CVE-2025-47889

In Jenkins WSO2 Oauth Plugin 1.0 and earlier, authentication claims are accepted without validation by the "WSO2 Oauth" security realm, allowing unauthenticated attackers to log in to controllers using this security realm using any username and any password, including usernames that do not exist.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.jenkins.io/security/advisory/2025-05-14/#SECURITY-3481

Configurations

No configuration.

History

19 May 2025, 16:15

Type	Values Removed	Values Added
CWE		CWE-287

15 May 2025, 21:15

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8
Summary		(es) Jenkins WSO2 Oauth Plugin 1.0 y versiones anteriores, las solicitudes de autenticación se aceptan sin validación por el ámbito de seguridad "WSO2 Oauth", lo que permite que atacantes no autenticados inicien sesión en los controladores que utilizan este ámbito de seguridad con cualquier nombre de usuario y cualquier contraseña, incluidos nombres de usuario que no existen.

14 May 2025, 21:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-05-14 21:15

Updated : 2025-05-19 16:15

NVD link : CVE-2025-47889

Mitre link : CVE-2025-47889

CVE.ORG link : CVE-2025-47889

JSON object : View

Products Affected

No product.

CWE

CWE-287

Improper Authentication

9.8 /10