Jenkins Security Update Addresses Critical Vulnerabilities in CI/CD Pipelines

The Jenkins project has recently released a critical security advisory detailing multiple vulnerabilities across several widely used plugins, including Cadence vManager, DingTalk, Health Advisor by CloudBees, OpenID Connect Provider, and WSO2 Oauth. These vulnerabilities, ranging from medium to critical severity, pose significant risks to Continuous Integration and Continuous Deployment (CI/CD) environments by potentially allowing attackers to bypass authentication mechanisms, execute malicious code, or gain unauthorized access to sensitive systems. Jenkins administrators are strongly urged to take immediate action to mitigate these risks.

Critical Vulnerabilities Identified

The advisory highlights two particularly severe vulnerabilities with Common Vulnerability Scoring System (CVSS) scores of 9.1 and 9.8, both in the critical severity range for Jenkins environments:

1. OpenID Connect Provider Plugin (CVE-2025-47884, CVSS: 9.1): In versions 96.vee8ed882ec4d and earlier, a flaw allows attackers to manipulate build ID tokens by overriding environment variables. This manipulation can be achieved through plugins like Environment Injector, enabling attackers to impersonate trusted jobs and potentially access external services. The issue has been addressed in version 111.v29fd614b_3617, which now ignores overridden environment variables to prevent such exploits.

2. WSO2 Oauth Plugin (CVE-2025-47889, CVSS: 9.8): Versions 1.0 and earlier fail to validate authentication claims properly, allowing unauthenticated attackers to log in with any username and password. Depending on the authorization strategy in place, this could grant attackers full administrative access. Notably, no fix is currently available for this vulnerability, leaving systems that use this plugin exposed to potential attacks.

Additional High- and Medium-Severity Vulnerabilities

Beyond the critical issues, the advisory also details several other vulnerabilities of high and medium severity:

– Health Advisor by CloudBees Plugin (CVE-2025-47885, CVSS: High): Versions 374.v194b_d4f0c8c8 and earlier are susceptible to stored cross-site scripting (XSS) due to unescaped server responses. An attacker controlling the Jenkins Health Advisor server could exploit this to inject malicious scripts. The vulnerability has been resolved in version 374.376.v3a_41a_a_142efe, which escapes server responses to prevent XSS attacks.

– Cadence vManager Plugin (CVE-2025-47886, CVE-2025-47887, CVSS: Medium): Versions 4.0.1-286.v9e25a_740b_a_48 and earlier lack proper permission checks and are vulnerable to cross-site request forgery (CSRF). Attackers with Overall/Read permission could connect to malicious URLs using attacker-specified credentials. Version 4.0.1-288.v8804b_ea_a_cb_7f addresses these issues by enforcing stricter permissions and requiring POST requests for certain actions.

– DingTalk Plugin (CVE-2025-47888, CVSS: Medium): Versions 2.7.3 and earlier disable SSL/TLS certificate and hostname validation for webhook connections, increasing the risk of man-in-the-middle attacks. As of now, no fix is available for this vulnerability, leaving users of this plugin particularly vulnerable.

Affected Versions and Recommended Actions

The vulnerabilities affect the following plugin versions:

– Cadence vManager Plugin: Up to 4.0.1-286.v9e25a_740b_a_48

– DingTalk Plugin: Up to 2.7.3

– Health Advisor by CloudBees Plugin: Up to 374.v194b_d4f0c8c8

– OpenID Connect Provider Plugin: Up to 96.vee8ed882ec4d

– WSO2 Oauth Plugin: Up to 1.0

Administrators are urged to update to the patched versions immediately:

– Cadence vManager Plugin: Update to version 4.0.1-288.v8804b_ea_a_cb_7f

– Health Advisor by CloudBees Plugin: Update to version 374.376.v3a_41a_a_142efe

– OpenID Connect Provider Plugin: Update to version 111.v29fd614b_3617

For the DingTalk and WSO2 Oauth plugins, no fixes are currently available. The Jenkins project has not provided updates for these plugins, citing their unmaintained status or other constraints. Users of these plugins may need to disable them or implement compensating controls, such as network-level security measures or restricted access policies, to mitigate potential risks.
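The first practical step after reading an advisory like this is to compare it against what is actually installed. The following script is an added example, not code from the Jenkins project or this article. It takes a plugin inventory in the shape returned by the Jenkins plugin manager JSON endpoint (`/pluginManager/api/json?depth=1`, which lists each plugin's `shortName` and `version`) and flags any plugin at or below the last affected version named above. The plugin short names in the table are assumptions and should be verified against the plugin index; the version comparison is a simplified numeric-prefix heuristic rather than Jenkins' own VersionNumber ordering, which is sufficient for the versions in this advisory but not a general replacement. The sample inventory is constructed for the example.

```python
"""Check a Jenkins plugin inventory against the versions named in the advisory.

Added example. Input follows the Jenkins plugin manager JSON API shape
(/pluginManager/api/json?depth=1): {"plugins": [{"shortName", "version", "active"}, ...]}.
Plugin short names below are assumptions (verify against the plugin index);
the version comparison is a numeric-prefix heuristic, not Jenkins' VersionNumber.
"""
import re

# Assumed plugin short names -> (last affected version, fixed version or None).
ADVISORY = {
    "vmanager-plugin": ("4.0.1-286.v9e25a_740b_a_48", "4.0.1-288.v8804b_ea_a_cb_7f"),
    "dingding-notifications": ("2.7.3", None),
    "cloudbees-jenkins-advisor": ("374.v194b_d4f0c8c8", "374.376.v3a_41a_a_142efe"),
    "oidc-provider": ("96.vee8ed882ec4d", "111.v29fd614b_3617"),
    "wso2id-oauth": ("1.0", None),
}


def version_key(version: str) -> tuple:
    """Leading numeric components of a Jenkins version string, as a tuple.

    '374.376.v3a_41a_a_142efe' -> (374, 376)
    '4.0.1-286.v9e25a_740b_a_48' -> (4, 0, 1, 286)
    Parsing stops at the first non-numeric token (the 'v<hash>' suffix); that
    prefix is enough to order every version pair in this advisory.
    """
    key = []
    for token in re.split(r"[.-]", version):
        if not token.isdigit():
            break
        key.append(int(token))
    return tuple(key)


def is_affected(installed: str, last_affected: str) -> bool:
    """True when the installed version is at or below the last affected version."""
    return version_key(installed) <= version_key(last_affected)


def find_affected(inventory: dict) -> list:
    """One finding per installed plugin that the advisory still covers."""
    findings = []
    for plugin in inventory.get("plugins", []):
        entry = ADVISORY.get(plugin["shortName"])
        if entry is None:
            continue  # plugin not named in this advisory
        last_affected, fixed = entry
        if is_affected(plugin["version"], last_affected):
            findings.append({
                "plugin": plugin["shortName"],
                "installed": plugin["version"],
                "active": plugin.get("active", True),
                "action": (f"update to {fixed}" if fixed
                           else "no fix available: disable plugin or apply compensating controls"),
            })
    return findings


# Constructed sample inventory; not output captured from any real server.
SAMPLE_INVENTORY = {
    "plugins": [
        {"shortName": "oidc-provider", "version": "96.vee8ed882ec4d", "active": True},
        {"shortName": "cloudbees-jenkins-advisor", "version": "374.376.v3a_41a_a_142efe", "active": True},
        {"shortName": "wso2id-oauth", "version": "1.0", "active": True},
        {"shortName": "git", "version": "5.2.2", "active": True},
    ]
}

if __name__ == "__main__":
    for f in find_affected(SAMPLE_INVENTORY):
        print(f"{f['plugin']} {f['installed']} (active={f['active']}): {f['action']}")
```

On the sample inventory the script reports the OpenID Connect Provider plugin as needing the update to 111.v29fd614b_3617 and the WSO2 Oauth plugin as unfixable, while the already-patched Health Advisor plugin and the unrelated git plugin pass. Plugins that are installed but inactive still appear in the output, since a disabled-but-present plugin can be re-enabled and should be removed rather than left in place.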

Implications for CI/CD Environments

These vulnerabilities underscore the critical importance of maintaining and securing Jenkins plugins, which are integral components of CI/CD pipelines. Unmaintained or poorly configured plugins can introduce significant security risks, potentially compromising the entire development and deployment process. The WSO2 Oauth flaw, in particular, highlights the dangers of inadequate authentication validation, which can lead to unauthorized access and control over Jenkins environments.

Recommendations for Jenkins Administrators

To safeguard CI/CD pipelines and maintain the integrity of development environments, Jenkins administrators should:

1. Regularly Update Plugins: Ensure that all Jenkins plugins are up to date with the latest security patches. Regularly check for updates and apply them promptly to mitigate known vulnerabilities.

2. Audit Plugin Usage: Review all installed plugins to identify any that are unmaintained or no longer necessary. Remove or replace such plugins to reduce the attack surface.

3. Implement Access Controls: Enforce strict access controls and permissions within Jenkins to limit the potential impact of compromised accounts or exploited vulnerabilities.

4. Monitor for Suspicious Activity: Continuously monitor Jenkins logs and activities for signs of unauthorized access or unusual behavior, which may indicate exploitation attempts.

5. Educate Development Teams: Provide training and resources to development teams on secure coding practices and the importance of maintaining a secure CI/CD environment.

By proactively addressing these vulnerabilities and implementing robust security measures, organizations can protect their CI/CD pipelines from potential attacks and ensure the safe and efficient delivery of software products.