CVE-2025-47889

9.8 CRITICAL

📋 TL;DR

The Jenkins WSO2 Oauth Plugin 1.0 and earlier contains an authentication bypass vulnerability where the plugin accepts authentication claims without validation. This allows unauthenticated attackers to log into Jenkins controllers using any username and password combination, including non-existent usernames. Organizations using this plugin for authentication are affected.

💻 Affected Systems

Products:
  • Jenkins WSO2 Oauth Plugin
Versions: 1.0 and earlier
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Jenkins instances using the WSO2 Oauth security realm for authentication.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of Jenkins controller with administrative access, allowing code execution, data theft, and lateral movement within the network.

🟠 Likely Case

Unauthorized access to Jenkins jobs, sensitive credentials, and build artifacts, potentially leading to supply chain attacks.

🟢 If Mitigated

Limited impact if Jenkins is isolated, uses additional authentication layers, or has strict network controls.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Attack requires no authentication and minimal technical skill - simply sending any username/password to the affected endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.1

Vendor Advisory: https://www.jenkins.io/security/advisory/2025-05-14/#SECURITY-3481

Restart Required: Yes

Instructions:

1. Access Jenkins Update Center.
2. Update WSO2 Oauth Plugin to version 1.1 or later.
3. Restart Jenkins service.

🔧 Temporary Workarounds

Disable WSO2 Oauth Plugin

Applies to: all

Temporarily disable the vulnerable plugin until patching is possible

java -jar jenkins-cli.jar -s http://jenkins-url/ disable-plugin wso2-oauth

Switch Authentication Realm

Applies to: all

Change to a different authentication method in Jenkins security configuration

🧯 If You Can't Patch

  • Network isolate Jenkins instance and restrict access to trusted IPs only
  • Implement web application firewall rules to block authentication bypass attempts

🔍 How to Verify

Check if Vulnerable:

Check Jenkins plugin manager for WSO2 Oauth Plugin version 1.0 or earlier

Check Version:

java -jar jenkins-cli.jar -s http://jenkins-url/ list-plugins | grep wso2-oauth

Verify Fix Applied:

Verify plugin version is 1.1 or later in Jenkins plugin manager
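As an added check that is not part of this advisory, the following Python helper parses the output of the `jenkins-cli list-plugins` command quoted above and decides whether the installed WSO2 Oauth plugin is below the fixed 1.1 release. The sample output is constructed, and the line format `<shortName> (<Long Name>) <version>[ (<update>)]` is an assumption.

```python
import re
from typing import Optional

# Plugin short name as used in the advisory's CLI commands.
PLUGIN_SHORT_NAME = "wso2-oauth"
# First fixed release per the advisory: 1.1.
FIXED_VERSION = (1, 1)

# Constructed sample of `jenkins-cli list-plugins` output (format assumed).
SAMPLE_OUTPUT = """\
git (Jenkins Git plugin) 5.2.0
wso2-oauth (WSO2 Oauth Plugin) 1.0 (1.1)
matrix-auth (Matrix Authorization Strategy Plugin) 3.2.2
"""


def parse_version(text: str) -> tuple:
    """Turn '1.0', '1.1' or '1.0.1' into a comparable integer tuple.
    A suffix such as '-rc1' is dropped so '1.1-rc1' compares as 1.1."""
    nums = re.findall(r"\d+", text.split("-")[0])
    return tuple(int(n) for n in nums)


def installed_version(list_plugins_output: str,
                      short_name: str = PLUGIN_SHORT_NAME) -> Optional[str]:
    """Return the installed version string for short_name, or None if absent.
    The trailing '(<update>)' column, if present, is ignored."""
    pattern = re.compile(rf"^{re.escape(short_name)}\s+\(.*?\)\s+(\S+)", re.M)
    m = pattern.search(list_plugins_output)
    return m.group(1) if m else None


def is_vulnerable(list_plugins_output: str) -> bool:
    """True when the WSO2 Oauth plugin is installed at a version below 1.1.
    Any version below the fixed release (including e.g. 1.0.1) is treated as
    unpatched, matching the 'verify 1.1 or later' guidance above."""
    version = installed_version(list_plugins_output)
    if version is None:
        return False  # plugin not installed: the security realm cannot be in use
    return parse_version(version) < FIXED_VERSION
```

Feed it the real `list-plugins` output per controller; a `True` result means the plugin still needs updating (and Jenkins restarting).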

📡 Detection & Monitoring

Log Indicators:

  • Successful logins for usernames that do not exist in any configured user directory
  • Multiple successful logins from unexpected IPs

Network Indicators:

  • HTTP POST requests to /securityRealm/finishLogin with arbitrary credentials

SIEM Query:

source="jenkins.log" AND "WSO2 Oauth" AND "authenticated" AND NOT "validated"
