Token Impersonation Vulnerability in Jenkins OpenID Connect Provider Plugin
CVE-2025-47884

9.1CRITICAL

Key Information:

Vendor: Jenkins
Status: Jenkins Openid Connect Provider Plugin
Vendor: CVE Published:; 14 May 2025

What is CVE-2025-47884?

The Jenkins OpenID Connect Provider Plugin has a vulnerability where the generation of build ID Tokens could use overridden values from environment variables. If exploited, attackers with job configuration privileges can craft tokens that impersonate trusted jobs, leading to unauthorized access to external services. This issue underscores the importance of secure token generation practices to prevent potential data breaches.

Affected Version(s)

Jenkins OpenID Connect Provider Plugin 0 <= 96.vee8ed882ec4d

References

https://www.jenkins.io/security/advisory/2025-05-14/#SECU...

vendor-advisory

CVSS V3.1

Score:

9.1

Severity:

CRITICAL

Confidentiality:

Low

Integrity:

High

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 14, 2025
Vulnerability Reserved
May 13, 2025