CVE-2025-58459
📋 TL;DR
The Jenkins global-build-stats plugin has a missing authorization vulnerability in its REST API endpoints. Attackers with Overall/Read permission can enumerate graph IDs, potentially exposing internal build statistics. This affects Jenkins instances using vulnerable versions of the global-build-stats plugin.
💻 Affected Systems
- Jenkins global-build-stats Plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could map internal Jenkins infrastructure, identify sensitive build patterns, and use this information for further attacks or reconnaissance.
Likely Case
Unauthorized users with read access can discover graph IDs and potentially infer information about build processes and project structures.
If Mitigated
With proper permission controls and network segmentation, impact is limited to information disclosure about graph identifiers.
🎯 Exploit Status
Exploitation requires authenticated access with Overall/Read permission; the attack consists of calling the affected REST endpoints directly.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Any version newer than 322.v22f4db_18e2dd
Vendor Advisory: https://www.jenkins.io/security/advisory/2025-09-03/#SECURITY-3535
Restart Required: No
Instructions:
1. Update the Jenkins global-build-stats plugin to the latest version.
2. Go to Manage Jenkins > Plugin Manager.
3. Check for updates and install the latest global-build-stats plugin.
4. No Jenkins restart is required for this plugin update.
🔧 Temporary Workarounds
Restrict Overall/Read Permissions
Limit Overall/Read permissions to trusted users only to reduce the attack surface.
Disable Global Build Stats Plugin
Temporarily disable the plugin if it is not essential for operations.
🧯 If You Can't Patch
- Implement strict network access controls to limit Jenkins access to trusted networks only.
- Review and minimize user accounts with Overall/Read permissions to essential personnel only.
🔍 How to Verify
Check if Vulnerable:
Check the Jenkins plugin manager for the global-build-stats plugin version. If the version is 322.v22f4db_18e2dd or earlier, the instance is vulnerable.
Check Version:
Navigate to Manage Jenkins > Plugin Manager and check global-build-stats plugin version.
Verify Fix Applied:
Verify in the plugin manager that the global-build-stats plugin version is newer than 322.v22f4db_18e2dd.
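The version check above can be scripted against the standard Jenkins plugin-manager JSON API (/pluginManager/api/json?depth=1, whose entries carry shortName and version fields). This is an added example, not part of the advisory or the plugin; the sample API response below is constructed, and the ordering rule it applies (compare only the leading numeric release components, ignore the ".v<hash>" suffix) is an assumption about how Jenkins plugin versions are laid out.

```python
import json
from typing import Optional, Tuple

# Last vulnerable release named in the advisory; anything newer is fixed.
LAST_VULNERABLE = "322.v22f4db_18e2dd"
PLUGIN_SHORT_NAME = "global-build-stats"


def numeric_prefix(version: str) -> Tuple[int, ...]:
    """Return the leading dotted integer components of a Jenkins plugin version.

    Versions such as "322.v22f4db_18e2dd" are an incrementing release number
    followed by a ".v<hash>" suffix that carries no ordering information, so
    only the digit-only components count. Legacy versions such as "1.5" are
    fully numeric and compare naturally (and are all older than 322).
    """
    parts = []
    for piece in version.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    if not parts:
        raise ValueError(f"unrecognised plugin version: {version!r}")
    return tuple(parts)


def is_vulnerable(version: str) -> bool:
    """True when the installed version is the last vulnerable release or older."""
    return numeric_prefix(version) <= numeric_prefix(LAST_VULNERABLE)


def assess(plugin_manager_json: str) -> Optional[bool]:
    """Inspect a /pluginManager/api/json?depth=1 response body.

    Returns True if a vulnerable global-build-stats is installed, False if the
    installed version is fixed, and None if the plugin is not installed at all.
    """
    for plugin in json.loads(plugin_manager_json).get("plugins", []):
        if plugin.get("shortName") == PLUGIN_SHORT_NAME:
            return is_vulnerable(plugin["version"])
    return None


# Constructed sample response (placeholder versions, not real releases); a live
# one comes from: curl -u user:apitoken https://JENKINS_URL/pluginManager/api/json?depth=1
SAMPLE_RESPONSE = json.dumps({"plugins": [
    {"shortName": "some-other-plugin", "version": "100.vexample0000", "active": True},
    {"shortName": "global-build-stats", "version": "322.v22f4db_18e2dd", "active": True},
]})

if __name__ == "__main__":
    print("vulnerable" if assess(SAMPLE_RESPONSE) else "not vulnerable")
```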
📡 Detection & Monitoring
Log Indicators:
- Unusual REST API calls to global-build-stats endpoints from users with only read permissions
- Multiple graph ID enumeration attempts
Network Indicators:
- HTTP requests to /global-build-stats/rest/ endpoints from unauthorized sources
SIEM Query:
source="jenkins.log" AND (uri_path="/global-build-stats/rest/" OR plugin="global-build-stats") AND user_permission="read" AND action="GET"