CVE-2025-47884

Published May 14, 2025

Last updated 15 days ago

CVSS critical 9.1

Overview

Description
In Jenkins OpenID Connect Provider Plugin 96.vee8ed882ec4d and earlier the generation of build ID Tokens uses potentially overridden values of environment variables, in conjunction with certain other plugins allowing attackers able to configure jobs to craft a build ID Token that impersonates a trusted job, potentially gaining unauthorized access to external services.
Source
jenkinsci-cert@googlegroups.com
NVD status
Analyzed

Risk scores

CVSS 3.1

Type
Secondary
Base score
9.1
Impact score
5.3
Exploitability score
3.1
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:L
Severity
CRITICAL

Weaknesses

134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE-284

Social media

Hype score
Not currently trending

  1. CVE-2025-47884, -885, -889: Multiple vulns in Jenkins, 8.8 - 9.8 rating 🔥 Three vulns in Jenkins that were recently disclosed: Improper Access Control, XSS, Auth Bypass. Search at https://t.co/hv7QKSqxTR: 👉 Link: https://t.co/dXbP5zsWx8 #cybersecurity #vulnerability_map

    @Netlas_io

    17 May 2025

    759 Impressions

    6 Retweets

    13 Likes

    3 Bookmarks

    0 Replies

    0 Quotes

  2. CVE-2025-47884, -885, -889: Multiple vulns s in Jenkins, 8.8 - 9.8 rating 🔥 Three vulns in Jenkins that were recently disclosed: Improper Access Control, XSS, Auth Bypass. Search at https://t.co/hv7QKSqxTR: 👉 Link: https://t.co/dXbP5zsWx8 #cybersecurity #vulnerability_ma

    @Netlas_io

    17 May 2025

    36 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  3. ⚡️The vulnerability details are now available: https://t.co/TBdJTFdQ03 🚨🚨Jenkins Plugin Flaws Expose Critical Risks CVE-2025-47889: Authentication Bypass in WSO2 Oauth Plugin (CVSS 9.8) CVE-2025-47884: Build Token Impersonation via OpenID Connect Provider Plugin (CVSS

    @zoomeye_team

    16 May 2025

    692 Impressions

    4 Retweets

    7 Likes

    4 Bookmarks

    0 Replies

    0 Quotes

  4. CVE-2025-47884 In Jenkins OpenID Connect Provider Plugin 96.vee8ed882ec4d and earlier the generation of build ID Tokens uses potentially overridden values of environment variables, … https://t.co/Dx0GnJMyMB

    @CVEnew

    14 May 2025

    190 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

References

Sources include official advisories and independent security research.