Incorrect permission check in GitLab Plugin allows enumerating credentials IDs
SECURITY-3260 / CVE-2025-24397
Severity (CVSS): Medium
Affected plugin: gitlab-plugin
Description:
GitLab Plugin 1.9.6 and earlier does not correctly perform a permission check in an HTTP endpoint.
This allows attackers with global Item/Configure permission (while lacking Item/Configure permission on any particular job) to enumerate credential IDs of GitLab API token credentials and Secret text credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.
An enumeration of credential IDs in GitLab Plugin 1.9.7 requires Overall/Administer permission.
Bitbucket Server Integration Plugin allows bypassing CSRF protection for any URL
SECURITY-3434 / CVE-2025-24398
Severity (CVSS): High
Affected plugin: atlassian-bitbucket-server-integration
Description:
An extension point in Jenkins allows selectively disabling cross-site request forgery (CSRF) protection for specific URLs. Bitbucket Server Integration Plugin implements this extension point to support OAuth 1.0 authentication.
In Bitbucket Server Integration Plugin 2.1.0 through 4.1.3 (both inclusive) this implementation is too permissive, allowing attackers to craft URLs that would bypass the CSRF protection of any target URL.
Bitbucket Server Integration Plugin 4.1.4 restricts the URLs for which it disables cross-site request forgery (CSRF) protection to the URLs that need it.
Improper handling of case sensitivity in OpenId Connect Authentication Plugin
SECURITY-3461 / CVE-2025-24399
Severity (CVSS): High
Affected plugin: oic-auth
Description:
OpenId Connect Authentication Plugin 4.452.v2849b_d3945fa_ and earlier, except 4.438.440.v3f5f201de5dc, treats usernames as case-insensitive.
On a Jenkins instance configured with a case-sensitive OpenID Connect provider, this allows attackers to log in as any user by providing a username that differs only in letter case, potentially gaining administrator access to Jenkins.
OpenId Connect Authentication Plugin 4.453.v4d7765c854f4 introduces an advanced configuration option to manage username case sensitivity; the option defaults to case-sensitive.
Note that upgrading an existing instance to the fixed version does not change its current behavior from case-insensitive to case-sensitive. To enable case sensitivity after upgrading, it must be explicitly configured in the plugin settings.
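The following is an added illustration of the mapping problem described above; it is not code from the OpenId Connect Authentication Plugin. It models a Jenkins user database keyed by exact user id (hypothetical `Realm` and `JenkinsUser` types) and shows how a provider account that differs only in letter case from an existing administrator lands on that administrator's Jenkins account when usernames are folded, and on a fresh unprivileged account when they are not.

```python
from dataclasses import dataclass, field


@dataclass
class JenkinsUser:
    user_id: str
    admin: bool = False


@dataclass
class Realm:
    # Hypothetical in-memory user database; Jenkins keys users by their exact id.
    users: dict = field(default_factory=dict)
    username_case_sensitive: bool = True

    def resolve(self, provider_username):
        """Map the provider's username claim to an existing Jenkins user, or None."""
        exact = self.users.get(provider_username)
        if exact is not None or self.username_case_sensitive:
            return exact
        # Case-insensitive mode is only appropriate when the provider itself
        # treats usernames as case-insensitive; even then, demand a unique match.
        folded = provider_username.casefold()
        matches = [u for uid, u in self.users.items() if uid.casefold() == folded]
        return matches[0] if len(matches) == 1 else None

    def login(self, provider_username):
        """Return the Jenkins user a successful provider login lands on,
        creating an unprivileged user when no existing account matches."""
        user = self.resolve(provider_username)
        if user is None:
            user = JenkinsUser(provider_username)
            self.users[provider_username] = user
        return user


def demo():
    """Constructed scenario: the provider distinguishes "admin" from "Admin"
    and has issued the attacker the account "Admin"."""
    insecure = Realm(username_case_sensitive=False)
    insecure.users["admin"] = JenkinsUser("admin", admin=True)
    secure = Realm(username_case_sensitive=True)
    secure.users["admin"] = JenkinsUser("admin", admin=True)
    # Whether the attacker's login is an administrator in each configuration.
    return insecure.login("Admin").admin, secure.login("Admin").admin


if __name__ == "__main__":
    print(demo())
```

The case-insensitive branch keeps an exact-match-first rule and refuses ambiguous matches, which is the minimum a deliberately case-insensitive realm should do; it still cannot protect an instance whose provider is case-sensitive, which is why the option has to be set to match the provider.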
Tokens stored in plain text by Zoom Plugin
SECURITY-3292 (1) / CVE-2025-0142
Severity (CVSS): Medium
Affected plugin: zoom
Description:
Zoom Plugin 1.3 and earlier stores Zoom integration tokens unencrypted in job config.xml files on the Jenkins controller as part of its configuration.
These tokens can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
Zoom Plugin 1.4 stores Zoom integration tokens encrypted once job configurations are saved again.
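A check a practitioner would want after reading this: find job configurations that still carry an unencrypted token. The scanner below is an added example, not part of the advisory or the Zoom plugin. It relies on the fact that Jenkins serialises `hudson.util.Secret` values as base64 wrapped in braces, so a credential-looking element whose value is not in that form is stored in plain text. The element names it matches on (`token`, `secret`, `password`, `apikey`) and the sample config.xml are assumptions; the advisory does not name the plugin's actual element.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Jenkins writes an encrypted Secret as base64 inside braces, e.g. "{AQAAABAAAAAQ...}".
ENCRYPTED_SECRET = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")
# Element names that commonly hold a credential. The advisory does not give the
# Zoom plugin's element name, so matching on "token" here is an assumption.
SUSPECT_NAMES = re.compile(r"token|secret|password|apikey", re.IGNORECASE)


def find_plaintext_secrets(xml_text):
    """Return (element name, value) pairs for suspect fields stored unencrypted."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        name = elem.tag.rsplit("}", 1)[-1]  # strip a namespace prefix if present
        value = (elem.text or "").strip()
        if value and SUSPECT_NAMES.search(name) and not ENCRYPTED_SECRET.match(value):
            findings.append((name, value))
    return findings


def scan_jobs(jenkins_home):
    """Scan every job config.xml under JENKINS_HOME (folder jobs nest under jobs/)."""
    results = {}
    for cfg in sorted(Path(jenkins_home).glob("jobs/**/config.xml")):
        hits = find_plaintext_secrets(cfg.read_text(encoding="utf-8"))
        if hits:
            results[str(cfg)] = hits
    return results


# Constructed sample job configuration: one plaintext token, one encrypted one.
SAMPLE_CONFIG = """<project>
  <publishers>
    <com.example.ZoomBuildNotifier plugin="zoom@1.3">
      <webhookUrl>https://hooks.example.invalid/notify</webhookUrl>
      <authToken>s3cr3t-plaintext-token</authToken>
    </com.example.ZoomBuildNotifier>
    <com.example.OtherNotifier>
      <apiToken>{AQAAABAAAAAQ3cc7kZ1xhZ0hZ2qY8c7mN1dN2ZTk5=}</apiToken>
    </com.example.OtherNotifier>
  </publishers>
</project>
"""

if __name__ == "__main__":
    for name, value in find_plaintext_secrets(SAMPLE_CONFIG):
        print(f"plaintext secret in <{name}>: {value[:4]}...")
```

Run `scan_jobs("/var/lib/jenkins")` (or wherever JENKINS_HOME is) on the controller. Because the fixed plugin only encrypts a token once the job is saved again, jobs that are never re-saved keep the plaintext value, and any copy already taken by backups or configuration-history plugins keeps it regardless; treat a token found this way as exposed and rotate it rather than only re-saving the job.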
Tokens displayed without masking by Zoom Plugin
SECURITY-3292 (2) / CVE pending
Severity (CVSS): Low
Affected plugin: zoom
Description:
Zoom Plugin requires Zoom integration tokens for Zoom Build Notifier post-build actions.
In Zoom Plugin 1.5 and earlier the job configuration form does not mask these tokens, increasing the potential for attackers to observe and capture them.
Zoom Plugin 1.6 masks Zoom integration tokens displayed on the job configuration form.
Cache confusion in Eiffel Broadcaster Plugin
SECURITY-3485 / CVE-2025-24400
Severity (CVSS): Medium
Affected plugin: eiffel-broadcaster
Description:
Eiffel Broadcaster Plugin allows events published to RabbitMQ to be signed using certificate credentials. To improve performance, the plugin caches some data from the credential.
Eiffel Broadcaster Plugin 2.8.0 through 2.10.2 (both inclusive) uses the credential ID as the cache key. This allows attackers able to create a credential with the same ID as a legitimate one in a different credentials store to sign an event published to RabbitMQ with the legitimate certificate credentials.
Signing is disabled by default; only instances explicitly configured to enable it are affected.
Eiffel Broadcaster Plugin 2.10.3 removes the cache.
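The following is an added illustration of the cache confusion described above; it is not the Eiffel Broadcaster plugin's code. It uses an HMAC over the event as a stand-in for the certificate signature, and hypothetical store names (`system`, `folder:attacker`). Once a legitimate signing has primed a cache keyed only by credential ID, a credential with the same ID from another store is served the legitimate key material; a cache keyed by store and ID is not confused (the actual fix in 2.10.3 removes the cache altogether, which also works).

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class CertCredential:
    store: str            # hypothetical store names, e.g. "system" or "folder:attacker"
    credential_id: str
    key_material: bytes   # stand-in for the certificate's private key


class IdKeyedCache:
    """Vulnerable shape: the cache key is the credential ID alone."""

    def __init__(self):
        self._entries = {}

    def key_for(self, cred):
        return self._entries.setdefault(cred.credential_id, cred.key_material)


class StoreScopedCache:
    """Safer shape: the key identifies the credential uniquely (store plus ID)."""

    def __init__(self):
        self._entries = {}

    def key_for(self, cred):
        return self._entries.setdefault((cred.store, cred.credential_id), cred.key_material)


def sign_event(cache, cred, event):
    """HMAC-SHA256 stands in for the certificate signature the plugin produces."""
    return hmac.new(cache.key_for(cred), event, hashlib.sha256).hexdigest()


def verify_event(key_material, event, signature):
    expected = hmac.new(key_material, event, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature)


# Constructed credentials: same ID, different stores, different keys.
LEGIT = CertCredential("system", "eiffel-signing", b"legitimate-private-key")
ATTACKER = CertCredential("folder:attacker", "eiffel-signing", b"attacker-private-key")


def attacker_signature_verifies_as_legit(cache):
    """True when an event signed with the attacker's credential verifies under
    the legitimate key, i.e. the cache handed the attacker the wrong key."""
    sign_event(cache, LEGIT, b"legitimate event")      # legitimate use primes the cache
    forged = sign_event(cache, ATTACKER, b"attacker event")
    return verify_event(LEGIT.key_material, b"attacker event", forged)


if __name__ == "__main__":
    print("id-keyed cache confused:", attacker_signature_verifies_as_legit(IdKeyedCache()))
    print("store-scoped cache confused:", attacker_signature_verifies_as_legit(StoreScopedCache()))
```

The reverse ordering is just as bad: if the attacker's credential primes the ID-keyed cache first, later legitimate events are silently signed with the attacker's key. Any cache in front of a credentials lookup needs a key that captures everything the lookup itself depends on, which for Jenkins includes the store (and therefore the folder and its permissions), not just the user-chosen ID.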
Disabled permissions can be granted by Folder-based Authorization Strategy Plugin
SECURITY-3062 / CVE-2025-24401
Severity (CVSS): Medium
Affected plugin: folder-auth
Description:
Folder-based Authorization Strategy Plugin 217.vd5b_18537403e and earlier does not verify that permissions configured to be granted are enabled. This may allow users who were granted a permission that has since been disabled (typically an optional permission, like Overall/Manage) to access functionality they are no longer entitled to.
As of publication of this advisory, there is no fix. Learn why we announce this.
CSRF vulnerability and missing permission checks in Azure Service Fabric Plugin
SECURITY-3094 / CVE-2025-24402 (CSRF), CVE-2025-24403 (missing permission check)
Severity (CVSS): Medium
Affected plugin: service-fabric
Description:
Azure Service Fabric Plugin 1.6 and earlier does not perform permission checks in several HTTP endpoints.
This allows attackers with Overall/Read permission to enumerate credentials IDs of Azure credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.
Additionally, those HTTP endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability, allowing attackers to connect to a previously configured Service Fabric URL using attacker-specified credentials IDs.
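Both this advisory and the GitLab Plugin one above come down to the same two checks on a form-validation endpoint: the request must be a POST, and the permission must be checked in the right context (the job when there is one, Overall/Administer when there is not). The model below is an added example, not code from either plugin; the permission notation (`Item/Configure@job-a` for a grant on job-a, a bare `Item/Configure` for a global grant), the `Request` type and the sample credential IDs are this example's own assumptions.

```python
from dataclasses import dataclass

CREDENTIAL_IDS = ["azure-sp-prod", "azure-sp-staging"]  # constructed sample store


@dataclass(frozen=True)
class Request:
    method: str
    permissions: frozenset = frozenset()  # e.g. {"Overall/Read", "Item/Configure@job-a"}


class MethodNotAllowed(Exception):
    """Stands in for the 405 that a POST-only endpoint returns to a GET."""


def fill_credentials_vulnerable(request, item=None):
    """Vulnerable shape: any method, any caller, full list of IDs."""
    return list(CREDENTIAL_IDS)


def fill_credentials_fixed(request, item=None):
    """Hardened shape: require POST, then check a permission in context."""
    if request.method != "POST":
        # A GET that changes or reveals state is reachable cross-site (CSRF).
        raise MethodNotAllowed("form validation endpoints must require POST")
    # With a job in context the caller needs Item/Configure on that job; with
    # no job in context (a global configuration page) only an administrator
    # should see the list. A global Item/Configure grant alone is not enough,
    # which matches the GitLab Plugin fix requiring Overall/Administer there.
    required = f"Item/Configure@{item}" if item is not None else "Overall/Administer"
    if required not in request.permissions:
        # Reveal nothing, but keep the form usable: Jenkins endpoints return an
        # empty list (or just the currently configured value), not an error.
        return []
    return list(CREDENTIAL_IDS)


def outcome(handler, request, item=None):
    """Run a handler and report what the caller gets back."""
    try:
        return handler(request, item)
    except MethodNotAllowed:
        return "rejected"


if __name__ == "__main__":
    reader_get = Request("GET", frozenset({"Overall/Read"}))
    print("vulnerable, GET by Overall/Read:", outcome(fill_credentials_vulnerable, reader_get))
    print("fixed, GET by Overall/Read:", outcome(fill_credentials_fixed, reader_get))
    print("fixed, POST by Overall/Read:", outcome(fill_credentials_fixed, Request("POST", frozenset({"Overall/Read"})), "job-a"))
    print("fixed, POST by job configurer:", outcome(fill_credentials_fixed, Request("POST", frozenset({"Item/Configure@job-a"})), "job-a"))
```

The POST requirement is what closes the CSRF half (CVE-2025-24402); the contextual permission check is what closes the enumeration half (CVE-2025-24403 and the GitLab Plugin issue). Either one alone leaves a usable primitive: without the permission check a POST can still be driven by any logged-in user, and without the POST requirement a correctly permissioned endpoint can still be triggered from a page the victim visits.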
As of publication of this advisory, there is no fix. Learn why we announce this.