CVE-2025-58460

4.2 MEDIUM

📋 TL;DR

Jenkins OpenTelemetry Plugin 3.1543.v8446b_92b_cd64 and earlier exposes an HTTP endpoint that any user with Overall/Read permission can reach. The endpoint makes the Jenkins controller connect to an attacker-specified URL using an attacker-specified credentials ID, so a server the attacker controls receives the stored credential. The attacker must already know the credentials ID (obtained through some other means); every Jenkins instance running an affected plugin version is exposed.

💻 Affected Systems

Products:
  • Jenkins OpenTelemetry Plugin
Versions: 3.1543.v8446b_92b_cd64 and earlier
Operating Systems: All platforms running Jenkins
Default Config Vulnerable: ⚠️ Yes
Notes: Any controller with an affected plugin version installed and enabled is exposed. The attacker needs an account holding Overall/Read (or anonymous access, if the authorization strategy grants Overall/Read to anonymous) plus a valid credentials ID for the secret they want.

📦 What is this software?

The Jenkins OpenTelemetry Plugin instruments the controller and its pipelines and exports traces, metrics and logs over OTLP to the OpenTelemetry collector or observability backend configured in the plugin's global settings. The plugin therefore opens outbound connections from the controller to that configured endpoint as part of normal operation; treat that destination as the baseline when monitoring controller egress.

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker who knows or can guess the credentials IDs of high-value secrets pulls them out one by one through the controller, then uses them against the systems they unlock: lateral movement into build targets, source repositories and deployment environments, and exfiltration of whatever those systems hold.

🟠

Likely Case

A low-privileged Jenkins user captures the specific credentials whose IDs they already know (for example ones referenced in jobs they can see), gaining access to the downstream systems those credentials protect.

🟢

If Mitigated

Exposure stays limited when Overall/Read is held only by trusted users, the controller's outbound traffic is restricted to known destinations (so the attacker-specified URL cannot be reached), and credentials IDs are not guessable.

🌐 Internet-Facing: MEDIUM - The attacker still needs Overall/Read, but on an internet-facing controller any self-registered or low-privileged account meets that bar, and if Overall/Read is granted to anonymous the endpoint is reachable without a login.
🏢 Internal Only: MEDIUM - Any internal user or compromised internal account holding Overall/Read can exploit this, and the controller's outbound connection still reaches the attacker's host unless egress is filtered.

🎯 Exploit Status

Public PoC: No (none known)
Weaponized: UNKNOWN
Unauthenticated Exploit: No (an account with Overall/Read is required, unless the authorization strategy grants Overall/Read to anonymous)
Complexity: MEDIUM

The attacker needs Overall/Read permission, a valid credentials ID for the target secret obtained through other means, and a host the Jenkins controller can reach over the network. No further permissions are required for the endpoint itself.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: the fixed release named in the vendor advisory (SECURITY-3602). Take the exact version string from the advisory: Jenkins plugin versions such as 3.1543.v8446b_92b_cd64 end in a git commit prefix after the "v", so the fixed release is not simply the vulnerable version with its last digit incremented.

Vendor Advisory: https://www.jenkins.io/security/advisory/2025-09-03/#SECURITY-3602

Restart Required: Yes. An update to a plugin that is already loaded only takes effect after Jenkins restarts; until then the vulnerable version keeps running.

Instructions:

1. Navigate to Manage Jenkins > Plugins (labelled Manage Plugins in older Jenkins releases) and open the Updates tab.
2. Update OpenTelemetry Plugin to the fixed release named in the vendor advisory.
3. Restart Jenkins; the plugin manager offers "Restart Jenkins when installation is complete and no jobs are running". The updated plugin is not loaded until the restart completes.
4. After the restart, confirm the installed version on the Installed tab.

🔧 Temporary Workarounds

Restrict Overall/Read Permissions (all versions)

Limit Overall/Read permission to trusted users. Check the authorization strategy first: strategies that grant Overall/Read to anonymous or to every authenticated user leave every account (or, for anonymous read, any network peer) able to reach the endpoint, and self-registration makes "authenticated" a low bar.

Disable OpenTelemetry Plugin (all versions)

Disable the plugin from Manage Jenkins > Plugins > Installed if telemetry export is not essential; the change takes effect after a Jenkins restart. Re-enabling an unpatched plugin restores the exposure, so track it until the fixed release is installed.

🧯 If You Can't Patch

  • Restrict Overall/Read permission to essential users and verify that anonymous and newly registered accounts do not hold it.
  • Restrict outbound connections from the Jenkins controller to its known destinations (the configured OTLP collector, the update center, SCM hosts, an egress proxy). If the controller cannot reach the attacker-specified URL, the credential is not delivered.
  • Monitor for outbound connections from the controller to unfamiliar hosts, including attempts that are blocked.
  • If exploitation is suspected, rotate the credentials whose IDs the attacker could have known; the stolen secret is a copy, and patching does not revoke it.

🔍 How to Verify

Check if Vulnerable:

Check the OpenTelemetry Plugin version in the Jenkins plugin manager. If the version is 3.1543.v8446b_92b_cd64 or earlier and the plugin is enabled, the instance is vulnerable. Compare the numeric components (here 3 and 1543); the trailing v-suffix is a git commit prefix, not a counter.

Check Version:

Navigate to Manage Jenkins > Plugins (Manage Plugins in older releases) > Installed tab and filter for OpenTelemetry. The same information is available to automation through the plugin manager's remote API at /pluginManager/api/json?depth=1 under the plugin's short name, opentelemetry.

Verify Fix Applied:

Verify that the OpenTelemetry Plugin version shown in the plugin manager is at or above the fixed release named in the vendor advisory, and that Jenkins has been restarted since the update (the Installed tab flags plugins whose update is pending a restart).
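The version comparison above, automated against the plugin manager's remote API. This is an added example, not code from the Jenkins project or the advisory. It assumes the plugin's short name is opentelemetry, that the caller has a user name and API token with Overall/Read, and it reports only whether the installed release is at or below the last vulnerable version from the advisory; whether a newer release is the advisory's fixed one still has to be confirmed against the advisory. The sample response embedded at the bottom is constructed for offline use.

```python
"""Version check for CVE-2025-58460 against a Jenkins controller's plugin list.

Added example, not code from the Jenkins project or the advisory. Reads the
plugin manager's remote API (/pluginManager/api/json), locates the OpenTelemetry
Plugin by its short name and reports whether the installed release is at or
below the last vulnerable version named in the advisory.
"""
import json
import sys
import urllib.request
from base64 import b64encode

PLUGIN_SHORT_NAME = "opentelemetry"          # assumption: plugin ID shown by the plugin manager
LAST_VULNERABLE = "3.1543.v8446b_92b_cd64"   # last affected release, from the advisory


def parse_version(version):
    """Return the ordered numeric prefix of a Jenkins plugin version as a tuple.

    '3.1543.v8446b_92b_cd64' -> (3, 1543) and '2.0.0' -> (2, 0, 0). The trailing
    'v<hash>' component is a git commit prefix, not a counter, so it is dropped.
    """
    numbers = []
    for piece in version.split("."):
        if not piece.isdigit():
            break
        numbers.append(int(piece))
    if not numbers:
        raise ValueError(f"unrecognised plugin version: {version!r}")
    return tuple(numbers)


def is_vulnerable(installed):
    """True when the installed release is the last vulnerable one or older."""
    return parse_version(installed) <= parse_version(LAST_VULNERABLE)


def assess(plugin_manager_json):
    """Classify a /pluginManager/api/json document as (status, version).

    status is 'not-installed', 'disabled', 'vulnerable' or
    'newer-than-vulnerable'. A disabled plugin is not loaded after restart, so
    its endpoint is unreachable, but it becomes exposed again if re-enabled.
    'newer-than-vulnerable' only means later than 3.1543; confirm the release
    against the fixed version named in the advisory.
    """
    for plugin in plugin_manager_json.get("plugins", []):
        if plugin.get("shortName") != PLUGIN_SHORT_NAME:
            continue
        version = plugin["version"]
        if not plugin.get("enabled", True):
            return ("disabled", version)
        if is_vulnerable(version):
            return ("vulnerable", version)
        return ("newer-than-vulnerable", version)
    return ("not-installed", None)


def fetch_plugin_list(base_url, user, api_token):
    """Fetch the plugin list using HTTP basic auth with a Jenkins API token."""
    url = (base_url.rstrip("/")
           + "/pluginManager/api/json?tree=plugins[shortName,version,enabled]")
    request = urllib.request.Request(url)
    basic = b64encode(f"{user}:{api_token}".encode()).decode()
    request.add_header("Authorization", f"Basic {basic}")
    with urllib.request.urlopen(request, timeout=15) as response:
        return json.load(response)


# Constructed sample response for offline use; not output of a real controller.
SAMPLE_RESPONSE = {
    "plugins": [
        {"shortName": "git", "version": "5.0.0", "enabled": True},
        {"shortName": PLUGIN_SHORT_NAME, "version": LAST_VULNERABLE, "enabled": True},
    ]
}


if __name__ == "__main__":
    # Usage: python check_otel.py https://jenkins.example.com USER API_TOKEN
    # Without arguments the constructed sample is assessed instead.
    data = fetch_plugin_list(*sys.argv[1:4]) if len(sys.argv) == 4 else SAMPLE_RESPONSE
    status, version = assess(data)
    print(f"{PLUGIN_SHORT_NAME}: {status} (installed: {version})")
```

Run it against each controller in the fleet with a read-only service account; a result of "vulnerable" or "disabled" on an unpatched version both belong on the remediation list, since a disabled plugin is one click from being exposed again.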

📡 Detection & Monitoring

Log Indicators:

  • Requests to OpenTelemetry Plugin URLs from accounts that have no reason to touch plugin configuration. This needs the controller's HTTP access log, which Jenkins (Winstone) does not enable by default.
  • Do not expect authentication failures or "unauthorized" errors: an exploiting request is made by an authenticated user and the endpoint performs no further check, so successful exploitation leaves no error in the Jenkins log.

Network Indicators:

  • Outbound connections from the Jenkins controller to destinations other than its known egress set (the configured OTLP collector, the update center, SCM hosts, an egress proxy), on any port, including attempts that receive no reply because egress filtering blocked them.
  • DNS lookups from the controller for names it has never resolved before.

SIEM Query (Splunk-style; assumes Zeek conn logs in sourcetype zeek:conn and placeholders for your own controller IP and allowlist):

index=network sourcetype=zeek:conn id.orig_h="<jenkins-controller-ip>" NOT id.resp_h IN ("<otlp-collector>", "<update-center>", "<scm-host>", "<egress-proxy>") | stats count min(ts) AS first_seen values(id.resp_p) AS ports BY id.resp_h
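The network indicator above as detection logic run over sample connection records. This is an added example, not part of the advisory or the Jenkins project. Field names follow Zeek's JSON conn.log (ts, id.orig_h, id.resp_h, id.resp_p, proto, conn_state); the controller IP, the egress allowlist, the internal address ranges and the log lines themselves are constructed for the example. It keeps connection attempts that got no reply, because when egress filtering blocks the attacker-specified URL that blocked attempt is the only trace left.

```python
"""Egress anomaly check for a Jenkins controller over Zeek conn.log JSON lines.

Added example, not code from the advisory or the Jenkins project. Exploiting
CVE-2025-58460 makes the controller itself open an outbound connection to an
attacker-chosen host, so the signal is a controller-originated connection to a
destination outside its known egress set (OTLP collector, SCM hosts, proxy).
"""
import ipaddress
import json
from collections import defaultdict

JENKINS_CONTROLLER = "10.0.5.10"    # assumption: the controller's IP address
KNOWN_EGRESS = {                    # assumption: destinations the controller legitimately uses
    "10.0.7.20",   # OTLP collector configured in the plugin
    "10.0.1.5",    # internal Git server
    "10.0.1.9",    # egress proxy
}
INTERNAL_NETS = [ipaddress.ip_network(n)            # assumption: the organisation's internal ranges
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample conn.log (JSON lines); not real traffic. The fourth and
# fifth lines are what an attacker-specified URL looks like: a new external
# host, then a probe of a second port that never completes (conn_state S0).
SAMPLE_CONN_LOG = """\
{"ts": 1756900000.1, "id.orig_h": "10.0.5.10", "id.resp_h": "10.0.7.20", "id.resp_p": 4317, "proto": "tcp", "conn_state": "SF"}
{"ts": 1756900001.4, "id.orig_h": "10.0.5.10", "id.resp_h": "10.0.1.5", "id.resp_p": 443, "proto": "tcp", "conn_state": "SF"}
{"ts": 1756900030.0, "id.orig_h": "10.0.5.11", "id.resp_h": "198.51.100.7", "id.resp_p": 443, "proto": "tcp", "conn_state": "SF"}
{"ts": 1756900045.2, "id.orig_h": "10.0.5.10", "id.resp_h": "198.51.100.7", "id.resp_p": 443, "proto": "tcp", "conn_state": "SF"}
{"ts": 1756900046.0, "id.orig_h": "10.0.5.10", "id.resp_h": "198.51.100.7", "id.resp_p": 8080, "proto": "tcp", "conn_state": "S0"}
{"ts": 1756900090.0, "id.orig_h": "10.0.5.10", "id.resp_h": "10.0.1.9", "id.resp_p": 3128, "proto": "tcp", "conn_state": "SF"}
"""


def parse_conn_log(text):
    """Parse Zeek JSON-lines conn.log text, skipping blanks and comment lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            records.append(json.loads(line))
    return records


def is_internal(ip):
    """True when ip falls inside one of the configured internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_unexpected_egress(records, controller=JENKINS_CONTROLLER, allowlist=KNOWN_EGRESS):
    """Return one alert per non-allowlisted destination the controller connected to.

    Attempts with no reply (conn_state S0) are kept on purpose: a blocked
    connection to the attacker-specified URL is still evidence of the request
    that triggered it. Only TCP is considered; resolver traffic is separate.
    """
    hits = defaultdict(lambda: {"ports": set(), "count": 0, "first_ts": None, "last_ts": None})
    for rec in records:
        if rec.get("id.orig_h") != controller or rec.get("proto") != "tcp":
            continue
        dest = rec["id.resp_h"]
        if dest in allowlist:
            continue
        hit = hits[dest]
        hit["ports"].add(rec["id.resp_p"])
        hit["count"] += 1
        ts = rec["ts"]
        hit["first_ts"] = ts if hit["first_ts"] is None else min(hit["first_ts"], ts)
        hit["last_ts"] = ts if hit["last_ts"] is None else max(hit["last_ts"], ts)

    alerts = []
    for dest in sorted(hits):
        hit = hits[dest]
        external = not is_internal(dest)
        alerts.append({
            "dest": dest,
            "external": external,
            "ports": sorted(hit["ports"]),
            "count": hit["count"],
            "first_ts": hit["first_ts"],
            "last_ts": hit["last_ts"],
            # A never-before-seen external destination is the strongest signal.
            "severity": "high" if external else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in find_unexpected_egress(parse_conn_log(SAMPLE_CONN_LOG)):
        print(alert)
```

On the sample, the connection from the other host (10.0.5.11) to the same external address is ignored because only the controller's own connections matter here; the two controller-originated records to 198.51.100.7 collapse into a single high-severity alert listing both ports. Seed the allowlist from a baseline window of the controller's real traffic before turning this on, otherwise the configured OTLP collector itself will page you.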

🔗 References

  • Jenkins Security Advisory 2025-09-03, SECURITY-3602: https://www.jenkins.io/security/advisory/2025-09-03/#SECURITY-3602
  • NVD record: https://nvd.nist.gov/vuln/detail/CVE-2025-58460
