CVE-2025-47889 — Improper Authentication in Jenkins Wso2 Oauth

CWE-287 — Improper Authentication CWE-1390 — Weak Authentication5 documents5 sources

Severity

9.8CRITICALNVD

EPSS

0.1%

top 72.38%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Wso2 Oauth Jenkins Project Jenkins Wso2 Oauth Plugin

Timeline

PublishedMay 14

Description

In Jenkins WSO2 Oauth Plugin 1.0 and earlier, authentication claims are accepted without validation by the "WSO2 Oauth" security realm, allowing unauthenticated attackers to log in to controllers using this security realm using any username and any password, including usernames that do not exist.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶CVEListV5jenkins_project/jenkins_wso2_oauth_plugin1.0

▶NVDjenkins/wso2_oauth1.0

🔴Vulnerability Details

GHSA

Jenkins WSO2 Oauth Plugin Fails to Properly Authenticate User Credentials↗2025-05-14

▶

OSV

Jenkins WSO2 Oauth Plugin Fails to Properly Authenticate User Credentials↗2025-05-14

▶

CVEList

CVE-2025-47889: In Jenkins WSO2 Oauth Plugin 1↗2025-05-14

▶

📋Vendor Advisories

Jenkins

Jenkins Security Advisory 2025-05-14↗2025-05-14

▶