CVE-2025-64132

Published Oct 29, 2025

Last updated 5 days ago

CVSS medium 5.4
Jenkins MCP Server Plugin

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-64132 affects the Jenkins MCP Server Plugin. Versions 0.84.v50ca_24ef83f2 and earlier do not perform permission checks in multiple MCP tools, allowing attackers to trigger builds and obtain job and cloud configuration information they should not have access to. Specifically, an attacker with Item/Read permission can access SCM information without Item/Extended Read permission and trigger new builds without Item/Build permission; attackers without Overall/Read permission can retrieve cloud configuration names. To mitigate this vulnerability, update to MCP Server Plugin version 0.86.v7d3355e6aa18, which adds the proper permission checks to the affected MCP tools.

Description

Jenkins MCP Server Plugin 0.84.v50ca_24ef83f2 and earlier does not perform permission checks in multiple MCP tools, allowing attackers to trigger builds and obtain information about job and cloud configuration they should not be able to access.

Source: jenkinsci-cert@googlegroups.com
NVD status: Awaiting Analysis

Risk scores

CVSS 3.1

Type: Secondary
Base score: 5.4
Impact score: 2.5
Exploitability score: 2.8
Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Severity: MEDIUM

Weaknesses

134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE-862
