CVE-2025-13472
📋 TL;DR
The BlazeMeter Jenkins Plugin before version 4.27 had a missing authorization vulnerability that allowed any user to view sensitive resource lists in dropdown menus. This exposed credential IDs, BlazeMeter workspace names, and project IDs to unauthorized users. Organizations using Jenkins with the vulnerable BlazeMeter plugin are affected.
💻 Affected Systems
- BlazeMeter Jenkins Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine whether your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges were provided by the vendor or NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could enumerate all available credentials and BlazeMeter resources, potentially leading to credential theft, unauthorized access to BlazeMeter projects, and lateral movement within the testing infrastructure.
Likely Case
Unauthorized users can discover sensitive resource identifiers and credential names, enabling reconnaissance for further attacks and exposing organizational testing infrastructure details.
If Mitigated
With proper authorization controls, only authorized users can view resource lists, limiting exposure to legitimate administrators and users with appropriate permissions.
🎯 Exploit Status
Exploitation requires access to Jenkins UI. The vulnerability is information disclosure through UI elements rather than direct code execution.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.27
Vendor Advisory: https://portal.perforce.com/s/cve/a91Qi000002bFgTIAU/missing-authorization-in-blazemeter-jenkins-plugin
Restart Required: Yes
Instructions:
1. Access the Jenkins plugin manager.
2. Check for updates to the BlazeMeter plugin.
3. Update to version 4.27 or later.
4. Restart Jenkins to apply the changes.
🔧 Temporary Workarounds
Restrict Jenkins Access
Limit Jenkins UI access to authorized users only through network controls and authentication.
Remove Vulnerable Plugin
Temporarily remove the BlazeMeter plugin if it is not essential for operations.
Manage Jenkins > Plugin Manager > Installed > BlazeMeter > Uninstall
🧯 If You Can't Patch
- Implement strict access controls to Jenkins UI, allowing only authorized administrators
- Monitor Jenkins access logs for unauthorized attempts to access BlazeMeter plugin pages
🔍 How to Verify
Check if Vulnerable:
Open the Jenkins plugin manager and check the BlazeMeter plugin version. If the version is below 4.27, the system is vulnerable.
Check Version:
Manage Jenkins > Plugin Manager > Installed > Search 'BlazeMeter'
Verify Fix Applied:
After updating to 4.27, verify that only users with appropriate permissions can see BlazeMeter resource dropdowns in the Jenkins UI.
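The plugin-manager check above can be scripted against the JSON that Jenkins serves at /pluginManager/api/json?depth=1 (an administrator credential is needed to read it). The following is an added example, not code from the advisory or from the BlazeMeter plugin project: it parses a constructed copy of that JSON, locates the BlazeMeter entry and compares its version with the 4.27 fix version. The plugin's shortName in the sample is an assumption, so the lookup matches on both shortName and longName.

```python
import json
import re

FIXED_VERSION = "4.27"  # first fixed release named in the advisory

# Constructed sample of the JSON that Jenkins returns from
# /pluginManager/api/json?depth=1 (real field names; the BlazeMeter plugin's
# shortName below is an assumption, which is why matching is done on both
# shortName and longName, case-insensitively).
SAMPLE_PLUGIN_MANAGER_JSON = """
{"plugins": [
  {"shortName": "git", "longName": "Jenkins Git plugin",
   "version": "5.2.1", "active": true, "enabled": true},
  {"shortName": "BlazeMeterJenkinsPlugin", "longName": "BlazeMeter",
   "version": "4.26", "active": true, "enabled": true}
]}
"""


def parse_version(version):
    """Reduce a plugin version string to a tuple of ints for comparison.

    Handles '4.26', '4.27.1' and suffixed builds such as '4.27-SNAPSHOT'
    (the suffix is ignored, so a pre-release build of 4.27 is treated as
    fixed; confirm such builds manually).
    """
    match = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in match.group(0).split("."))


def is_vulnerable(version, fixed=FIXED_VERSION):
    """True when the installed version sorts strictly before the fixed one."""
    return parse_version(version) < parse_version(fixed)


def find_blazemeter_plugin(plugin_manager_json):
    """Return the BlazeMeter plugin entry from the plugin-manager JSON, or None."""
    data = json.loads(plugin_manager_json)
    for plugin in data.get("plugins", []):
        names = (plugin.get("shortName", "") + " " + plugin.get("longName", "")).lower()
        if "blazemeter" in names:
            return plugin
    return None


def assess(plugin_manager_json):
    """Summarise whether this Jenkins instance is exposed to CVE-2025-13472."""
    plugin = find_blazemeter_plugin(plugin_manager_json)
    if plugin is None:
        return {"installed": False, "version": None, "vulnerable": False}
    version = plugin["version"]
    return {
        "installed": True,
        "version": version,
        "enabled": bool(plugin.get("enabled", True)),
        "vulnerable": is_vulnerable(version),
    }


if __name__ == "__main__":
    # On a live instance, replace the constant with the body of
    # GET https://<jenkins>/pluginManager/api/json?depth=1
    print(assess(SAMPLE_PLUGIN_MANAGER_JSON))
```

Feed it the real response (for example via curl with an API token) and treat "vulnerable": True as the signal to follow the update steps above; a plugin that is installed but disabled still warrants the update, since re-enabling it restores the exposure.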
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to BlazeMeter plugin pages
- Multiple requests to BlazeMeter API endpoints from unprivileged users
Network Indicators:
- Unusual traffic patterns to Jenkins UI from unauthorized IPs
SIEM Query:
source="jenkins.log" AND ("BlazeMeter" OR "bzm") AND user!="admin"
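The SIEM query above is only as good as the log source behind it: jenkins.log does not attribute every request to a user by default, so the user field usually has to come from a reverse-proxy or audit log. As an added example (not part of the advisory), the script below runs the same filter over constructed log lines in an assumed key=value format, and then goes one step further than the query by counting, per non-admin user, requests to the Jenkins descriptor "fill...Items" endpoints that populate dropdowns, which is the traffic pattern the "multiple requests from unprivileged users" indicator describes. The descriptor class name in the sample is a placeholder.

```python
import re
from collections import Counter

# Constructed sample log lines. The format (timestamp, user, method, path,
# status) is assumed: a reverse-proxy or audit log that records the
# authenticated user. Adapt LINE_RE to whatever your source actually
# records. "example.BlazeMeterBuilder" is a placeholder descriptor name.
SAMPLE_LOG = """\
2025-11-20T10:00:01Z user=admin method=GET path=/manage status=200
2025-11-20T10:00:05Z user=bob method=GET path=/job/perf/configure status=200
2025-11-20T10:00:06Z user=bob method=POST path=/descriptorByName/example.BlazeMeterBuilder/fillCredentialsIdItems status=200
2025-11-20T10:00:07Z user=bob method=POST path=/descriptorByName/example.BlazeMeterBuilder/fillWorkspaceIdItems status=200
2025-11-20T10:00:08Z user=bob method=POST path=/descriptorByName/example.BlazeMeterBuilder/fillProjectIdItems status=200
2025-11-20T10:00:09Z user=carol method=GET path=/job/bzm-nightly/1/console status=200
2025-11-20T10:00:10Z user=admin method=POST path=/descriptorByName/example.BlazeMeterBuilder/fillCredentialsIdItems status=200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) method=(?P<method>\S+) "
    r"path=(?P<path>\S+) status=(?P<status>\d+)$"
)
KEYWORDS = ("blazemeter", "bzm")   # the terms the SIEM query uses
PRIVILEGED_USERS = {"admin"}       # replace with your real administrator set
# Jenkins populates dropdowns through descriptor fill...Items endpoints;
# a burst of them from one non-admin user is the pattern worth alerting on.
DROPDOWN_RE = re.compile(r"/descriptorByName/[^/]+/fill\w+Items$")


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it doesn't parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def matches_siem_query(event):
    """Python equivalent of: ("BlazeMeter" OR "bzm") AND user!="admin"."""
    path = event["path"].lower()
    return any(k in path for k in KEYWORDS) and event["user"] not in PRIVILEGED_USERS


def is_dropdown_fetch(event):
    """True for requests to a descriptor fill...Items (dropdown) endpoint."""
    return DROPDOWN_RE.search(event["path"]) is not None


def analyze(log_text, threshold=3):
    """Apply the SIEM filter, then flag non-admin users with a burst of dropdown fetches."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    siem_hits = [e for e in events if matches_siem_query(e)]
    per_user = Counter(e["user"] for e in siem_hits if is_dropdown_fetch(e))
    flagged = sorted(u for u, n in per_user.items() if n >= threshold)
    return {
        "siem_hits": siem_hits,
        "dropdown_fetches_per_user": dict(per_user),
        "flagged_users": flagged,
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    print(len(report["siem_hits"]), "raw query hits")
    print("dropdown fetches per user:", report["dropdown_fetches_per_user"])
    print("flagged users:", report["flagged_users"])
```

On the sample, the raw query matches four lines, one of which is only a job named "bzm-nightly", while the burst count flags bob alone. Two caveats carry over to the real query: user!="admin" excludes a single literal account name, so every other administrative account will match and belongs in the privileged set, and any user who legitimately edits a BlazeMeter build step will also trigger dropdown fetches, so tune the threshold to your environment rather than alerting on a single hit.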