CVE-2025-59474
Published: 2025-09-17
Priority: P2 · 79 · Medium 5.3 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
ITW · Exploit · VulnCheck KEV
Exploited in the wild
EPSS: 4.74% (90.7th percentile)
Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not perform a permission check in the sidepanel of a page intentionally accessible to users lacking Overall/Read permission, allowing attackers without Overall/Read permission to list agent names through its sidepanel executors widget.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jenkins | credentials_plugin | — | — |
| jenkins | jenkins | < 2.516.3 | 2.516.3 |
| jenkins | jenkins | < 2.528 | 2.528 |
| jenkins | jenkins_core | — | — |
| jenkins | jenkins_lts | — | — |
| jenkins | jenkins_weekly | — | — |
Detection & IOCs
- Send an unauthenticated GET request to /securityRealm/signup (or /jenkins/securityRealm/signup) and inspect the response body for the presence of 'Build Executor Status', 'Estado del ejecutor', or 'id="executors"'; any of these strings in the response body indicates the sidepanel executors widget is exposed without a permission check.
- The vulnerable endpoint is the sidepanel of a page intentionally accessible to users lacking Overall/Read permission; exploitation requires no authentication and no Overall/Read permission.
- Use Shodan query 'product:"jenkins"' to identify potentially vulnerable internet-facing Jenkins instances for targeted scanning.
- Fixed in Jenkins 2.528 / LTS 2.516.3, which removes the sidepanel from the affected view. Instances running Jenkins weekly ≤ 2.527 or LTS ≤ 2.516.2 are vulnerable.
- The vulnerability only manifests on Jenkins instances where the /securityRealm/signup page is reachable (i.e., user sign-up is enabled or the page is otherwise accessible). Instances with sign-up disabled or the page blocked may not expose the sidepanel executors widget.
- Red Hat has deferred the fix for Jenkins in OpenShift Developer Tools and Services; no mitigation meeting Red Hat's criteria is currently available for that package.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| vulncheck | — | 5.3 | MEDIUM | — |
| vendor_redhat | — | 5.3 | MEDIUM | — |
GHSA
Jenkins has a missing permission check, allowing users to obtain agent names
ghsa·2025-09-17
CVE-2025-59474 [MEDIUM] CWE-862 Jenkins has a missing permission check, allowing users to obtain agent names
Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not perform a permission check in the sidepanel of a page intentionally accessible to users lacking Overall/Read permission.
This allows attackers without Overall/Read permission to list agent names through its sidepanel executors widget.
Jenkins 2.528, LTS 2.516.3 removes the sidepanel from the affected view.
OSV
Jenkins has a missing permission check, allowing users to obtain agent names
osv·2025-09-17
CVE-2025-59474 [MEDIUM] Jenkins has a missing permission check, allowing users to obtain agent names
Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not perform a permission check in the sidepanel of a page intentionally accessible to users lacking Overall/Read permission.
This allows attackers without Overall/Read permission to list agent names through its sidepanel executors widget.
Jenkins 2.528, LTS 2.516.3 removes the sidepanel from the affected view.
VulnCheck
Jenkins jenkins Missing Authorization
vulncheck·2025·CVSS 5.3
CVE-2025-59474 [MEDIUM] Jenkins jenkins Missing Authorization
Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not perform a permission check in the sidepanel of a page intentionally accessible to users lacking Overall/Read permission, allowing attackers without Overall/Read permission to list agent names through its sidepanel executors widget.
Affected: Jenkins jenkins
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://app.crowdsec.net/cti/cve-explorer/CVE-2025-59474; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-10-27&host_type=src&vulnerability=cve-2025-59474; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability
Red Hat
jenkins: Missing permission check allows obtaining agent names
vendor_redhat·2025-09-17·CVSS 5.3
CVE-2025-59474 [MEDIUM] CWE-862 jenkins: Missing permission check allows obtaining agent names
Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not perform a permission check in the sidepanel of a page intentionally accessible to users lacking Overall/Read permission, allowing attackers without Overall/Read permission to list agent names through its sidepanel executors widget.
A flaw was found in Jenkins. A missing permission check in the sidepanel of a page intentionally accessible to users lacking Overall/Read permission allows attackers without Overall/Read permission to list agent names via its sidepanel executors widget.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, ap
Jenkins
Jenkins Security Advisory 2025-09-17
vendor_jenkins·2025-09-17·CVSS 7.7
CVE-2025-5115 [HIGH] Jenkins Security Advisory 2025-09-17
Title: Jenkins Security Advisory 2025-09-17
This advisory announces vulnerabilities in the following Jenkins deliverables:
Jenkins (core)
Descriptions
HTTP/2 denial of service vulnerability in bundled Jetty
SECURITY-3618 / CVE-2025-5115
Severity (CVSS): High
Description: Jenkins bundles Winstone-Jet
No detection rules found.
Nuclei
Jenkins Sidepanel - Unauthorized Agent/Queue Exposure
nuclei·CVSS 5.3
CVE-2025-59474 [MEDIUM] Jenkins Sidepanel - Unauthorized Agent/Queue Exposure
Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not perform a permission check in the sidepanel of a page intentionally accessible to users lacking Overall/Read permission, allowing attackers without Overall/Read permission to list agent names through its sidepanel executors widget.
Template:
id: CVE-2025-59474
info:
  name: Jenkins Sidepanel - Unauthorized Agent/Queue Exposure
  author: ivaldivieso
  severity: medium
  description: |
    Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not perform a permission check in the sidepanel of a page intentionally accessible to users lacking Overall/Read permission, allowing attackers without Overall/Read permission to list agent names through its sidepanel executors widget.
  impact: Att
No writeups or analysis indexed.