VYPR
Moderate severity · NVD Advisory · Published Jan 22, 2025 · Updated Jan 23, 2025

CVE-2025-24403

Description

A missing permission check in Jenkins Azure Service Fabric Plugin 1.6 and earlier allows attackers with Overall/Read permission to enumerate Azure credentials IDs.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

CVE-2025-24403 describes a missing permission check in the Jenkins Azure Service Fabric Plugin versions 1.6 and earlier. The plugin fails to properly verify permissions when handling certain HTTP endpoints, allowing users with only Overall/Read permission to interact with credential-related functionality that should require higher privileges [1].

Exploitation

An attacker who already has Overall/Read access to a Jenkins instance can exploit this flaw by sending crafted requests to the plugin's affected endpoints. No further authentication or specialized access is needed; the missing check permits enumeration of credential IDs [1]. The plugin's source code repository shows how credentials are referenced in pipeline steps, confirming the attack surface [2].

Impact

Successful exploitation allows the attacker to enumerate the IDs of all Azure credentials stored in Jenkins. While the credentials themselves are not directly exposed, having the IDs can facilitate subsequent attacks, such as using another vulnerability to capture the actual credential secrets [1]. This increases the risk of credential theft and unauthorized access to Azure resources.

Mitigation

The vulnerability is fixed in Azure Service Fabric Plugin version 1.7. Users should update to this version immediately. No workaround is available; upgrading is the only remediation [1][3].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:service-fabric (Maven)
Affected versions: <= 1.6
Patched versions: (none listed)
