The Jenkins project has issued a critical security advisory detailing vulnerabilities in five widely used plugins: Cadence vManager, DingTalk, Health Advisor by CloudBees, OpenID Connect Provider, and WSO2 Oauth.

WSO2 Oauth Plugin (CVE-2025-47889, CVSS: 9.8): Versions 1.0 and earlier fail to validate authentication claims, allowing unauthenticated attackers to log in with any username and password.

OpenID Connect Provider Plugin (CVE-2025-47884, CVSS: 9.1): A flaw in versions 96.vee8ed882ec4d and earlier allows attackers to manipulate build ID tokens by overriding environment variables, for example through plugins such as Environment Injector.

Health Advisor by CloudBees Plugin (CVE-2025-47885, CVSS: High): Versions 374.v194b_d4f0c8c8 and earlier are susceptible to stored cross-site scripting (XSS) because server responses are not escaped.

Cadence vManager Plugin (CVE-2025-47886, CVE-2025-47887, CVSS: Medium): Versions 4.0.1-286.v9e25a_740b_a_48 and earlier lack permission checks and are vulnerable to cross-site request forgery (CSRF).

The WSO2 Oauth flaw in particular highlights the dangers of lax authentication in security realms, while the OpenID Connect issue exposes the pitfalls of environment variable overrides in complex CI/CD setups.

Administrators should update the affected plugins: apply the latest patches for the Cadence vManager, Health Advisor by CloudBees, and OpenID Connect Provider plugins. For the DingTalk and WSO2 Oauth plugins, the Jenkins project has not provided fixes, citing their unmaintained status or other constraints.
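As an added example (not part of the advisory or the article), the following script checks a Jenkins plugin inventory against the "version X and earlier" thresholds listed above. It assumes the JSON shape of Jenkins' /pluginManager/api/json?depth=1 output (a `plugins` array with `longName` and `version` fields), and the sample inventory embedded below is constructed, not captured from a real controller.

```python
import json
import re

# Last affected version per plugin, taken from the advisory summary above.
# Matching is done on the plugin's display name (Jenkins `longName`).
AFFECTED = {
    "OpenID Connect Provider": ("96.vee8ed882ec4d", "CVE-2025-47884"),
    "WSO2 Oauth": ("1.0", "CVE-2025-47889"),
    "Health Advisor by CloudBees": ("374.v194b_d4f0c8c8", "CVE-2025-47885"),
    "Cadence vManager": ("4.0.1-286.v9e25a_740b_a_48", "CVE-2025-47886/47887"),
}

def version_key(version):
    """Ordered numeric prefix of a Jenkins plugin version.

    Incremental versions such as '374.v194b_d4f0c8c8' or '4.0.1-286.v9e25a_740b_a_48'
    carry ordered integers up to the 'v<git hash>' segment, which is not ordered,
    so only the leading dot/dash-separated integers are compared.
    """
    parts = []
    for seg in re.split(r"[.-]", version):
        if not seg.isdigit():
            break
        parts.append(int(seg))
    while len(parts) > 1 and parts[-1] == 0:  # treat '1.0' and '1' as equal
        parts.pop()
    return tuple(parts)

def is_affected(installed, last_affected):
    """True when the installed version is at or below the last affected version."""
    return version_key(installed) <= version_key(last_affected)

def audit(plugin_api_json):
    """Return (longName, version, CVE) for every installed plugin still in range."""
    findings = []
    for plugin in json.loads(plugin_api_json).get("plugins", []):
        name = plugin.get("longName", "")
        for display, (last_affected, cve) in AFFECTED.items():
            if display.lower() in name.lower() and is_affected(plugin["version"], last_affected):
                findings.append((name, plugin["version"], cve))
    return findings

# Constructed sample inventory; versions other than the advisory's are placeholders.
SAMPLE = json.dumps({"plugins": [
    {"longName": "OpenID Connect Provider Plugin", "version": "96.vee8ed882ec4d"},
    {"longName": "Health Advisor by CloudBees", "version": "375.vexample_fixed"},
    {"longName": "Cadence vManager Plugin", "version": "4.0.1-286.v9e25a_740b_a_48"},
    {"longName": "WSO2 Oauth Plugin", "version": "1.0"},
    {"longName": "Environment Injector Plugin", "version": "2.0"},
]})

if __name__ == "__main__":
    for name, version, cve in audit(SAMPLE):
        print(f"{name} {version}: affected by {cve}")
```

On a live controller, feed `audit()` the JSON fetched from the plugin manager API with an authenticated, read-only credential.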
This Cyber News was published on cybersecuritynews.com. Publication date: Fri, 16 May 2025 06:49:54 +0000