CVE-2025-47889
published 2025-05-14


Severity: Critical (CVSS 3.1 base score 9.8)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
In Jenkins WSO2 Oauth Plugin 1.0 and earlier, authentication claims are accepted without validation by the "WSO2 Oauth" security realm, allowing unauthenticated attackers to log in to controllers using this security realm using any username and any password, including usernames that do not exist.

Affected

10 ranges

Vendor           Product                      Version range   Fixed in
jenkins          cadence_vmanager_plugin
jenkins          dingtalk_plugin
jenkins          environment_injector_plugin
jenkins          health_advisor_by_cloudbees_plugin
jenkins          matrix_authorization_strategy_plugin
jenkins          openid_connect_provider_plugin
jenkins          role-based_authorization_strategy_plugin
jenkins          wso2_oauth                   <= 1.0
jenkins          wso2_oauth_plugin
jenkins_project  jenkins_wso2_oauth_plugin