text storage and display of a token in the Zoom Plugin; and credential cache confusion in the Eiffel Broadcaster Plugin. The Jenkins Security Advisory 2025-01-22 documents these vulnerabilities and the fixed plugin versions where they exist, but no fixes are available as of yet for three of these issues. Administrators should update the plugins that have fixes, and for the issues without one, either uninstall the plugin or restrict who can reach the affected configuration until a fix ships.