VYPR
Moderate severity · NVD Advisory · Published Jan 22, 2025 · Updated Jan 23, 2025

CVE-2025-24402

Description

Cross-site request forgery in Jenkins Azure Service Fabric Plugin <=1.6 allows connecting to a Service Fabric URL with attacker-specified credentials.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

Details

A cross-site request forgery (CSRF) vulnerability exists in Jenkins Azure Service Fabric Plugin version 1.6 and earlier [1]. The plugin fails to properly validate CSRF tokens on an endpoint that connects to a Service Fabric URL, so an attacker can cause that endpoint to be invoked on behalf of an authenticated user without the user's consent.

Exploitation

To exploit this vulnerability, an attacker must first obtain valid credential IDs (e.g., via another vulnerability like CVE-2025-24397 that enumerates credentials) [1]. Then, the attacker can craft a malicious link or webpage that, when clicked by an authenticated Jenkins user, triggers a request to the plugin's vulnerable endpoint. The request uses the attacker-specified credential IDs to connect to a Service Fabric URL.

Impact

If successful, the attacker can connect to a Service Fabric cluster using the stolen credentials, potentially gaining unauthorized access to the cluster and allowing further attacks or data exfiltration. The impact depends on the permissions associated with the compromised credentials.

Mitigation

The Jenkins Security Advisory recommends upgrading the Azure Service Fabric Plugin to a version that includes a fix [1]. As of this writing, no workaround is documented; users should also address the underlying credential enumeration issue by updating other affected plugins.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package:           org.jenkins-ci.plugins:service-fabric (Maven)
Affected versions: <= 1.6
Patched versions:  none listed

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 1