CVE-2025-47884
📋 TL;DR
The OpenID Connect Provider Plugin lets a Jenkins build obtain an ID token that Jenkins itself signs. In affected versions, anyone who can configure a job can shape the claims of that job's build ID tokens so that they look like tokens issued to a different, trusted job. Because the token is still minted and signed by Jenkins, an external service that trusts Jenkins tokens (a cloud provider, an artifact registry, a deployment API) accepts it and grants whatever the impersonated job is allowed to do. Organizations running Jenkins with an affected version of the plugin are at risk.
💻 Affected Systems
- Jenkins OpenID Connect Provider Plugin, version 96.vee8ed882ec4d and earlier
📦 What is this software?
The OpenID Connect Provider Plugin turns a Jenkins controller into an OpenID Connect identity provider: each build can request a short-lived ID token signed by Jenkins, and external services verify that token against the Jenkins issuer instead of holding long-lived credentials inside the job. The claims in the token identify the build and job so that relying parties can decide what that job is allowed to do.
⚠️ Risk & Real-World Impact
Worst Case
Attackers obtain the full set of permissions that external services grant to the most privileged Jenkins job (for example a production deployment job), leading to data breaches, service compromise, or lateral movement into the connected cloud accounts and registries.
Likely Case
Unauthorized access to whichever external services accept tokens from the impersonated job, allowing data exfiltration or unauthorized actions such as pushing artifacts or triggering deployments.
If Mitigated
Impact is limited mainly by how tightly job configuration is controlled and by how few services trust Jenkins-issued tokens. Token validation at the relying party does not by itself stop this attack: the impersonating token is genuinely signed by Jenkins and carries the trusted job's claims, so issuer, audience, signature and expiry checks all pass. Short token lifetimes and narrow per-service audiences only reduce the window and the blast radius.
🎯 Exploit Status
Requires the ability to configure a job (Job/Configure) on a Jenkins instance running an affected version of the plugin. No public exploit code was known at advisory publication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: the fixed release named in the vendor advisory (96.vee8ed882ec4d and every earlier release are affected)
Vendor Advisory: https://www.jenkins.io/security/advisory/2025-05-14/#SECURITY-3574
Restart Required: Yes
Instructions:
1. Update the OpenID Connect Provider Plugin to the fixed release via Manage Jenkins > Manage Plugins (Plugin Manager).
2. Restart the Jenkins controller so that the new plugin version is loaded.
3. Confirm on the Installed tab that the listed version is newer than 96.vee8ed882ec4d.
🔧 Temporary Workarounds
Restrict Job Configuration
Limit who can configure jobs to trusted administrators until the plugin is updated.
Configure the Jenkins authorization matrix (Manage Jenkins > Security) to remove Job/Configure from untrusted users and groups, including project- or folder-level entries if project-based matrix authorization is enabled.
Disable Plugin
Temporarily disable the OpenID Connect Provider Plugin if no build depends on it.
Navigate to Manage Jenkins > Manage Plugins > Installed tab and disable the OpenID Connect Provider Plugin. With the plugin disabled Jenkins issues no build ID tokens at all, so any pipeline that authenticates to an external service with such a token will fail until the plugin is re-enabled on a fixed version.
🧯 If You Can't Patch
- Restrict Job/Configure to trusted administrators and review who currently holds it
- Inventory the external services configured to trust the Jenkins issuer, reduce that list where possible, and review their authentication logs for Jenkins-issued tokens whose job identity does not match a build that was actually running
🔍 How to Verify
Check if Vulnerable:
Check the plugin version in Jenkins: Manage Jenkins > Manage Plugins > Installed tab > OpenID Connect Provider Plugin. If the version is 96.vee8ed882ec4d or earlier, the instance is vulnerable.
Check Version:
curl -s -u ADMIN_USER:API_TOKEN 'http://jenkins-host/pluginManager/api/json?depth=1' | jq '.plugins[] | select(.shortName == "oidc-provider") | {longName, version, enabled}'
Verify Fix Applied:
Verify that the plugin version shown in the Installed Plugins list is newer than 96.vee8ed882ec4d and that the controller has been restarted since the update.
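The following script is an added example, not code from the advisory or from the plugin project. It applies the version check above to the JSON that the Plugin Manager API returns: Jenkins incremental versions have the form `<commit count>.v<hash>`, so the numeric prefix orders releases and anything at or below 96 is affected. The plugin short name `oidc-provider`, the Jenkins URL and the credentials are assumptions; the embedded sample responses are constructed, and `100.v0123456789ab` is a made-up newer version used only to exercise the fixed branch.

```python
import base64
import json
import re
import sys
import urllib.request

# From the advisory: this release and every earlier one are affected.
LAST_AFFECTED = "96.vee8ed882ec4d"
# Assumption: the plugin's short name as reported by /pluginManager/api/json.
PLUGIN_ID = "oidc-provider"

# Jenkins incremental versions look like "96.vee8ed882ec4d": a commit count, ".v", a hash.
_INCREMENTAL = re.compile(r"^(\d+)\.v[0-9a-f_]+$")


def version_prefix(version):
    """Numeric prefix of an incremental version, or None if the string is not in that form."""
    m = _INCREMENTAL.match(version)
    return int(m.group(1)) if m else None


def is_affected(version):
    """True if affected, False if newer than the last affected release, None if unparseable."""
    n = version_prefix(version)
    if n is None:
        return None
    return n <= version_prefix(LAST_AFFECTED)


def assess(plugin_manager_json):
    """Summarise the plugin's state from the output of /pluginManager/api/json?depth=1."""
    for plugin in plugin_manager_json.get("plugins", []):
        if plugin.get("shortName") != PLUGIN_ID:
            continue
        version = plugin.get("version", "")
        status = {True: "affected", False: "fixed", None: "unknown version format"}[is_affected(version)]
        if not plugin.get("enabled", True):   # "enabled" is reported by the Plugin Manager API
            status += " (plugin disabled)"
        return {"installed": True, "version": version, "status": status}
    return {"installed": False, "version": None, "status": "not installed"}


def fetch_plugin_manager(base_url, user, api_token):
    """Fetch the live plugin list. The Plugin Manager is admin-only, so use an administrative
    user's API token (assumed here to be passed on the command line)."""
    req = urllib.request.Request(base_url.rstrip("/") + "/pluginManager/api/json?depth=1")
    cred = base64.b64encode(f"{user}:{api_token}".encode()).decode()
    req.add_header("Authorization", "Basic " + cred)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


# Constructed samples in the shape the API returns; the fixed version string is made up.
SAMPLE_AFFECTED = {"plugins": [{"shortName": "oidc-provider", "longName": "OpenID Connect Provider Plugin",
                                "version": "96.vee8ed882ec4d", "enabled": True}]}
SAMPLE_FIXED = {"plugins": [{"shortName": "oidc-provider", "longName": "OpenID Connect Provider Plugin",
                             "version": "100.v0123456789ab", "enabled": True}]}

if __name__ == "__main__":
    # usage: python check_oidc_provider.py https://jenkins-host admin API_TOKEN
    data = fetch_plugin_manager(*sys.argv[1:4]) if len(sys.argv) == 4 else SAMPLE_AFFECTED
    print(json.dumps(assess(data)))
```

Run it against the controller with an admin API token, or with no arguments to see the verdict for the constructed affected sample. A `None` from `is_affected` means the version string is not an incremental version and needs a manual look rather than a silent pass.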
📡 Detection & Monitoring
Log Indicators:
- Job configuration changes by users who do not normally maintain the job, particularly changes to the job's ID token settings (Jenkins core does not log these; the Audit Trail plugin records each /configSubmit with the acting user, and the Job Configuration History plugin keeps config.xml diffs)
- Builds of low-trust jobs that request ID tokens although they have no business authenticating to external services
- On the relying-party side, Jenkins-issued tokens whose job identity names a job that had no build running at that time
Network Indicators:
- Connections to services that trust Jenkins tokens coming from agents or builds that should never reach them
- Request volume or timing at those services that does not line up with the trusted job's build schedule
SIEM Query:
source="jenkins-audit.log" AND "/configSubmit" (Audit Trail plugin output; review the user and job for each hit). Jenkins' own jenkins.log does not record ID token issuance, so token misuse has to be found in the relying parties' authentication logs, filtered on the iss claim equal to the Jenkins issuer URL.
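The script below is an added example, not part of the advisory or of the plugin project, and it illustrates both the "If Mitigated" point above and the relying-party log indicator: a token that passes every standard check (issuer, audience, expiry, not-before) can still be an impersonating token, and the way to catch it is to correlate the job identity in the token with Jenkins build history, which an attacker with only Job/Configure on their own job cannot rewrite for other jobs. The issuer URL, audience, the claim name `job` used for job identity, and the token lifetimes are assumptions; the advisory does not state the plugin's default claim layout. Build data is in the shape of `/job/<name>/api/json?tree=builds[number,timestamp,duration]` (milliseconds there, converted to seconds here), and all events and builds are constructed.

```python
from dataclasses import dataclass

# Assumptions, none of them from the advisory: issuer URL configured in the plugin, the audience
# the relying party expects, and a hypothetical claim "job" that the service uses as job identity.
JENKINS_ISSUER = "https://jenkins.example.com/oidc"
EXPECTED_AUD = "deploy-api"
JOB_CLAIM = "job"
LEEWAY = 60     # seconds of clock skew tolerated on exp/nbf
GRACE = 300     # seconds a token may legitimately still be used after its build finished


def validate_standard_claims(claims, now):
    """Checks every relying party must do on an ID token whose signature has already been
    verified against the Jenkins JWKS. Returns None if the claims pass, else the reason."""
    if claims.get("iss") != JENKINS_ISSUER:
        return "wrong issuer"
    aud = claims.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    if EXPECTED_AUD not in aud:
        return "wrong audience"
    if claims.get("exp", 0) + LEEWAY < now:
        return "expired"
    if claims.get("nbf", 0) - LEEWAY > now:
        return "not yet valid"
    return None


@dataclass
class Build:
    job: str
    number: int
    start: int      # epoch seconds ("timestamp" in the Jenkins API is milliseconds)
    duration: int   # seconds ("duration" in the Jenkins API is milliseconds)


def build_running(builds, job, at):
    """True if the named job had a build in progress at `at`, allowing GRACE after it ended."""
    return any(b.job == job and b.start <= at <= b.start + b.duration + GRACE for b in builds)


def triage(events, builds):
    """Classify relying-party authentication events against Jenkins build history.
    A token that passes the standard checks but names a job with no build running at that
    moment is the fingerprint of an impersonating token minted by some other job."""
    verdicts = []
    for ev in events:
        reason = validate_standard_claims(ev["claims"], ev["ts"])
        if reason:
            verdicts.append((ev["id"], "rejected: " + reason))
            continue
        job = ev["claims"].get(JOB_CLAIM)
        if build_running(builds, job, ev["ts"]):
            verdicts.append((ev["id"], "ok"))
        else:
            verdicts.append((ev["id"], f"ALERT: token names {job} but no {job} build was running"))
    return verdicts


# Constructed sample data: prod-deploy #41 runs for 10 minutes from T0; untrusted-job #7 runs
# 15 minutes later. Event e2 is a token presented while only untrusted-job was running, yet it
# carries prod-deploy's identity: a relying party checking iss/aud/exp/nbf alone would accept it.
T0 = 1747200000
BUILDS = [Build("prod-deploy", 41, T0, 600), Build("untrusted-job", 7, T0 + 900, 300)]


def _claims(job, exp, nbf, aud=EXPECTED_AUD):
    return {"iss": JENKINS_ISSUER, "aud": aud, "exp": exp, "nbf": nbf, JOB_CLAIM: job}


EVENTS = [
    {"id": "e1", "ts": T0 + 120, "claims": _claims("prod-deploy", T0 + 3600, T0)},
    {"id": "e2", "ts": T0 + 950, "claims": _claims("prod-deploy", T0 + 4500, T0 + 900)},
    {"id": "e3", "ts": T0 + 100, "claims": _claims("prod-deploy", T0 - 10, T0 - 700)},
    {"id": "e4", "ts": T0 + 100, "claims": _claims("prod-deploy", T0 + 3600, T0, aud="other-api")},
]

if __name__ == "__main__":
    for event_id, verdict in triage(EVENTS, BUILDS):
        print(event_id, verdict)
```

Set GRACE to the token lifetime the plugin is configured to issue so that a legitimate token used just after its build completes is not flagged, and pull the build list from the Jenkins API rather than from anything the token itself asserts: the point of the correlation is that build history is the one source the impersonating job does not control.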