cbcvebase.
CVE-2025-59474
published 2025-09-17

Priority: P2 (79)
Severity: medium, 5.3 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Exploitation: ITW / EXPLOIT badges; listed in VulnCheck KEV
Exploited in the wild
EPSS: 4.74% (90.7th percentile)

Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not perform a permission check in the sidepanel of a page intentionally accessible to users lacking Overall/Read permission, allowing attackers without Overall/Read permission to list agent names through its sidepanel executors widget.

Affected (6 ranges)

Vendor    Product             Version range   Fixed in
jenkins   credentials_plugin  -               -
jenkins   jenkins             < 2.516.3       2.516.3
jenkins   jenkins             < 2.528         2.528
jenkins   jenkins_core        -               -
jenkins   jenkins_lts         -               -
jenkins   jenkins_weekly      -               -

Detection & IOCs (extracted from sources)

url:  /securityRealm/signup
path: /securityRealm/signup
path: /jenkins/securityRealm/signup
  • Send an unauthenticated GET request to /securityRealm/signup (or /jenkins/securityRealm/signup) and inspect the response body for the presence of 'Build Executor Status', 'Estado del ejecutor', or 'id="executors"' — any of these strings in the response body indicates the sidepanel executors widget is exposed without permission check.
  • The vulnerable endpoint is the sidepanel of a page intentionally accessible to users lacking Overall/Read permission; exploitation requires no authentication and no Overall/Read permission.
  • Use Shodan query 'product:"jenkins"' to identify potentially vulnerable internet-facing Jenkins instances for targeted scanning.
  • Fixed in Jenkins 2.528 / LTS 2.516.3, which removes the sidepanel from the affected view. Instances running Jenkins weekly ≤ 2.527 or LTS ≤ 2.516.2 are vulnerable.
  • The vulnerability only manifests on Jenkins instances where the /securityRealm/signup page is reachable (i.e., user sign-up is enabled or the page is otherwise accessible). Instances with sign-up disabled or the page blocked may not expose the sidepanel executors widget.
  • Red Hat has deferred the fix for Jenkins in OpenShift Developer Tools and Services; no mitigation meeting Red Hat's criteria is currently available for that package.

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.1     5.3    MEDIUM    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
vulncheck      -        5.3    MEDIUM    -
vendor_redhat  -        5.3    MEDIUM    -